Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1540571
MD5:	af0d4ef07df3fe2fddee37bde65d8665
SHA1:	7b21db5575f73d8234ef3cfaa979a858cf49efb0
SHA256:	11a7e24adcc3b0b21da14a3a74c813596ca386d104d48a492a9c5ae44f2c2d12
Tags:	exeuser-Bitsight
Infos:

Detection

Credential Flusher

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Credential Flusher

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Connects to many different domains

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

OS version to string mapping found (often used in BOTs)

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

file.exe (PID: 6644 cmdline: "C:\Users\user\Desktop\file.exe" MD5: AF0D4EF07DF3FE2FDDEE37BDE65D8665)

taskkill.exe (PID: 6720 cmdline: taskkill /F /IM firefox.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 6740 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7096 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 3848 cmdline: taskkill /F /IM msedge.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 1072 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 5012 cmdline: taskkill /F /IM opera.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 824 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 4040 cmdline: taskkill /F /IM brave.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 5576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

firefox.exe (PID: 600 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 5812 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7048 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 2200 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2300 -parentBuildID 20230927232528 -prefsHandle 2244 -prefMapHandle 2236 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {62211066-fcf4-4010-9dd2-8db042710cef} 7048 "\\.\pipe\gecko-crash-server-pipe.7048" 19f5db70b10 socket MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7508 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4084 -parentBuildID 20230927232528 -prefsHandle 4108 -prefMapHandle 4104 -prefsLen 26309 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1c7d6957-7151-45d2-b5b6-8f2ec3916663} 7048 "\\.\pipe\gecko-crash-server-pipe.7048" 19f6fd1fd10 rdd MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 8176 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5168 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5188 -prefMapHandle 5184 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {646331cb-5b0f-4d7b-bbca-1ef13fcf4349} 7048 "\\.\pipe\gecko-crash-server-pipe.7048" 19f7c525510 utility MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: file.exe PID: 6644	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security

Code function: 0_2_00CAEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00CAEAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CAED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00CAED6A

Source: C:\Users\user\Desktop\file.exe

0_2_00CAEAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C9AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_00C9AA57

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CC9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00CC9576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_79978da8-e
Source: file.exe, 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_81fcc830-4
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_71a813b7-2
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_e49783db-e

Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_000001DA3076B037 NtQuerySystemInformation,		16_2_000001DA3076B037
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_000001DA307978F2 NtQuerySystemInformation,		16_2_000001DA307978F2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C9D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_00C9D5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C91201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00C91201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C9E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_00C9E8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CA2046	0_2_00CA2046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C38060	0_2_00C38060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C98298	0_2_00C98298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C6E4FF	0_2_00C6E4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C6676B	0_2_00C6676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CC4873	0_2_00CC4873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C3CAF0	0_2_00C3CAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C5CAA0	0_2_00C5CAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C4CC39	0_2_00C4CC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C66DD9	0_2_00C66DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C391C0	0_2_00C391C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C4B119	0_2_00C4B119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C51394	0_2_00C51394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C51706	0_2_00C51706
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C5781B	0_2_00C5781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C519B0	0_2_00C519B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C4997D	0_2_00C4997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C37920	0_2_00C37920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C57A4A	0_2_00C57A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C57CA7	0_2_00C57CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C51C77	0_2_00C51C77
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C69EEE	0_2_00C69EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CBBE44	0_2_00CBBE44
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C51F32	0_2_00C51F32
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_000001DA3076B037	16_2_000001DA3076B037
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_000001DA307978F2	16_2_000001DA307978F2
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_000001DA30797932	16_2_000001DA30797932
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_000001DA3079801C	16_2_000001DA3079801C

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00C50A30 appears 46 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00C4F9F2 appears 31 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal72.troj.evad.winEXE@34/36@70/12

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CA37B5 GetLastError,FormatMessageW,

0_2_00CA37B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C910BF AdjustTokenPrivileges,CloseHandle,		0_2_00C910BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C916C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00C916C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CA51CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00CA51CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C9D4DC CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_00C9D4DC

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CA648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_00CA648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C342A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00C342A2

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Mozilla\Firefox\SkeletonUILock-c388d246

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6740:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5576:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:824:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7088:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1072:120:WilError_03

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Temp\firefox

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: firefox.exe, 0000000D.00000003.1947706832.0000019F7C5C0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1958331433.0000019F7C5A8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE timestamp BETWEEN date(:dateFrom) AND date(:dateTo);
Source: firefox.exe, 0000000D.00000003.1958331433.0000019F7C5A8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE events (id INTEGER PRIMARY KEY, type INTEGER NOT NULL, count INTEGER NOT NULL, timestamp DATE );
Source: firefox.exe, 0000000D.00000003.1958331433.0000019F7C5A8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: INSERT INTO events (type, count, timestamp) VALUES (:type, 1, date(:date));
Source: firefox.exe, 0000000D.00000003.1958331433.0000019F7C5A8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;
Source: firefox.exe, 0000000D.00000003.1948639037.0000019F7B0A4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;
Source: firefox.exe, 0000000D.00000003.1958331433.0000019F7C5A8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;Fy6
Source: firefox.exe, 0000000D.00000003.1958331433.0000019F7C5A8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: UPDATE events SET count = count + 1 WHERE id = :id;-
Source: firefox.exe, 0000000D.00000003.1958331433.0000019F7C5A8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9'
Source: firefox.exe, 0000000D.00000003.1958331433.0000019F7C5A8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9
Source: firefox.exe, 0000000D.00000003.1958331433.0000019F7C5A8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE type = :type AND timestamp = date(:date);

Source: file.exe

ReversingLabs: Detection: 47%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2300 -parentBuildID 20230927232528 -prefsHandle 2244 -prefMapHandle 2236 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {62211066-fcf4-4010-9dd2-8db042710cef} 7048 "\\.\pipe\gecko-crash-server-pipe.7048" 19f5db70b10 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4084 -parentBuildID 20230927232528 -prefsHandle 4108 -prefMapHandle 4104 -prefsLen 26309 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1c7d6957-7151-45d2-b5b6-8f2ec3916663} 7048 "\\.\pipe\gecko-crash-server-pipe.7048" 19f6fd1fd10 rdd
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5168 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5188 -prefMapHandle 5184 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {646331cb-5b0f-4d7b-bbca-1ef13fcf4349} 7048 "\\.\pipe\gecko-crash-server-pipe.7048" 19f7c525510 utility
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2300 -parentBuildID 20230927232528 -prefsHandle 2244 -prefMapHandle 2236 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {62211066-fcf4-4010-9dd2-8db042710cef} 7048 "\\.\pipe\gecko-crash-server-pipe.7048" 19f5db70b10 socket	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4084 -parentBuildID 20230927232528 -prefsHandle 4108 -prefMapHandle 4104 -prefsLen 26309 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1c7d6957-7151-45d2-b5b6-8f2ec3916663} 7048 "\\.\pipe\gecko-crash-server-pipe.7048" 19f6fd1fd10 rdd	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5168 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5188 -prefMapHandle 5184 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {646331cb-5b0f-4d7b-bbca-1ef13fcf4349} 7048 "\\.\pipe\gecko-crash-server-pipe.7048" 19f7c525510 utility	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: freebl3.pdb source: firefox.exe, 0000000D.00000003.1996722758.0000019F6F2E1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: webauthn.pdb source: firefox.exe, 0000000D.00000003.2013959194.0000019F76E02000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: UMPDC.pdb source: firefox.exe, 0000000D.00000003.1996722758.0000019F6F2E1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wininet.pdb source: firefox.exe, 0000000D.00000003.1996722758.0000019F6F2E1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: rsaenh.pdb source: firefox.exe, 0000000D.00000003.1996385378.0000019F6F329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: profapi.pdb source: firefox.exe, 0000000D.00000003.2001968415.0000019F6F24C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: avrt.pdb source: firefox.exe, 0000000D.00000003.1996722758.0000019F6F2E1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: winsta.pdb source: firefox.exe, 0000000D.00000003.1997057366.0000019F6F2CD000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: mswsock.pdb source: firefox.exe, 0000000D.00000003.1997057366.0000019F6F2CD000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: pnrpnsp.pdb source: firefox.exe, 0000000D.00000003.1997057366.0000019F6F2CD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2014114698.0000019F6B15F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wshbth.pdb source: firefox.exe, 0000000D.00000003.1997057366.0000019F6F2CD000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: WscApi.pdb source: firefox.exe, 0000000D.00000003.1996722758.0000019F6F2E1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: NapiNSP.pdb source: firefox.exe, 0000000D.00000003.1997057366.0000019F6F2CD000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: nsi.pdb source: firefox.exe, 0000000D.00000003.1997057366.0000019F6F2CD000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: msimg32.pdbC:\WINDOWS\FONTS\SEGOEUIL.TTF source: firefox.exe, 0000000D.00000003.1996722758.0000019F6F2E1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: xWindows.StateRepositoryPS.pdb source: firefox.exe, 0000000D.00000003.2013471285.0000019F6F1E0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: xOneCoreUAPCommonProxyStub.pdb source: firefox.exe, 0000000D.00000003.1994307021.0000019F6FE8F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdb source: gmpopenh264.dll.tmp.13.dr
Source:	Binary string: webauthn.pdbGCTL source: firefox.exe, 0000000D.00000003.2013959194.0000019F76E02000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: winmm.pdb source: firefox.exe, 0000000D.00000003.2001968415.0000019F6F24C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: winrnr.pdb source: firefox.exe, 0000000D.00000003.1997057366.0000019F6F2CD000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: nssckbi.pdb source: firefox.exe, 0000000D.00000003.1996722758.0000019F6F2E1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: msctf.pdb source: firefox.exe, 0000000D.00000003.1997057366.0000019F6F2CD000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: winnsi.pdb source: firefox.exe, 0000000D.00000003.1997057366.0000019F6F2CD000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dcomp.pdb source: firefox.exe, 0000000D.00000003.1997057366.0000019F6F2CD000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: cryptsp.pdb source: firefox.exe, 0000000D.00000003.1996385378.0000019F6F329000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: mscms.pdb source: firefox.exe, 0000000D.00000003.1996722758.0000019F6F2E1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: sspicli.pdb source: firefox.exe, 0000000D.00000003.1996722758.0000019F6F2E1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: CLBCatQ.pdb source: firefox.exe, 0000000D.00000003.1997057366.0000019F6F2CD000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: twinapi.pdb source: firefox.exe, 0000000D.00000003.1997057366.0000019F6F2CD000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: urlmon.pdb source: firefox.exe, 0000000D.00000003.1996722758.0000019F6F2E1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdbV source: gmpopenh264.dll.tmp.13.dr
Source:	Binary string: dnsapi.pdb source: firefox.exe, 0000000D.00000003.1997057366.0000019F6F2CD000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: userenv.pdb source: firefox.exe, 0000000D.00000003.1996722758.0000019F6F2E1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: nlaapi.pdb source: firefox.exe, 0000000D.00000003.1997057366.0000019F6F2CD000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: winhttp.pdb source: firefox.exe, 0000000D.00000003.1996722758.0000019F6F2E1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: msimg32.pdb source: firefox.exe, 0000000D.00000003.1996722758.0000019F6F2E1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dxgi.pdb source: firefox.exe, 0000000D.00000003.1997057366.0000019F6F2CD000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: pnrpnsp.pdbUGP source: firefox.exe, 0000000D.00000003.2014114698.0000019F6B15F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ncrypt.pdb source: firefox.exe, 0000000D.00000003.1996722758.0000019F6F2E1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ntasn1.pdb source: firefox.exe, 0000000D.00000003.1996722758.0000019F6F2E1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: devobj.pdb source: firefox.exe, 0000000D.00000003.1997057366.0000019F6F2CD000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: d3d11.pdb source: firefox.exe, 0000000D.00000003.1996722758.0000019F6F2E1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dwmapi.pdb source: firefox.exe, 0000000D.00000003.1997057366.0000019F6F2CD000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: srvcli.pdb source: firefox.exe, 0000000D.00000003.1996722758.0000019F6F2E1000.00000004.00000800.00020000.00000000.sdmp

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C342DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00C342DE

Source: gmpopenh264.dll.tmp.13.dr

Static PE information: section name: .rodata

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C3A430 push FFFFFFA1h; ret		0_2_00C3A44E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C50A76 push ecx; ret		0_2_00C50A89

Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp			Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)			Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C4F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00C4F98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CC1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00CC1C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-96712

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 16_2_000001DA3076B037 rdtsc

16_2_000001DA3076B037

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.6 %

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C9DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00C9DBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CA68EE FindFirstFileW,FindClose,	0_2_00CA68EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CA698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_00CA698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C9D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00C9D076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C9D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00C9D3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CA9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00CA9642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CA979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00CA979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CA9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00CA9B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CA5C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00CA5C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C342DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00C342DE

Source: firefox.exe, 0000000F.00000002.2998889336.0000025456808000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllCb!
Source: firefox.exe, 00000010.00000002.2997895291.000001DA30C10000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW\|
Source: firefox.exe, 00000012.00000002.2990330839.000001ACB399A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0C
Source: firefox.exe, 00000010.00000002.2997895291.000001DA30C10000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllR
Source: firefox.exe, 0000000F.00000002.2992497292.0000025456295000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2990585619.000001DA303DA000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2997895291.000001DA30C10000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2996997290.000001ACB3D40000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: firefox.exe, 0000000F.00000002.2997700359.000002545671A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: firefox.exe, 0000000F.00000002.2992497292.000002545626A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW`
Source: firefox.exe, 0000000F.00000002.2998889336.0000025456808000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2997895291.000001DA30C10000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: firefox.exe, 00000010.00000002.2997895291.000001DA30C10000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllc

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 16_2_000001DA3076B037 rdtsc

16_2_000001DA3076B037

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CAEAA2 BlockInput,

0_2_00CAEAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C62622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00C62622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C342DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00C342DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C54CE8 mov eax, dword ptr fs:[00000030h]

0_2_00C54CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C90B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00C90B62

Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C62622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00C62622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C5083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00C5083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C509D5 SetUnhandledExceptionFilter,	0_2_00C509D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C50C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00C50C21

Source: C:\Users\user\Desktop\file.exe

0_2_00C91201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C72BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00C72BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C9B226 SendInput,keybd_event,

0_2_00C9B226

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CB22DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_00CB22DA

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

0_2_00C90B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C91663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00C91663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C50698 cpuid

0_2_00C50698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CA8195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00CA8195

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C8D27A GetUserNameW,

0_2_00C8D27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C6BB6F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00C6BB6F

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C342DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00C342DE

Stealing of Sensitive Information

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 6644, type: MEMORYSTR

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 6644, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CB1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00CB1204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CB1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00CB1806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	2 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Extra Window Memory Injection	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	1 DLL Side-Loading	NTDS	16 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 Extra Window Memory Injection	LSA Secrets	131 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Process Injection	1 Masquerading	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	2 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	47%	ReversingLabs	Win32.Trojan.CredentialFlusher
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	0%	ReversingLabs

Source	Detection	Scanner	Label
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	0%	URL Reputation	safe
http://www.mozilla.com0	0%	URL Reputation	safe
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	0%	URL Reputation	safe
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	0%	URL Reputation	safe
https://merino.services.mozilla.com/api/v1/suggest	0%	URL Reputation	safe
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	0%	URL Reputation	safe
https://spocs.getpocket.com/spocs	0%	URL Reputation	safe
https://shavar.services.mozilla.com	0%	URL Reputation	safe
https://completion.amazon.com/search/complete?q=	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	0%	URL Reputation	safe
https://ads.stickyadstv.com/firefox-etp	0%	URL Reputation	safe
https://identity.mozilla.com/ids/ecosystem_telemetryU	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	0%	URL Reputation	safe
https://monitor.firefox.com/breach-details/	0%	URL Reputation	safe
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/addons/addon/	0%	URL Reputation	safe
https://tracking-protection-issues.herokuapp.com/new	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	0%	URL Reputation	safe
https://content-signature-2.cdn.mozilla.net/	0%	URL Reputation	safe
https://app.adjust.com/167k4ih?campaign=firefox-desktop&adgroup=pb&creative=focus-omc172&redirect=ht	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	0%	URL Reputation	safe
https://api.accounts.firefox.com/v1	0%	URL Reputation	safe
https://ok.ru/	0%	URL Reputation	safe
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	0%	URL Reputation	safe
https://MD8.mozilla.org/1/m	0%	URL Reputation	safe
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	0%	URL Reputation	safe
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	0%	URL Reputation	safe
https://bugzilla.mo	0%	URL Reputation	safe
https://mitmdetection.services.mozilla.com/	0%	URL Reputation	safe
https://static.adsafeprotected.com/firefox-etp-js	0%	URL Reputation	safe
https://shavar.services.mozilla.com/	0%	URL Reputation	safe
https://spocs.getpocket.com/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	0%	URL Reputation	safe
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	0%	URL Reputation	safe
https://monitor.firefox.com/user/breach-stats?includeResolved=true	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1584464	0%	URL Reputation	safe
http://a9.com/-/spec/opensearch/1.0/	0%	URL Reputation	safe
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	0%	URL Reputation	safe
https://monitor.firefox.com/user/dashboard	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1170143	0%	URL Reputation	safe
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	0%	URL Reputation	safe
https://monitor.firefox.com/about	0%	URL Reputation	safe
https://account.bellmedia.c	0%	URL Reputation	safe
https://login.microsoftonline.com	0%	URL Reputation	safe
https://coverage.mozilla.org	0%	URL Reputation	safe
http://crl.thawte.com/ThawteTimestampingCA.crl0	0%	URL Reputation	safe
https://www.zhihu.com/	0%	URL Reputation	safe
http://x1.c.lencr.org/0	0%	URL Reputation	safe
http://x1.i.lencr.org/0	0%	URL Reputation	safe
http://a9.com/-/spec/opensearch/1.1/	0%	URL Reputation	safe
https://infra.spec.whatwg.org/#ascii-whitespace	0%	URL Reputation	safe
https://blocked.cdn.mozilla.net/	0%	URL Reputation	safe
https://profiler.firefox.com	0%	URL Reputation	safe
https://outlook.live.com/default.aspx?rru=compose&to=%s	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=793869	0%	URL Reputation	safe
https://identity.mozilla.com/apps/relay	0%	URL Reputation	safe
https://mozilla.cloudflare-dns.com/dns-query	0%	URL Reputation	safe
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	0%	URL Reputation	safe
https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg	0%	URL Reputation	safe
https://contile.services.mozilla.com/v1/tiles	0%	URL Reputation	safe
https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/	0%	URL Reputation	safe
https://monitor.firefox.com/user/preferences	0%	URL Reputation	safe
https://screenshots.firefox.com/	0%	URL Reputation	safe
https://gpuweb.github.io/gpuweb/	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/tracking-content-report	0%	URL Reputation	safe
https://www.olx.pl/	0%	URL Reputation	safe
https://poczta.interia.pl/mh/?mailto=%s	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
example.org	93.184.215.14	true	false	unknown
star-mini.c10r.facebook.com	157.240.0.35	true	false	unknown
prod.classify-client.prod.webservices.mozgcp.net	35.190.72.216	true	false	unknown
prod.balrog.prod.cloudops.mozgcp.net	35.244.181.201	true	false	unknown
twitter.com	104.244.42.193	true	false	unknown
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82	true	false	unknown
services.addons.mozilla.org	151.101.129.91	true	false	unknown
dyna.wikimedia.org	185.15.59.224	true	false	unknown
prod.remote-settings.prod.webservices.mozgcp.net	34.149.100.209	true	false	unknown
contile.services.mozilla.com	34.117.188.166	true	false	unknown
youtube.com	142.250.186.142	true	false	unknown
prod.content-signature-chains.prod.webservices.mozgcp.net	34.160.144.191	true	false	unknown
youtube-ui.l.google.com	172.217.23.110	true	false	unknown
us-west1.prod.sumo.prod.webservices.mozgcp.net	34.149.128.2	true	false	unknown
reddit.map.fastly.net	151.101.1.140	true	false	unknown
ipv4only.arpa	192.0.0.170	true	false	unknown
prod.ads.prod.webservices.mozgcp.net	34.117.188.166	true	false	unknown
push.services.mozilla.com	34.107.243.93	true	false	unknown
normandy-cdn.services.mozilla.com	35.201.103.21	true	false	unknown
telemetry-incoming.r53-2.services.mozilla.com	34.120.208.123	true	false	unknown
www.reddit.com	unknown	unknown	false	unknown
spocs.getpocket.com	unknown	unknown	false	unknown
content-signature-2.cdn.mozilla.net	unknown	unknown	false	unknown
support.mozilla.org	unknown	unknown	false	unknown
firefox.settings.services.mozilla.com	unknown	unknown	false	unknown
www.youtube.com	unknown	unknown	false	unknown
www.facebook.com	unknown	unknown	false	unknown
detectportal.firefox.com	unknown	unknown	false	unknown
normandy.cdn.mozilla.net	unknown	unknown	false	unknown
shavar.services.mozilla.com	unknown	unknown	false	unknown
www.wikipedia.org	unknown	unknown	false	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-	firefox.exe, 0000000F.00000002.2992189109.00000254561D0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2995907428.000001DA30700000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2997151188.000001ACB3E40000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://getpocket.cdn.mozilla.net/v3/newtab/layout?version=1&consumer_key=40249-e88c401e1b1f2242d9e4	firefox.exe, 0000000D.00000003.1994307021.0000019F6FE97000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	firefox.exe, 0000000D.00000003.1988907531.0000019F71459000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2010818898.0000019F7145D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1837173890.0000019F6FD0D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1996614685.0000019F6F2FD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2991523446.000001DA306C7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2991524900.000001ACB3CC4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	firefox.exe, 0000000F.00000002.2992189109.00000254561D0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2995907428.000001DA30700000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2997151188.000001ACB3E40000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.mozilla.com0	gmpopenh264.dll.tmp.13.dr	false	URL Reputation: safe	unknown
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	firefox.exe, 0000000F.00000002.2993744896.00000254566CA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2991523446.000001DA306E8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2997549268.000001ACB3F03000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false	URL Reputation: safe	unknown
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	firefox.exe, 0000000D.00000003.1833433555.0000019F759AC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1834209684.0000019F759B0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1832798847.0000019F759B0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1910253870.0000019F75981000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1926775955.0000019F759A4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1919195414.0000019F75981000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://merino.services.mozilla.com/api/v1/suggest	firefox.exe, 00000012.00000002.2991524900.000001ACB3C8F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	firefox.exe, 0000000F.00000002.2992189109.00000254561D0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2995907428.000001DA30700000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2997151188.000001ACB3E40000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://youtube.comP	firefox.exe, 0000000D.00000003.2012698325.0000019F6FEB3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1982283310.0000019F6FEB1000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://spocs.getpocket.com/spocs	firefox.exe, 0000000D.00000003.1955351143.0000019F75A7C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2013471285.0000019F6F1E0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1991671688.0000019F70020000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://shavar.services.mozilla.com	firefox.exe, 0000000D.00000003.2002483784.0000019F6F1FA000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://completion.amazon.com/search/complete?q=	firefox.exe, 0000000D.00000003.1788864335.0000019F6B262000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1789058793.0000019F6B283000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1788664558.0000019F6B240000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1788474878.0000019F6B21F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1788298351.0000019F6D700000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	firefox.exe, 0000000F.00000002.2992189109.00000254561D0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2995907428.000001DA30700000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2997151188.000001ACB3E40000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ads.stickyadstv.com/firefox-etp	firefox.exe, 0000000D.00000003.1853799187.0000019F76938000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1951320621.0000019F769A8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1960878459.0000019F769A8000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://identity.mozilla.com/ids/ecosystem_telemetryU	firefox.exe, 0000000D.00000003.1958331433.0000019F7C5A8000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	firefox.exe, 0000000F.00000002.2992189109.00000254561D0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2995907428.000001DA30700000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2997151188.000001ACB3E40000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/breach-details/	firefox.exe, 0000000F.00000002.2992189109.00000254561D0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2995907428.000001DA30700000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2997151188.000001ACB3E40000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/w3c/csswg-drafts/issues/4650	firefox.exe, 0000000D.00000003.1955351143.0000019F75A24000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	firefox.exe, 0000000F.00000002.2992189109.00000254561D0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2995907428.000001DA30700000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2997151188.000001ACB3E40000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/exec/obidos/external-search/	firefox.exe, 0000000D.00000003.1989352843.0000019F71265000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1788864335.0000019F6B262000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1935698180.0000019F6F5BB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1789058793.0000019F6B283000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1788664558.0000019F6B240000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1919575165.0000019F6F5BB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1788474878.0000019F6B21F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1788298351.0000019F6D700000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.msn.com	firefox.exe, 0000000D.00000003.1977336624.0000019F70F8F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1961763482.0000019F70F8F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1989853990.0000019F70F8F000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://github.com/mozilla-services/screenshots	firefox.exe, 0000000D.00000003.1788864335.0000019F6B262000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1788664558.0000019F6B240000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1788474878.0000019F6B21F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1788298351.0000019F6D700000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://services.addons.mozilla.org/api/v4/addons/addon/	firefox.exe, 0000000F.00000002.2992189109.00000254561D0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2995907428.000001DA30700000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2997151188.000001ACB3E40000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://tracking-protection-issues.herokuapp.com/new	firefox.exe, 0000000F.00000002.2992189109.00000254561D0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2995907428.000001DA30700000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2997151188.000001ACB3E40000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	firefox.exe, 0000000F.00000002.2992189109.00000254561D0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2995907428.000001DA30700000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2997151188.000001ACB3E40000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://youtube.com/	firefox.exe, 0000000D.00000003.2011265772.0000019F70FA2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2012659022.0000019F6FF0F000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://content-signature-2.cdn.mozilla.net/	firefox.exe, 0000000D.00000003.1993267496.0000019F6FF91000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94	firefox.exe, 0000000F.00000002.2993744896.00000254566CA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2991523446.000001DA306E8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2997549268.000001ACB3F03000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false		unknown
https://app.adjust.com/167k4ih?campaign=firefox-desktop&adgroup=pb&creative=focus-omc172&redirect=ht	firefox.exe, 0000000D.00000003.1985480942.0000019F7C4A7000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.instagram.com/	firefox.exe, 0000000D.00000003.1864195419.0000019F6EAB9000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	firefox.exe, 0000000F.00000002.2992189109.00000254561D0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2995907428.000001DA30700000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2997151188.000001ACB3E40000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.accounts.firefox.com/v1	firefox.exe, 0000000F.00000002.2992189109.00000254561D0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2995907428.000001DA30700000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2997151188.000001ACB3E40000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ok.ru/	firefox.exe, 0000000D.00000003.1995417269.0000019F6FC44000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/	firefox.exe, 0000000F.00000002.2992189109.00000254561D0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2995907428.000001DA30700000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2997151188.000001ACB3E40000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	firefox.exe, 0000000F.00000002.2992189109.00000254561D0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2995907428.000001DA30700000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2997151188.000001ACB3E40000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta	firefox.exe, 0000000F.00000002.2993744896.00000254566CA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2991523446.000001DA306E8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2997549268.000001ACB3F03000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false		unknown
https://www.youtube.com/	firefox.exe, 00000010.00000002.2991523446.000001DA3060A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2991524900.000001ACB3C0C000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	firefox.exe, 0000000D.00000003.1866846261.0000019F6E412000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1896238872.0000019F6E418000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	firefox.exe, 0000000F.00000002.2992189109.00000254561D0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2995907428.000001DA30700000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2997151188.000001ACB3E40000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://MD8.mozilla.org/1/m	firefox.exe, 0000000D.00000003.2009834133.0000019F75F70000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://addons.mozilla.org/firefox/addon/to-google-translate/	firefox.exe, 0000000D.00000003.1985480942.0000019F7C4A7000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	firefox.exe, 0000000D.00000003.1999664355.0000019F75B30000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1837173890.0000019F6FD0D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1996614685.0000019F6F2FD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1991671688.0000019F70020000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2991523446.000001DA306C7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2991524900.000001ACB3CC4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://127.0.0.1:	firefox.exe, 0000000F.00000002.2992189109.00000254561D0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2995907428.000001DA30700000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2997151188.000001ACB3E40000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	firefox.exe, 0000000D.00000003.1896238872.0000019F6E418000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1866954321.0000019F6E1B4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	firefox.exe, 0000000D.00000003.1919992905.0000019F6F441000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mo	firefox.exe, 0000000D.00000003.1985480942.0000019F7C4A7000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mitmdetection.services.mozilla.com/	firefox.exe, 0000000F.00000002.2992189109.00000254561D0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2995907428.000001DA30700000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2997151188.000001ACB3E40000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://static.adsafeprotected.com/firefox-etp-js	firefox.exe, 0000000D.00000003.1853799187.0000019F76938000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1951320621.0000019F769A8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1960878459.0000019F769A8000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://youtube.com/account?=	recovery.jsonlz4.tmp.13.dr	false		unknown
https://shavar.services.mozilla.com/	firefox.exe, 0000000D.00000003.1986860996.0000019F75FFE000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://spocs.getpocket.com/	firefox.exe, 0000000D.00000003.1997221509.0000019F6F290000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1988907531.0000019F71459000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2010818898.0000019F7145D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1949837893.0000019F7A6C3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1975477265.0000019F7A6C3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1959591479.0000019F7A6C3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2991523446.000001DA30612000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2991524900.000001ACB3C13000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	firefox.exe, 0000000F.00000002.2992189109.00000254561D0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2995907428.000001DA30700000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2997151188.000001ACB3E40000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	firefox.exe, 0000000F.00000002.2992189109.00000254561D0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2995907428.000001DA30700000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2997151188.000001ACB3E40000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	firefox.exe, 0000000F.00000002.2992189109.00000254561D0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2995907428.000001DA30700000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2997151188.000001ACB3E40000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.iqiyi.com/	firefox.exe, 0000000D.00000003.1995417269.0000019F6FC44000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r	firefox.exe, 0000000F.00000002.2992189109.00000254561D0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2995907428.000001DA30700000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2997151188.000001ACB3E40000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://monitor.firefox.com/user/breach-stats?includeResolved=true	firefox.exe, 0000000F.00000002.2992189109.00000254561D0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2995907428.000001DA30700000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2997151188.000001ACB3E40000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	firefox.exe, 0000000F.00000002.2992189109.00000254561D0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2995907428.000001DA30700000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2997151188.000001ACB3E40000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1584464	firefox.exe, 0000000D.00000003.1955351143.0000019F75A24000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://a9.com/-/spec/opensearch/1.0/	firefox.exe, 0000000D.00000003.1986860996.0000019F75FD9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	firefox.exe, 0000000F.00000002.2992189109.00000254561D0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2995907428.000001DA30700000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2997151188.000001ACB3E40000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/user/dashboard	firefox.exe, 0000000F.00000002.2992189109.00000254561D0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2995907428.000001DA30700000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2997151188.000001ACB3E40000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1170143	firefox.exe, 0000000D.00000003.1867343572.0000019F6E1A6000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	firefox.exe, 0000000F.00000002.2992189109.00000254561D0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2995907428.000001DA30700000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2997151188.000001ACB3E40000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/about	firefox.exe, 0000000F.00000002.2992189109.00000254561D0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2995907428.000001DA30700000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2997151188.000001ACB3E40000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://mozilla.org/MPL/2.0/.	firefox.exe, 0000000D.00000003.1981095300.0000019F70095000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://account.bellmedia.c	firefox.exe, 0000000D.00000003.1977336624.0000019F70F8F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1961763482.0000019F70F8F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1989853990.0000019F70F8F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://login.microsoftonline.com	firefox.exe, 0000000D.00000003.1979253027.0000019F70E7E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1977336624.0000019F70F8F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1961763482.0000019F70F8F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1989853990.0000019F70F8F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://coverage.mozilla.org	firefox.exe, 0000000F.00000002.2992189109.00000254561D0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2995907428.000001DA30700000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2997151188.000001ACB3E40000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0	gmpopenh264.dll.tmp.13.dr	false	URL Reputation: safe	unknown
https://www.zhihu.com/	firefox.exe, 0000000D.00000003.1955351143.0000019F75A24000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1995417269.0000019F6FC44000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.c.lencr.org/0	firefox.exe, 0000000D.00000003.2008395746.0000019F7A540000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.i.lencr.org/0	firefox.exe, 0000000D.00000003.2008395746.0000019F7A540000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://a9.com/-/spec/opensearch/1.1/	firefox.exe, 0000000D.00000003.1986860996.0000019F75FD9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://infra.spec.whatwg.org/#ascii-whitespace	firefox.exe, 0000000D.00000003.1833433555.0000019F759AC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1834209684.0000019F759B0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1910253870.0000019F75981000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1926775955.0000019F759A4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1919195414.0000019F75981000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://blocked.cdn.mozilla.net/	firefox.exe, 0000000F.00000002.2992189109.00000254561D0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2995907428.000001DA30700000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2997151188.000001ACB3E40000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://profiler.firefox.com	firefox.exe, 0000000F.00000002.2992189109.00000254561D0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2995907428.000001DA30700000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2997151188.000001ACB3E40000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://outlook.live.com/default.aspx?rru=compose&to=%s	firefox.exe, 0000000D.00000003.1797082339.0000019F6D430000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1908332451.0000019F6D42B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1796731356.0000019F6D41B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1797291726.0000019F6D433000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1791718986.0000019F6D433000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=793869	firefox.exe, 0000000D.00000003.1867343572.0000019F6E1A6000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://identity.mozilla.com/apps/relay	firefox.exe, 0000000D.00000003.1997392048.0000019F6F281000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2013133582.0000019F6F281000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mozilla.cloudflare-dns.com/dns-query	firefox.exe, 0000000F.00000002.2992189109.00000254561D0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2995907428.000001DA30700000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2997151188.000001ACB3E40000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	firefox.exe, 0000000D.00000003.1977336624.0000019F70F9C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1961763482.0000019F70F9C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1989853990.0000019F70F9C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2011437126.0000019F70F9C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	firefox.exe, 0000000D.00000003.1866846261.0000019F6E412000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1896238872.0000019F6E418000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1866954321.0000019F6E1B4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mail.yahoo.co.jp/compose/?To=%s	firefox.exe, 0000000D.00000003.1797082339.0000019F6D430000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1908332451.0000019F6D42B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1796731356.0000019F6D41B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1797291726.0000019F6D433000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1791718986.0000019F6D433000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://addons.mozilla.org/firefox/addon/reddit-enhancement-suite/	firefox.exe, 0000000D.00000003.1985480942.0000019F7C4A7000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg	firefox.exe, 0000000F.00000002.2993744896.00000254566CA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2991523446.000001DA306E8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2997549268.000001ACB3F03000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false	URL Reputation: safe	unknown
https://contile.services.mozilla.com/v1/tiles	firefox.exe, 0000000D.00000003.1987859223.0000019F75B56000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1954188749.0000019F75BC1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1987225444.0000019F75BE5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000002.2992189109.00000254561D0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2995907428.000001DA30700000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2997151188.000001ACB3E40000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/	firefox.exe, 0000000D.00000003.1948639037.0000019F7B0B0000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/user/preferences	firefox.exe, 0000000F.00000002.2992189109.00000254561D0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2995907428.000001DA30700000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2997151188.000001ACB3E40000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://screenshots.firefox.com/	firefox.exe, 0000000D.00000003.1788298351.0000019F6D700000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/search	firefox.exe, 0000000D.00000003.1989352843.0000019F71265000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1788864335.0000019F6B262000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1935698180.0000019F6F5BB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1789058793.0000019F6B283000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1788664558.0000019F6B240000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1919575165.0000019F6F5BB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1788474878.0000019F6B21F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1788298351.0000019F6D700000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://gpuweb.github.io/gpuweb/	firefox.exe, 0000000D.00000003.1955351143.0000019F75A24000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://relay.firefox.com/api/v1/	firefox.exe, 0000000F.00000002.2992189109.00000254561D0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2995907428.000001DA30700000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2997151188.000001ACB3E40000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/tracking-content-report	firefox.exe, 0000000F.00000002.2992189109.00000254561D0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2995907428.000001DA30700000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2997151188.000001ACB3E40000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://topsites.services.mozilla.com/cid/	firefox.exe, 0000000F.00000002.2992189109.00000254561D0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2995907428.000001DA30700000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2997151188.000001ACB3E40000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://vk.com/	firefox.exe, 0000000D.00000003.1995417269.0000019F6FC44000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.olx.pl/	firefox.exe, 0000000D.00000003.1955351143.0000019F75A24000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1193802	firefox.exe, 0000000D.00000003.1866846261.0000019F6E412000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1896238872.0000019F6E418000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://poczta.interia.pl/mh/?mailto=%s	firefox.exe, 0000000D.00000003.1797082339.0000019F6D430000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1908332451.0000019F6D42B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1796731356.0000019F6D41B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1797291726.0000019F6D433000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1791718986.0000019F6D433000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
34.149.100.209	prod.remote-settings.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
151.101.129.91	services.addons.mozilla.org	United States	54113	FASTLYUS	false
34.107.243.93	push.services.mozilla.com	United States	15169	GOOGLEUS	false
34.107.221.82	prod.detectportal.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
35.244.181.201	prod.balrog.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
34.117.188.166	contile.services.mozilla.com	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
142.250.186.142	youtube.com	United States	15169	GOOGLEUS	false
35.201.103.21	normandy-cdn.services.mozilla.com	United States	15169	GOOGLEUS	false
35.190.72.216	prod.classify-client.prod.webservices.mozgcp.net	United States	15169	GOOGLEUS	false
34.160.144.191	prod.content-signature-chains.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.120.208.123	telemetry-incoming.r53-2.services.mozilla.com	United States	15169	GOOGLEUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1540571
Start date and time:	2024-10-23 23:01:05 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 11s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal72.troj.evad.winEXE@34/36@70/12
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 95% Number of executed functions: 40 Number of non-executed functions: 308
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 34.208.54.237, 52.13.186.250, 44.231.229.39, 2.22.61.59, 2.22.61.56, 142.250.185.238, 2.18.121.73, 2.18.121.79, 142.250.186.106, 142.250.185.234, 172.217.16.206
Excluded domains from analysis (whitelisted): fs.microsoft.com, shavar.prod.mozaws.net, ciscobinary.openh264.org, slscr.update.microsoft.com, otelrules.azureedge.net, incoming.telemetry.mozilla.org, ctldl.windowsupdate.com, a17.rackcdn.com.mdc.edgesuite.net, detectportal.prod.mozaws.net, aus5.mozilla.org, fe3cr.delivery.mp.microsoft.com, a19.dscg10.akamai.net, ocsp.digicert.com, redirector.gvt1.com, safebrowsing.googleapis.com, location.services.mozilla.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
17:02:16	API Interceptor	1x Sleep call for process: firefox.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
34.117.188.166	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.149.100.209	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
151.101.129.91	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
34.160.144.191	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
example.org	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Unknown	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
services.addons.mozilla.org	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Unknown	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
star-mini.c10r.facebook.com	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.253.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.252.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35
	file.exe	Get hash	malicious	Unknown	Browse	157.240.253.35
	https://www.jasper.ai/	Get hash	malicious	Unknown	Browse	157.240.0.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35
twitter.com	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Unknown	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Unknown	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
ATGS-MMD-ASUS	https://email.sg.on24event.com/ls/click?upn=u001.7kf5QUY4LGF7Fzt7LGE4bbPPsSPtBC4KXSPVJqWhtiGKhz4oV3PFLo8UDeLKYv23KHw-2BibCQbosx-2BrYm8YSguIMuXvCpYeqDDvEw6xfy3Div01ANz8r2e-2FhGLQvDi-2Bsc6FaIlcwFy323lwaarteGjoXmAWZ77DlZFrOHhjmiQr0-3DAi8m_lHclm8QYORDEd2i1pY8iiMApMxjKNwDzndXGWMwL-2FVaDLkCrIb-2FgQKm-2FutG0KO72H4SwpKalRDTUzZfsGO863iRy8WKrdz16mk5ZOGquq7bqjhyuPTPBO-2B-2FobhNL-2Fiw0sbfNj7OSue-2FIppdS72L8KeReKi2sYygPTTUQ6FAZhpELqizFuVYiSYb7LJ3FcFAt7VFGjIc0LjDO04TCb7Kr3RXi3OZtFXZptudql-2F9FGONhK9uxyg17fFjiwf-2FcA9HXVgOgmHDjs4LDrNR-2BYyJF8UalpN336eGaZthgfCiWJNcRv5lq5bxuf1619fxrkzY38vtDNJAVjrDOY4sJJgNY5A-3D-3D	Get hash	malicious	Unknown	Browse	34.149.148.54
	mips.elf	Get hash	malicious	Unknown	Browse	32.160.66.222
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	spc.elf	Get hash	malicious	Unknown	Browse	56.229.156.120
	ppc.elf	Get hash	malicious	Unknown	Browse	56.12.6.239
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	https://us-west-2.protection.sophos.com/?d=paypal.com&u=aHR0cHM6Ly93d3cucGF5cGFsLmNvbS9pbnZvaWNlL3BheWVyVmlldy9kZXRhaWxzL0lOVjItN1BOUS02WFVHLTc3UlMtU0Q1Vj9sb2NhbGUueD1lbl9VUyZ2PTEmdXRtX3NvdXJjZT11bnAmdXRtX21lZGl1bT1lbWFpbCZ1dG1fY2FtcGFpZ249UlQwMDAyMzgmdXRtX3VucHRpZD0yYTIxNDZlZC05MTViLTExZWYtYjk2YS0wYjFkMGJkY2NlYzEmcHBpZD1SVDAwMDIzOCZjbmFjPVVTJnJzdGE9ZW5fVVMlMjhlbi1VUyUyOSZ1bnB0aWQ9MmEyMTQ2ZWQtOTE1Yi0xMWVmLWI5NmEtMGIxZDBiZGNjZWMxJmNhbGM9ZjUxNjgyMGM1Y2Q0MyZ1bnBfdHBjaWQ9aW52b2ljZS1idXllci1ub3RpZmljYXRpb24mcGFnZT1tYWluJTNBZW1haWwlM0FSVDAwMDIzOCZwZ3JwPW1haW4lM0FlbWFpbCZlPWNsJm1jaG49ZW0mcz1jaSZtYWlsPXN5cyZhcHBWZXJzaW9uPTEuMjg3LjEmdGVuYW50X25hbWU9Jnh0PTE0NTU4NSUyQzEzNDY0NCUyQzE1MDk0OCUyQzEwNDAzOCZsaW5rX3JlZj1kZXRhaWxzX2ludjItN3BucS02eHVnLTc3cnMtc2Q1dg==&i=NThlN2NjYzYyOTljZjkxNGY4YmM0YzBi&t=dXIwWlg3KytlTG1EdzlRZmkxVjlOckM2b1BrWkxObTBEQ2VISDhjSjlYOD0=&h=7a9b3afabb0e4580a0feb91870d6da56&s=AVNPUEhUT0NFTkNSWVBUSVbTVZ2wjOkEGkbXL4nPhMMvEuG2k7zc-XuVtIgw9mnjN_b0fgOlRWAR6l8XE0q2vkLElGkG2u7h4wINuzGWow1k	Get hash	malicious	Unknown	Browse	34.147.177.40
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	arm5.elf	Get hash	malicious	Unknown	Browse	51.180.254.38
FASTLYUS	http://molatoriism.icu	Get hash	malicious	HTMLPhisher	Browse	151.101.1.140
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	https://www.google.com/url?q=3HOSozuuQiApLjODz3yh&rct=tTPSJ3J3wDFX0jkXyycT&sa=t&esrc=WSECxFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ9mfdQ6lDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp/b%C2%ADr%C2%ADi%C2%ADa%C2%ADn%C2%ADs%C2%ADd%C2%ADr%C2%ADe%C2%ADn%C2%ADn%C2%ADa%C2%ADn%C2%ADm%C2%ADo%C2%AD.%C2%ADc%C2%ADo%C2%ADm%C2%AD.%C2%ADp%C2%ADl/ZsS8z/	Get hash	malicious	HTMLPhisher	Browse	151.101.65.229
	https://fromsmash.com/8A4OM5kRFs-et	Get hash	malicious	Unknown	Browse	151.101.0.238
	Play_VM.Now.matt.sibilo_Audio.wav...v.html	Get hash	malicious	HtmlDropper	Browse	151.101.194.137
	https://s.id/closingdocview67111111	Get hash	malicious	HTMLPhisher	Browse	151.101.129.229
	Review_&_Aprove_Your_Next_Payroll39298.html	Get hash	malicious	Unknown	Browse	151.101.65.229
	ppc.elf	Get hash	malicious	Unknown	Browse	199.233.99.182
	https://dca13.z4.web.core.windows.net/werrx01USAHTML/?bcda=1-877-883-8072#	Get hash	malicious	TechSupportScam	Browse	151.101.2.137
ATGS-MMD-ASUS	https://email.sg.on24event.com/ls/click?upn=u001.7kf5QUY4LGF7Fzt7LGE4bbPPsSPtBC4KXSPVJqWhtiGKhz4oV3PFLo8UDeLKYv23KHw-2BibCQbosx-2BrYm8YSguIMuXvCpYeqDDvEw6xfy3Div01ANz8r2e-2FhGLQvDi-2Bsc6FaIlcwFy323lwaarteGjoXmAWZ77DlZFrOHhjmiQr0-3DAi8m_lHclm8QYORDEd2i1pY8iiMApMxjKNwDzndXGWMwL-2FVaDLkCrIb-2FgQKm-2FutG0KO72H4SwpKalRDTUzZfsGO863iRy8WKrdz16mk5ZOGquq7bqjhyuPTPBO-2B-2FobhNL-2Fiw0sbfNj7OSue-2FIppdS72L8KeReKi2sYygPTTUQ6FAZhpELqizFuVYiSYb7LJ3FcFAt7VFGjIc0LjDO04TCb7Kr3RXi3OZtFXZptudql-2F9FGONhK9uxyg17fFjiwf-2FcA9HXVgOgmHDjs4LDrNR-2BYyJF8UalpN336eGaZthgfCiWJNcRv5lq5bxuf1619fxrkzY38vtDNJAVjrDOY4sJJgNY5A-3D-3D	Get hash	malicious	Unknown	Browse	34.149.148.54
	mips.elf	Get hash	malicious	Unknown	Browse	32.160.66.222
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	spc.elf	Get hash	malicious	Unknown	Browse	56.229.156.120
	ppc.elf	Get hash	malicious	Unknown	Browse	56.12.6.239
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	https://us-west-2.protection.sophos.com/?d=paypal.com&u=aHR0cHM6Ly93d3cucGF5cGFsLmNvbS9pbnZvaWNlL3BheWVyVmlldy9kZXRhaWxzL0lOVjItN1BOUS02WFVHLTc3UlMtU0Q1Vj9sb2NhbGUueD1lbl9VUyZ2PTEmdXRtX3NvdXJjZT11bnAmdXRtX21lZGl1bT1lbWFpbCZ1dG1fY2FtcGFpZ249UlQwMDAyMzgmdXRtX3VucHRpZD0yYTIxNDZlZC05MTViLTExZWYtYjk2YS0wYjFkMGJkY2NlYzEmcHBpZD1SVDAwMDIzOCZjbmFjPVVTJnJzdGE9ZW5fVVMlMjhlbi1VUyUyOSZ1bnB0aWQ9MmEyMTQ2ZWQtOTE1Yi0xMWVmLWI5NmEtMGIxZDBiZGNjZWMxJmNhbGM9ZjUxNjgyMGM1Y2Q0MyZ1bnBfdHBjaWQ9aW52b2ljZS1idXllci1ub3RpZmljYXRpb24mcGFnZT1tYWluJTNBZW1haWwlM0FSVDAwMDIzOCZwZ3JwPW1haW4lM0FlbWFpbCZlPWNsJm1jaG49ZW0mcz1jaSZtYWlsPXN5cyZhcHBWZXJzaW9uPTEuMjg3LjEmdGVuYW50X25hbWU9Jnh0PTE0NTU4NSUyQzEzNDY0NCUyQzE1MDk0OCUyQzEwNDAzOCZsaW5rX3JlZj1kZXRhaWxzX2ludjItN3BucS02eHVnLTc3cnMtc2Q1dg==&i=NThlN2NjYzYyOTljZjkxNGY4YmM0YzBi&t=dXIwWlg3KytlTG1EdzlRZmkxVjlOckM2b1BrWkxObTBEQ2VISDhjSjlYOD0=&h=7a9b3afabb0e4580a0feb91870d6da56&s=AVNPUEhUT0NFTkNSWVBUSVbTVZ2wjOkEGkbXL4nPhMMvEuG2k7zc-XuVtIgw9mnjN_b0fgOlRWAR6l8XE0q2vkLElGkG2u7h4wINuzGWow1k	Get hash	malicious	Unknown	Browse	34.147.177.40
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	arm5.elf	Get hash	malicious	Unknown	Browse	51.180.254.38

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fb0aa01abe9d8e4037eb3473ca6e2dca	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Unknown	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_1a8fe094-ef80-4de2-9d30-5f01a2cf35e5.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.1792257450126655
Encrypted:	false
SSDEEP:	192:jjMXb3AcbhbVbTbfbRbObtbyEl7n4rwJA6WnSrDtTUd/SkDrs:jYccNhnzFSJYrjBnSrDhUd/6
MD5:	5B8123B6B18A7434EBAF72874A895797
SHA1:	E80374E3CCAC6D10DF3900FB9A1D5F62A640C4A1
SHA-256:	05ADBEC4832CB0B8759B9393DDA8676C6225B122CA0B473E67D0771F3F958663
SHA-512:	1446E97A3A310AE7B5BCED40B3B056DE2E0603F25E87BBA9B6173DB60DC6D8DFF6091C6037F5884D1227A18979FFFB8033D5B251786F532C0A4FE2825F6A7C98
Malicious:	false
Preview:	{"type":"uninstall","id":"1a8fe094-ef80-4de2-9d30-5f01a2cf35e5","creationDate":"2024-10-23T22:11:03.380Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"65e71c9e-6ac3-4903-9066-b134350de32c","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_1a8fe094-ef80-4de2-9d30-5f01a2cf35e5.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.1792257450126655
Encrypted:	false
SSDEEP:	192:jjMXb3AcbhbVbTbfbRbObtbyEl7n4rwJA6WnSrDtTUd/SkDrs:jYccNhnzFSJYrjBnSrDhUd/6
MD5:	5B8123B6B18A7434EBAF72874A895797
SHA1:	E80374E3CCAC6D10DF3900FB9A1D5F62A640C4A1
SHA-256:	05ADBEC4832CB0B8759B9393DDA8676C6225B122CA0B473E67D0771F3F958663
SHA-512:	1446E97A3A310AE7B5BCED40B3B056DE2E0603F25E87BBA9B6173DB60DC6D8DFF6091C6037F5884D1227A18979FFFB8033D5B251786F532C0A4FE2825F6A7C98
Malicious:	false
Preview:	{"type":"uninstall","id":"1a8fe094-ef80-4de2-9d30-5f01a2cf35e5","creationDate":"2024-10-23T22:11:03.380Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"65e71c9e-6ac3-4903-9066-b134350de32c","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ISO Media, MP4 Base Media v1 [ISO 14496-12:2003]
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.4593089050301797
Encrypted:	false
SSDEEP:	48:9SP0nUgwyZXYI65yFRX2D3GNTTfyn0Mk1iA:9SDKaIjo3UzyE1L
MD5:	D910AD167F0217587501FDCDB33CC544
SHA1:	2F57441CEFDC781011B53C1C5D29AC54835AFC1D
SHA-256:	E3699D9404A3FFC1AFF0CA8A3972DC0EF38BDAB927741E9F627C7C55CEA42E81
SHA-512:	F1871BF28FF25EE52BDB99C7A80AB715C7CAC164DCD2FD87E681168EE927FD2C5E80E03C91BB638D955A4627213BF575FF4D9EECAEDA7718C128CF2CE8F7CB3D
Malicious:	false
Preview:	... ftypisom....isomiso2avc1mp41....free....mdat..........E...H..,. .#..x264 - core 152 r2851 ba24899 - H.264/MPEG-4 AVC codec - Copyleft 2003-2017 - http://www.videolan.org/x264.html - options: cabac=1 ref=3 deblock=1:0:0 analyse=0x3:0x113 me=hex subme=7 psy=1 psy_rd=1.00:0.00 mixed_ref=1 me_range=16 chroma_me=1 trellis=1 8x8dct=1 cqm=0 deadzone=21,11 fast_pskip=1 chroma_qp_offset=-2 threads=4 lookahead_threads=1 sliced_threads=0 nr=0 decimate=1 interlaced=0 bluray_compat=0 constrained_intra=0 bframes=3 b_pyramid=2 b_adapt=1 b_bias=0 direct=1 weightb=1 open_gop=0 weightp=2 keyint=250 keyint_min=25 scenecut=40 intra_refresh=0 rc_lookahead=40 rc=crf mbtree=1 crf=23.0 qcomp=0.60 qpmin=0 qpmax=69 qpstep=4 ip_ratio=1.40 aq=1:1.00......e...+...s\|.kG3...'.u.."...,J.w.~.d\..(K....!.+..;....h....(.T.*...M......0..~L..8..B..A.y..R..,.zBP.';j.@.].w..........c......C=.'f....gI.$^.......m5V.L...{U..%V[....8......B..i..^,....:...,..5.m.%dA....moov...lmvhd...................(...........

C:\Users\user\AppData\Local\Temp\tmpaddon

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	453023
Entropy (8bit):	7.997718157581587
Encrypted:	true
SSDEEP:	12288:tESTeqTI2r4ZbCgUKWKNeRcPMb6qlV7hVZe3:tEsed2Xh9/bdzZe3
MD5:	85430BAED3398695717B0263807CF97C
SHA1:	FFFBEE923CEA216F50FCE5D54219A188A5100F41
SHA-256:	A9F4281F82B3579581C389E8583DC9F477C7FD0E20C9DFC91A2E611E21E3407E
SHA-512:	06511F1F6C6D44D076B3C593528C26A602348D9C41689DBF5FF716B671C3CA5756B12CB2E5869F836DEDCE27B1A5CFE79B93C707FD01F8E84B620923BB61B5F1
Malicious:	false
Preview:	PK.........bN...R..........gmpopenh264.dll..\|.E.0.=..I.....1....4f1q.`.........q.....'+....hm{.z..o_.{w........$..($A!...\|L...B&A2.s.{..Dd......c.U.U..9u.S...K.l`...../.d.-....\|.....&....9......wn..x......i.#O.+.Y.l......+....,3.3f..\..c.SSS,............N...GG...F.'.&.:'.K.Z&.>.@.g..M...M.`............ZR....^jg.G.Kb.o~va.....<Z..1.#.O.e.....D..X..i..$imBW..Q&.......P.....,M.,..:.c...-...\...........-i.K.I..4.a..6.....Ov=...W..F.CH.>...a.'.x...#@f...d..u.1....OV.1o}....g.5.._.3.J.Hi.Z.ipM....b.Z....%.G..F................/..3.q..J.....o...%.g.N..}..).3.N%.!..q........^I.m..~...6.#.~+.....A...I]r...x...<IYj....p0..`S.M@.E..f.=.;!.@.....E..E....... .0.n....Jd..d......uM.-.qI.lR..z..=}..r.D.XLZ....x.$..\|c.1.cUkM.&.Qn]..a]t.h...!.6 7..Jd.DvKJ"Wgd*%n...w...Jni.inmr.@M.$'Z.s....#)%..Rs..:.h....R....\..t.6..'.g.........Uj+F.cr:\|..!..K.W.Y...17......,....r.....>.N..3.R.Y.._\...Ir.DNJdM... .k...&V-....z.%...-...D..i..&...6....7.2T).>..0..%.&.

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.9318785227512585
Encrypted:	false
SSDEEP:	48:YnSwkmrOfJNmPUFpOdwNIOdoWLEWLtkDLuuukx5FBvipA6kbbXjQthvLuhakNM9E:8S+OfJQPUFpOdwNIOdYVjvYcXaNLDP8P
MD5:	5CF60F4AEE131F117B03EDABB275A744
SHA1:	31EFC253B3B2E2E526A536A3D9931E3196F43208
SHA-256:	E99F2A2CD8EA3A700544D4654D2CA693130BC9FEDC6B4C385728AA5E49FF2BCF
SHA-512:	06F32DDEF9B551AB44D171FA604C2FC6130381728D170EEBB9A91264AD71EFA6A01503DA63BC79F69DDA1F17D9051D9EA0F63ED79998B12E6E631284FA794F52
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"c5d95379-f4ee-4629-a507-6f15a0e93cd4","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-03T11:50:29.548Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.9318785227512585
Encrypted:	false
SSDEEP:	48:YnSwkmrOfJNmPUFpOdwNIOdoWLEWLtkDLuuukx5FBvipA6kbbXjQthvLuhakNM9E:8S+OfJQPUFpOdwNIOdYVjvYcXaNLDP8P
MD5:	5CF60F4AEE131F117B03EDABB275A744
SHA1:	31EFC253B3B2E2E526A536A3D9931E3196F43208
SHA-256:	E99F2A2CD8EA3A700544D4654D2CA693130BC9FEDC6B4C385728AA5E49FF2BCF
SHA-512:	06F32DDEF9B551AB44D171FA604C2FC6130381728D170EEBB9A91264AD71EFA6A01503DA63BC79F69DDA1F17D9051D9EA0F63ED79998B12E6E631284FA794F52
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"c5d95379-f4ee-4629-a507-6f15a0e93cd4","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-03T11:50:29.548Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 23432 bytes
Category:	dropped
Size (bytes):	5312
Entropy (8bit):	6.615424734763731
Encrypted:	false
SSDEEP:	96:V2YbKsKNU2xWrp327tGmD4wBON6h6cHaJVJuZMd0JGkkrw2D:VTx2x2t0FDJ4NpwZMd0EJws
MD5:	1B9C8056D3619CE5A8C59B0C09873F17
SHA1:	1015C630E1937AA63F6AB31743782ECB5D78CCD8
SHA-256:	A6AE5DE0733FED050AB570AD9374FF4593D554F695B5AE4E2495871D171D34A3
SHA-512:	B1DC9CC675D5476C270A2D5B214D3DF2B3856576ED7EFE92D9A606C2D9D34E781018902AE75CE9C1E25007BB7F8D8F7B52997E6F05B845EF44BAF22F614FE899
Malicious:	false
Preview:	mozLz40..[....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 23432 bytes
Category:	dropped
Size (bytes):	5312
Entropy (8bit):	6.615424734763731
Encrypted:	false
SSDEEP:	96:V2YbKsKNU2xWrp327tGmD4wBON6h6cHaJVJuZMd0JGkkrw2D:VTx2x2t0FDJ4NpwZMd0EJws
MD5:	1B9C8056D3619CE5A8C59B0C09873F17
SHA1:	1015C630E1937AA63F6AB31743782ECB5D78CCD8
SHA-256:	A6AE5DE0733FED050AB570AD9374FF4593D554F695B5AE4E2495871D171D34A3
SHA-512:	B1DC9CC675D5476C270A2D5B214D3DF2B3856576ED7EFE92D9A606C2D9D34E781018902AE75CE9C1E25007BB7F8D8F7B52997E6F05B845EF44BAF22F614FE899
Malicious:	false
Preview:	mozLz40..[....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 5, last written using SQLite version 3042000, page size 32768, file counter 5, database pages 8, cookie 0x6, schema 4, largest root page 8, UTF-8, vacuum mode 1, version-valid-for 5
Category:	dropped
Size (bytes):	262144
Entropy (8bit):	0.04905391753567332
Encrypted:	false
SSDEEP:	24:DLivwae+Q8Uu50xj0aWe9LxYkKA25Q5tvAA:D6wae+QtMImelekKDa5
MD5:	DD9D28E87ED57D16E65B14501B4E54D1
SHA1:	793839B47326441BE2D1336BA9A61C9B948C578D
SHA-256:	BB4E6C58C50BD6399ED70468C02B584595C29F010B66F864CD4D6B427FA365BC
SHA-512:	A2626F6A3CBADE62E38DA5987729D99830D0C6AA134D4A9E615026A5F18ACBB11A2C3C80917DAD76DA90ED5BAA9B0454D4A3C2DD04436735E78C974BA1D035B1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......\|....~.}.}z}-\|.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.185924656884556
Encrypted:	false
SSDEEP:	768:wI43DvfWXf4E6C4p4EC4Y4QfEWvM4B4QS4z4444XQ4U:wUfdvk
MD5:	5656BA69BD2966108A461AAE35F60226
SHA1:	9C2E5AE52D82CEA43C4A5FFF205A7700CF54D61C
SHA-256:	587596712960B26EAC18CB354CCD633FFDB218E374A9D59EFEA843914D7AB299
SHA-512:	38F715AD9156558B5D57CA2E75FB0FFE0C5C6728BD94484B8F15E090120DDD02DCE42DBC9CC7143AD6552460A5F3A40E577FAF1D76D5D40B25CDBE636F250054
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{60024e8e-cfd0-41e5-965d-7128c7dcf0e8}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.185924656884556
Encrypted:	false
SSDEEP:	768:wI43DvfWXf4E6C4p4EC4Y4QfEWvM4B4QS4z4444XQ4U:wUfdvk
MD5:	5656BA69BD2966108A461AAE35F60226
SHA1:	9C2E5AE52D82CEA43C4A5FFF205A7700CF54D61C
SHA-256:	587596712960B26EAC18CB354CCD633FFDB218E374A9D59EFEA843914D7AB299
SHA-512:	38F715AD9156558B5D57CA2E75FB0FFE0C5C6728BD94484B8F15E090120DDD02DCE42DBC9CC7143AD6552460A5F3A40E577FAF1D76D5D40B25CDBE636F250054
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{60024e8e-cfd0-41e5-965d-7128c7dcf0e8}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\permissions.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.07333858257979299
Encrypted:	false
SSDEEP:	12:DBl/A0OWla0mwPxRymgObsCVR45wcYR4fmnsCVR4zkiE1X:DLhesh7Owd4+jiE1
MD5:	3D19952520ACF8B1E019F73475374026
SHA1:	D01813AD9A6C0524340B091C5E35AB33461A523C
SHA-256:	769C43B6BB756ABB4EF36FC10237B2FD1D9EC653A7D6025BA64A979B9875A59D
SHA-512:	82167454BDA355F333581FBFBF90363225DC0DFB913CDAD7F280C0B688E77B166A62342898FD1392188AE5377D6864F182170B30F9C4700A98F75F7F4AF1CF28
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......~s..F~s........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.035569227318798996
Encrypted:	false
SSDEEP:	3:GtlstFGhJC0am9oltlstFGhJC0amltL89//alEl:GtWtEhMyiltWtEhMy789XuM
MD5:	A78D9EAE079940CC743ED6119B0403A0
SHA1:	2B1E901329A20DBA4AC280C758B68B4FC1BDFDF1
SHA-256:	473CD0FD33E6E176DEA1361CE6DDA894D2DF482E2FFBB2B1E663C3DA0EF1928E
SHA-512:	DE1BADFAFCECF061A4117DF01CB604FBA2892B909D4C6CCAB093EE2758A86109B6B9EE12A98518D2C79E1953AA72FFD141F148216DC66566491FFD39849DA019
Malicious:	false
Preview:	..-.......................n...aT/d..o.z..'@K.v...-.......................n...aT/d..o.z..'@K.v.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-wal

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	dropped
Size (bytes):	32824
Entropy (8bit):	0.03987623536549593
Encrypted:	false
SSDEEP:	3:Ol19JOGchylNxs4DiZ8m/liwl8rEXsxdwhml8XW3R2:KnJOwjs4Clll8dMhm93w
MD5:	CBC4899F5AE5E913CB42C7D011AEBE2D
SHA1:	65F24A537BD007F92AEB6AF4C7FBD75DF1242148
SHA-256:	363DFD3B190352373CC2D900503DA1A827B943DAD83C684E537B9E525AA9C266
SHA-512:	236F40B31F9EF5E1E23D30BE6FCE3A58FDD190916072D0B3C6ED8D89C2FB23DE5D524871BA2F11426959C7C12ABCA01E71463667C571D7A4C095DDBEB7A14FC9
Malicious:	false
Preview:	7....-..........T/d..o.z.+2g.Iy.........T/d..o.zn..a..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs-1.js

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1809), with CRLF line terminators
Category:	dropped
Size (bytes):	13254
Entropy (8bit):	5.494140837112155
Encrypted:	false
SSDEEP:	192:+naRtLYbBp64hj4qyaaXp6K9CN7i5RfGNBw8daSl:7eOqLOuWcwh0
MD5:	01F93B99F3F975EF278D645E686F8274
SHA1:	683E5483A90B6380977EE51E26396AE7DBD833C1
SHA-256:	E10720B8AB0F4F0E2F06BB428FD991C314B392F897649DBB0E6413E479A16F58
SHA-512:	BCFC2205D10D47A55BB08CBAD332F85F341C641477EA013FBE418DEAE6CCADCB2F98E778C5E7E180A5FCA0D242B7B2729850E2F182230322C8C5C23C25A5EBEE
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "57f16a19-e119-4073-bf01-28f88011f783");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1729721433);..user_pref("app.update.lastUpdateTime.background-update-timer", 1729721433);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1729721433);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 172972

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1809), with CRLF line terminators
Category:	dropped
Size (bytes):	13254
Entropy (8bit):	5.494140837112155
Encrypted:	false
SSDEEP:	192:+naRtLYbBp64hj4qyaaXp6K9CN7i5RfGNBw8daSl:7eOqLOuWcwh0
MD5:	01F93B99F3F975EF278D645E686F8274
SHA1:	683E5483A90B6380977EE51E26396AE7DBD833C1
SHA-256:	E10720B8AB0F4F0E2F06BB428FD991C314B392F897649DBB0E6413E479A16F58
SHA-512:	BCFC2205D10D47A55BB08CBAD332F85F341C641477EA013FBE418DEAE6CCADCB2F98E778C5E7E180A5FCA0D242B7B2729850E2F182230322C8C5C23C25A5EBEE
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "57f16a19-e119-4073-bf01-28f88011f783");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1729721433);..user_pref("app.update.lastUpdateTime.background-update-timer", 1729721433);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1729721433);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 172972

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\protections.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 1, last written using SQLite version 3042000, page size 32768, file counter 5, database pages 2, cookie 0x1, schema 4, UTF-8, version-valid-for 5
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.04062825861060003
Encrypted:	false
SSDEEP:	6:ltBl/l4/WN1h4BEJYqWvLue3FMOrMZ0l:DBl/WuntfJiFxMZO
MD5:	18F65713B07CB441E6A98655B726D098
SHA1:	2CEFA32BC26B25BE81C411B60C9925CB0F1F8F88
SHA-256:	B6C268E48546B113551A5AF9CA86BB6A462A512DE6C9289315E125CEB0FD8621
SHA-512:	A6871076C7D7ED53B630F9F144ED04303AD54A2E60B94ECA2AA96964D1AB375EEFDCA86CE0D3EB0E9DBB81470C6BD159877125A080C95EB17E54A52427F805FB
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......x..x..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\saved-telemetry-pings\ef088af3-85e9-4777-b52a-23cda8f75161 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	493
Entropy (8bit):	4.964715668927481
Encrypted:	false
SSDEEP:	12:YZFg2ou9ymJFvnWlIVHlW8cOlZGV1AQIYzvZcyBuLZ2d:Yfou9ykySlCOlZGV1AQIWZcy6Z2d
MD5:	05F73321C951D91EB4C418283075B2B0
SHA1:	A7B86DA6A8BA08F32A1BBF15FF2BC5B8FF542416
SHA-256:	594F5962E1D3A3F4FA61F51EA45437CB7B851C7CF05B1C824BA528E8FE0F86D3
SHA-512:	1FAC5A6F2C61125F7BB007758D65B76D5B2A3F029E1ECCE54F6679AF1E47C9C89AED1D3EDEECF546BC207F6B2D188ED1053B8DDC969C03F255E1B86F2C017BD5
Malicious:	false
Preview:	{"type":"health","id":"ef088af3-85e9-4777-b52a-23cda8f75161","creationDate":"2024-10-23T22:11:04.034Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"os":{"name":"WINNT","version":"10.0"},"reason":"immediate","sendFailure":{"eUnreachable":1}},"clientId":"65e71c9e-6ac3-4903-9066-b134350de32c"}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\saved-telemetry-pings\ef088af3-85e9-4777-b52a-23cda8f75161.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	modified
Size (bytes):	493
Entropy (8bit):	4.964715668927481
Encrypted:	false
SSDEEP:	12:YZFg2ou9ymJFvnWlIVHlW8cOlZGV1AQIYzvZcyBuLZ2d:Yfou9ykySlCOlZGV1AQIWZcy6Z2d
MD5:	05F73321C951D91EB4C418283075B2B0
SHA1:	A7B86DA6A8BA08F32A1BBF15FF2BC5B8FF542416
SHA-256:	594F5962E1D3A3F4FA61F51EA45437CB7B851C7CF05B1C824BA528E8FE0F86D3
SHA-512:	1FAC5A6F2C61125F7BB007758D65B76D5B2A3F029E1ECCE54F6679AF1E47C9C89AED1D3EDEECF546BC207F6B2D188ED1053B8DDC969C03F255E1B86F2C017BD5
Malicious:	false
Preview:	{"type":"health","id":"ef088af3-85e9-4777-b52a-23cda8f75161","creationDate":"2024-10-23T22:11:04.034Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"os":{"name":"WINNT","version":"10.0"},"reason":"immediate","sendFailure":{"eUnreachable":1}},"clientId":"65e71c9e-6ac3-4903-9066-b134350de32c"}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionCheckpoints.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionCheckpoints.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.baklz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1566
Entropy (8bit):	6.325981155194447
Encrypted:	false
SSDEEP:	24:v+USUGlcAxS3U50LXnIgD/pnxQwRlszT5sKt0Y3eHVQj6TUamhujJF6tOsIomNV8:GUpOxx2VnR6SY3eHTU4JF6tIquR4
MD5:	3BFAB4FAA32D4D470E79839C9745EC86
SHA1:	56F6ED59252B61CC1C866127D89997EFBDCD7A54
SHA-256:	3D02A8B4F8E0F46751F308700A61E6DD43E6C9D7415828AE5D75D95CD709F6A1
SHA-512:	50D30355631AEDA722AC6A3315734BD5186196D0DE1537AA15C6883A04BA65657FF7376C95F4B7C457B4F431DB76867D0D6404C1B1C33F0CF079172194EC0488
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{a48dfeab-2ae4-4bda-8afa-7c78fc511ad3}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1729721438116,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zD..1...Wm..l........j..:....1":{..mUpdate...startTim..P02792...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...A8bad2467092e6ddeb0dfa9e5ea54d86d26790ca7ba2ce88d10cb4604fe726755","path":"/","na..a"taarI\|.Recure...,`.Donly..fexpiry...10807,"originA...."f

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.jsonlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1566
Entropy (8bit):	6.325981155194447
Encrypted:	false
SSDEEP:	24:v+USUGlcAxS3U50LXnIgD/pnxQwRlszT5sKt0Y3eHVQj6TUamhujJF6tOsIomNV8:GUpOxx2VnR6SY3eHTU4JF6tIquR4
MD5:	3BFAB4FAA32D4D470E79839C9745EC86
SHA1:	56F6ED59252B61CC1C866127D89997EFBDCD7A54
SHA-256:	3D02A8B4F8E0F46751F308700A61E6DD43E6C9D7415828AE5D75D95CD709F6A1
SHA-512:	50D30355631AEDA722AC6A3315734BD5186196D0DE1537AA15C6883A04BA65657FF7376C95F4B7C457B4F431DB76867D0D6404C1B1C33F0CF079172194EC0488
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{a48dfeab-2ae4-4bda-8afa-7c78fc511ad3}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1729721438116,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zD..1...Wm..l........j..:....1":{..mUpdate...startTim..P02792...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...A8bad2467092e6ddeb0dfa9e5ea54d86d26790ca7ba2ce88d10cb4604fe726755","path":"/","na..a"taarI\|.Recure...,`.Donly..fexpiry...10807,"originA...."f

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.jsonlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1566
Entropy (8bit):	6.325981155194447
Encrypted:	false
SSDEEP:	24:v+USUGlcAxS3U50LXnIgD/pnxQwRlszT5sKt0Y3eHVQj6TUamhujJF6tOsIomNV8:GUpOxx2VnR6SY3eHTU4JF6tIquR4
MD5:	3BFAB4FAA32D4D470E79839C9745EC86
SHA1:	56F6ED59252B61CC1C866127D89997EFBDCD7A54
SHA-256:	3D02A8B4F8E0F46751F308700A61E6DD43E6C9D7415828AE5D75D95CD709F6A1
SHA-512:	50D30355631AEDA722AC6A3315734BD5186196D0DE1537AA15C6883A04BA65657FF7376C95F4B7C457B4F431DB76867D0D6404C1B1C33F0CF079172194EC0488
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{a48dfeab-2ae4-4bda-8afa-7c78fc511ad3}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1729721438116,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zD..1...Wm..l........j..:....1":{..mUpdate...startTim..P02792...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...A8bad2467092e6ddeb0dfa9e5ea54d86d26790ca7ba2ce88d10cb4604fe726755","path":"/","na..a"taarI\|.Recure...,`.Donly..fexpiry...10807,"originA...."f

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 131075, last written using SQLite version 3042000, page size 512, file counter 6, database pages 8, cookie 0x4, schema 4, UTF-8, version-valid-for 6
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	2.0836444556178684
Encrypted:	false
SSDEEP:	24:JBwdh/cEUcR9PzNFPFHx/GJRBdkOrDcRB1trwDeAq2gRMyxr3:jnEUo9LXtR+JdkOnohYsl
MD5:	8B40B1534FF0F4B533AF767EB5639A05
SHA1:	63EDB539EA39AD09D701A36B535C4C087AE08CC9
SHA-256:	AF275A19A5C2C682139266065D90C237282274D11C5619A121B7BDBDB252861B
SHA-512:	54AF707698CED33C206B1B193DA414D630901762E88E37E99885A50D4D5F8DDC28367C9B401DFE251CF0552B4FA446EE28F78A97C9096AFB0F2898BFBB673B53
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\targeting.snapshot.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.033237776439363
Encrypted:	false
SSDEEP:	48:YrSAYe6UQZpExB1+anOsW4Vh351VxWRzzc8eYMsku7f86SLAVL7if5FtsfAcbyJW:yceyTEr5QFRzzcMvbw6KkCrrc2Rn27
MD5:	DA2A788E67E8C9D88E818C6038926D8B
SHA1:	46FE0E2DFAE9B5A5E1084E7D80B5DA423916A63F
SHA-256:	FBA83D414A954505149D869BDD43704E4A9CC053E95813AE7D06191426CC579F
SHA-512:	3CD627322A86E26499F9E4EF3101018ADF5689E3467BC270D7107B0CC32006D3D26CB95EDAA3BC18E98A08014EA31A4FB5B8C9DB345D90A9DA90A262A962E8D2
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-10-23T22:10:21.667Z","profileAgeCreated":1696333826043,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\targeting.snapshot.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.033237776439363
Encrypted:	false
SSDEEP:	48:YrSAYe6UQZpExB1+anOsW4Vh351VxWRzzc8eYMsku7f86SLAVL7if5FtsfAcbyJW:yceyTEr5QFRzzcMvbw6KkCrrc2Rn27
MD5:	DA2A788E67E8C9D88E818C6038926D8B
SHA1:	46FE0E2DFAE9B5A5E1084E7D80B5DA423916A63F
SHA-256:	FBA83D414A954505149D869BDD43704E4A9CC053E95813AE7D06191426CC579F
SHA-512:	3CD627322A86E26499F9E4EF3101018ADF5689E3467BC270D7107B0CC32006D3D26CB95EDAA3BC18E98A08014EA31A4FB5B8C9DB345D90A9DA90A262A962E8D2
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-10-23T22:10:21.667Z","profileAgeCreated":1696333826043,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.584694528001064
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	919'552 bytes
MD5:	af0d4ef07df3fe2fddee37bde65d8665
SHA1:	7b21db5575f73d8234ef3cfaa979a858cf49efb0
SHA256:	11a7e24adcc3b0b21da14a3a74c813596ca386d104d48a492a9c5ae44f2c2d12
SHA512:	53cea1d5fc1c98a2ede8c2287ef6b9fce88653a60b3c1e619273589d2e8e8d6454d6526adcfd6d483ed46f9c938a3a991a97bc31903ce0aae9d0fce7ef7de2f4
SSDEEP:	12288:8qDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDga/TU:8qDEvCTbMWu7rQYlBQcBiT6rprG8abU
TLSH:	38159E0273D1C062FFAB92334B5AF6515BBC69260123E61F13981DB9BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x67196006 [Wed Oct 23 20:43:50 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F52BCEB7FC3h
jmp 00007F52BCEB78CFh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F52BCEB7AADh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F52BCEB7A7Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F52BCEBA66Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F52BCEBA6B8h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F52BCEBA6A1h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x9c28	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xde000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x9c28	0x9e00	a131600a7d5d5669796a56684a181d95	False	0.3156398338607595	data	5.374005097464104	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xde000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0xef0	data			1.0028765690376569
RT_GROUP_ICON	0xdd6a8	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xdd720	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xdd734	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xdd748	0x14	data	English	Great Britain	1.25
RT_VERSION	0xdd75c	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xdd838	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 23, 2024 23:02:11.365197897 CEST	49736	443	192.168.2.4	35.190.72.216
Oct 23, 2024 23:02:11.365232944 CEST	443	49736	35.190.72.216	192.168.2.4
Oct 23, 2024 23:02:11.376708031 CEST	49736	443	192.168.2.4	35.190.72.216
Oct 23, 2024 23:02:11.382947922 CEST	49736	443	192.168.2.4	35.190.72.216
Oct 23, 2024 23:02:11.382966042 CEST	443	49736	35.190.72.216	192.168.2.4
Oct 23, 2024 23:02:12.009480953 CEST	443	49736	35.190.72.216	192.168.2.4
Oct 23, 2024 23:02:12.009504080 CEST	443	49736	35.190.72.216	192.168.2.4
Oct 23, 2024 23:02:12.012588978 CEST	49736	443	192.168.2.4	35.190.72.216
Oct 23, 2024 23:02:12.048113108 CEST	49736	443	192.168.2.4	35.190.72.216
Oct 23, 2024 23:02:12.048113108 CEST	49736	443	192.168.2.4	35.190.72.216
Oct 23, 2024 23:02:12.048146963 CEST	443	49736	35.190.72.216	192.168.2.4
Oct 23, 2024 23:02:12.048429012 CEST	443	49736	35.190.72.216	192.168.2.4
Oct 23, 2024 23:02:12.050292015 CEST	49736	443	192.168.2.4	35.190.72.216
Oct 23, 2024 23:02:13.795600891 CEST	49738	443	192.168.2.4	142.250.186.142
Oct 23, 2024 23:02:13.795643091 CEST	443	49738	142.250.186.142	192.168.2.4
Oct 23, 2024 23:02:13.796017885 CEST	49738	443	192.168.2.4	142.250.186.142
Oct 23, 2024 23:02:13.797409058 CEST	49738	443	192.168.2.4	142.250.186.142
Oct 23, 2024 23:02:13.797434092 CEST	443	49738	142.250.186.142	192.168.2.4
Oct 23, 2024 23:02:14.092439890 CEST	49739	443	192.168.2.4	142.250.186.142
Oct 23, 2024 23:02:14.092524052 CEST	443	49739	142.250.186.142	192.168.2.4
Oct 23, 2024 23:02:14.103487968 CEST	49739	443	192.168.2.4	142.250.186.142
Oct 23, 2024 23:02:14.105067015 CEST	49739	443	192.168.2.4	142.250.186.142
Oct 23, 2024 23:02:14.105149984 CEST	443	49739	142.250.186.142	192.168.2.4
Oct 23, 2024 23:02:14.116116047 CEST	49740	80	192.168.2.4	34.107.221.82
Oct 23, 2024 23:02:14.122948885 CEST	80	49740	34.107.221.82	192.168.2.4
Oct 23, 2024 23:02:14.123743057 CEST	49740	80	192.168.2.4	34.107.221.82
Oct 23, 2024 23:02:14.123867035 CEST	49740	80	192.168.2.4	34.107.221.82
Oct 23, 2024 23:02:14.129936934 CEST	80	49740	34.107.221.82	192.168.2.4
Oct 23, 2024 23:02:14.363326073 CEST	49742	443	192.168.2.4	34.117.188.166
Oct 23, 2024 23:02:14.363368988 CEST	443	49742	34.117.188.166	192.168.2.4
Oct 23, 2024 23:02:14.363512993 CEST	49742	443	192.168.2.4	34.117.188.166
Oct 23, 2024 23:02:14.364830017 CEST	49742	443	192.168.2.4	34.117.188.166
Oct 23, 2024 23:02:14.364849091 CEST	443	49742	34.117.188.166	192.168.2.4
Oct 23, 2024 23:02:14.594753981 CEST	49743	443	192.168.2.4	34.117.188.166
Oct 23, 2024 23:02:14.594841003 CEST	443	49743	34.117.188.166	192.168.2.4
Oct 23, 2024 23:02:14.594927073 CEST	49743	443	192.168.2.4	34.117.188.166
Oct 23, 2024 23:02:14.596446037 CEST	49743	443	192.168.2.4	34.117.188.166
Oct 23, 2024 23:02:14.596488953 CEST	443	49743	34.117.188.166	192.168.2.4
Oct 23, 2024 23:02:14.654757977 CEST	49744	443	192.168.2.4	35.244.181.201
Oct 23, 2024 23:02:14.654828072 CEST	443	49744	35.244.181.201	192.168.2.4
Oct 23, 2024 23:02:14.657078028 CEST	49744	443	192.168.2.4	35.244.181.201
Oct 23, 2024 23:02:14.657243013 CEST	49744	443	192.168.2.4	35.244.181.201
Oct 23, 2024 23:02:14.657279968 CEST	443	49744	35.244.181.201	192.168.2.4
Oct 23, 2024 23:02:14.667810917 CEST	443	49738	142.250.186.142	192.168.2.4
Oct 23, 2024 23:02:14.668808937 CEST	443	49738	142.250.186.142	192.168.2.4
Oct 23, 2024 23:02:14.677740097 CEST	49738	443	192.168.2.4	142.250.186.142
Oct 23, 2024 23:02:14.677776098 CEST	443	49738	142.250.186.142	192.168.2.4
Oct 23, 2024 23:02:14.682696104 CEST	49738	443	192.168.2.4	142.250.186.142
Oct 23, 2024 23:02:14.687308073 CEST	49738	443	192.168.2.4	142.250.186.142
Oct 23, 2024 23:02:14.687323093 CEST	443	49738	142.250.186.142	192.168.2.4
Oct 23, 2024 23:02:14.687387943 CEST	49738	443	192.168.2.4	142.250.186.142
Oct 23, 2024 23:02:14.687948942 CEST	443	49738	142.250.186.142	192.168.2.4
Oct 23, 2024 23:02:14.689423084 CEST	49738	443	192.168.2.4	142.250.186.142
Oct 23, 2024 23:02:14.718800068 CEST	80	49740	34.107.221.82	192.168.2.4
Oct 23, 2024 23:02:14.768599987 CEST	49740	80	192.168.2.4	34.107.221.82
Oct 23, 2024 23:02:14.961152077 CEST	443	49739	142.250.186.142	192.168.2.4
Oct 23, 2024 23:02:14.961170912 CEST	443	49739	142.250.186.142	192.168.2.4
Oct 23, 2024 23:02:14.962584019 CEST	443	49739	142.250.186.142	192.168.2.4
Oct 23, 2024 23:02:14.964277983 CEST	49739	443	192.168.2.4	142.250.186.142
Oct 23, 2024 23:02:14.964344025 CEST	443	49739	142.250.186.142	192.168.2.4
Oct 23, 2024 23:02:14.969329119 CEST	49739	443	192.168.2.4	142.250.186.142
Oct 23, 2024 23:02:14.969330072 CEST	49739	443	192.168.2.4	142.250.186.142
Oct 23, 2024 23:02:14.969419956 CEST	443	49739	142.250.186.142	192.168.2.4
Oct 23, 2024 23:02:14.969611883 CEST	443	49739	142.250.186.142	192.168.2.4
Oct 23, 2024 23:02:14.969656944 CEST	49739	443	192.168.2.4	142.250.186.142
Oct 23, 2024 23:02:14.988775015 CEST	443	49742	34.117.188.166	192.168.2.4
Oct 23, 2024 23:02:14.988908052 CEST	49742	443	192.168.2.4	34.117.188.166
Oct 23, 2024 23:02:14.993196011 CEST	49742	443	192.168.2.4	34.117.188.166
Oct 23, 2024 23:02:14.993216038 CEST	443	49742	34.117.188.166	192.168.2.4
Oct 23, 2024 23:02:14.993314028 CEST	49742	443	192.168.2.4	34.117.188.166
Oct 23, 2024 23:02:14.993510008 CEST	443	49742	34.117.188.166	192.168.2.4
Oct 23, 2024 23:02:14.993721008 CEST	49745	443	192.168.2.4	34.117.188.166
Oct 23, 2024 23:02:14.993769884 CEST	49742	443	192.168.2.4	34.117.188.166
Oct 23, 2024 23:02:14.993805885 CEST	443	49745	34.117.188.166	192.168.2.4
Oct 23, 2024 23:02:14.993911982 CEST	49745	443	192.168.2.4	34.117.188.166
Oct 23, 2024 23:02:14.995445967 CEST	49745	443	192.168.2.4	34.117.188.166
Oct 23, 2024 23:02:14.995482922 CEST	443	49745	34.117.188.166	192.168.2.4
Oct 23, 2024 23:02:15.225548029 CEST	443	49743	34.117.188.166	192.168.2.4
Oct 23, 2024 23:02:15.230318069 CEST	49743	443	192.168.2.4	34.117.188.166
Oct 23, 2024 23:02:15.237883091 CEST	49743	443	192.168.2.4	34.117.188.166
Oct 23, 2024 23:02:15.237912893 CEST	443	49743	34.117.188.166	192.168.2.4
Oct 23, 2024 23:02:15.238014936 CEST	49743	443	192.168.2.4	34.117.188.166
Oct 23, 2024 23:02:15.238111019 CEST	443	49743	34.117.188.166	192.168.2.4
Oct 23, 2024 23:02:15.238416910 CEST	49746	443	192.168.2.4	34.117.188.166
Oct 23, 2024 23:02:15.238452911 CEST	443	49746	34.117.188.166	192.168.2.4
Oct 23, 2024 23:02:15.252295017 CEST	49743	443	192.168.2.4	34.117.188.166
Oct 23, 2024 23:02:15.252362967 CEST	49746	443	192.168.2.4	34.117.188.166
Oct 23, 2024 23:02:15.254862070 CEST	49746	443	192.168.2.4	34.117.188.166
Oct 23, 2024 23:02:15.254884005 CEST	443	49746	34.117.188.166	192.168.2.4
Oct 23, 2024 23:02:15.272936106 CEST	443	49744	35.244.181.201	192.168.2.4
Oct 23, 2024 23:02:15.287343979 CEST	443	49744	35.244.181.201	192.168.2.4
Oct 23, 2024 23:02:15.292831898 CEST	49744	443	192.168.2.4	35.244.181.201
Oct 23, 2024 23:02:15.336031914 CEST	49744	443	192.168.2.4	35.244.181.201
Oct 23, 2024 23:02:15.336086988 CEST	443	49744	35.244.181.201	192.168.2.4
Oct 23, 2024 23:02:15.336622953 CEST	443	49744	35.244.181.201	192.168.2.4
Oct 23, 2024 23:02:15.338402987 CEST	49744	443	192.168.2.4	35.244.181.201
Oct 23, 2024 23:02:15.338490009 CEST	49744	443	192.168.2.4	35.244.181.201
Oct 23, 2024 23:02:15.338670015 CEST	443	49744	35.244.181.201	192.168.2.4
Oct 23, 2024 23:02:15.347265005 CEST	49744	443	192.168.2.4	35.244.181.201
Oct 23, 2024 23:02:15.347265959 CEST	49744	443	192.168.2.4	35.244.181.201
Oct 23, 2024 23:02:15.597574949 CEST	49740	80	192.168.2.4	34.107.221.82
Oct 23, 2024 23:02:15.603885889 CEST	80	49740	34.107.221.82	192.168.2.4
Oct 23, 2024 23:02:15.610933065 CEST	443	49745	34.117.188.166	192.168.2.4
Oct 23, 2024 23:02:15.612824917 CEST	49740	80	192.168.2.4	34.107.221.82
Oct 23, 2024 23:02:15.619345903 CEST	443	49745	34.117.188.166	192.168.2.4
Oct 23, 2024 23:02:15.622189999 CEST	49745	443	192.168.2.4	34.117.188.166
Oct 23, 2024 23:02:15.626252890 CEST	49745	443	192.168.2.4	34.117.188.166
Oct 23, 2024 23:02:15.626252890 CEST	49745	443	192.168.2.4	34.117.188.166
Oct 23, 2024 23:02:15.626312971 CEST	443	49745	34.117.188.166	192.168.2.4
Oct 23, 2024 23:02:15.626635075 CEST	49745	443	192.168.2.4	34.117.188.166
Oct 23, 2024 23:02:15.626779079 CEST	443	49745	34.117.188.166	192.168.2.4
Oct 23, 2024 23:02:15.627863884 CEST	49745	443	192.168.2.4	34.117.188.166
Oct 23, 2024 23:02:15.635991096 CEST	49747	443	192.168.2.4	34.160.144.191
Oct 23, 2024 23:02:15.636050940 CEST	443	49747	34.160.144.191	192.168.2.4
Oct 23, 2024 23:02:15.636632919 CEST	49747	443	192.168.2.4	34.160.144.191
Oct 23, 2024 23:02:15.636779070 CEST	49747	443	192.168.2.4	34.160.144.191
Oct 23, 2024 23:02:15.636794090 CEST	443	49747	34.160.144.191	192.168.2.4
Oct 23, 2024 23:02:15.685147047 CEST	49748	80	192.168.2.4	34.107.221.82
Oct 23, 2024 23:02:15.685333967 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 23, 2024 23:02:15.690721989 CEST	80	49748	34.107.221.82	192.168.2.4
Oct 23, 2024 23:02:15.690926075 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 23, 2024 23:02:15.692859888 CEST	49748	80	192.168.2.4	34.107.221.82
Oct 23, 2024 23:02:15.692925930 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 23, 2024 23:02:15.693013906 CEST	49748	80	192.168.2.4	34.107.221.82
Oct 23, 2024 23:02:15.693115950 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 23, 2024 23:02:15.698669910 CEST	80	49748	34.107.221.82	192.168.2.4
Oct 23, 2024 23:02:15.698714018 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 23, 2024 23:02:15.878972054 CEST	443	49746	34.117.188.166	192.168.2.4
Oct 23, 2024 23:02:15.878989935 CEST	443	49746	34.117.188.166	192.168.2.4
Oct 23, 2024 23:02:15.881948948 CEST	49746	443	192.168.2.4	34.117.188.166
Oct 23, 2024 23:02:15.886409044 CEST	49746	443	192.168.2.4	34.117.188.166
Oct 23, 2024 23:02:15.886439085 CEST	443	49746	34.117.188.166	192.168.2.4
Oct 23, 2024 23:02:15.886499882 CEST	49746	443	192.168.2.4	34.117.188.166
Oct 23, 2024 23:02:15.886660099 CEST	443	49746	34.117.188.166	192.168.2.4
Oct 23, 2024 23:02:15.896028996 CEST	49746	443	192.168.2.4	34.117.188.166
Oct 23, 2024 23:02:16.042495966 CEST	49752	443	192.168.2.4	34.117.188.166
Oct 23, 2024 23:02:16.042526007 CEST	443	49752	34.117.188.166	192.168.2.4
Oct 23, 2024 23:02:16.044748068 CEST	49752	443	192.168.2.4	34.117.188.166
Oct 23, 2024 23:02:16.046432018 CEST	49752	443	192.168.2.4	34.117.188.166
Oct 23, 2024 23:02:16.046448946 CEST	443	49752	34.117.188.166	192.168.2.4
Oct 23, 2024 23:02:16.256901979 CEST	443	49747	34.160.144.191	192.168.2.4
Oct 23, 2024 23:02:16.256983995 CEST	49747	443	192.168.2.4	34.160.144.191
Oct 23, 2024 23:02:16.259959936 CEST	49747	443	192.168.2.4	34.160.144.191
Oct 23, 2024 23:02:16.260055065 CEST	443	49747	34.160.144.191	192.168.2.4
Oct 23, 2024 23:02:16.260473967 CEST	443	49747	34.160.144.191	192.168.2.4
Oct 23, 2024 23:02:16.262584925 CEST	49747	443	192.168.2.4	34.160.144.191
Oct 23, 2024 23:02:16.262660980 CEST	49747	443	192.168.2.4	34.160.144.191
Oct 23, 2024 23:02:16.262799025 CEST	443	49747	34.160.144.191	192.168.2.4
Oct 23, 2024 23:02:16.263089895 CEST	49747	443	192.168.2.4	34.160.144.191
Oct 23, 2024 23:02:16.291491032 CEST	80	49748	34.107.221.82	192.168.2.4
Oct 23, 2024 23:02:16.291538000 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 23, 2024 23:02:16.345613956 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 23, 2024 23:02:16.345621109 CEST	49748	80	192.168.2.4	34.107.221.82
Oct 23, 2024 23:02:16.598005056 CEST	49748	80	192.168.2.4	34.107.221.82
Oct 23, 2024 23:02:16.604136944 CEST	80	49748	34.107.221.82	192.168.2.4
Oct 23, 2024 23:02:16.657754898 CEST	443	49752	34.117.188.166	192.168.2.4
Oct 23, 2024 23:02:16.657969952 CEST	49752	443	192.168.2.4	34.117.188.166
Oct 23, 2024 23:02:16.663279057 CEST	49752	443	192.168.2.4	34.117.188.166
Oct 23, 2024 23:02:16.663280010 CEST	49752	443	192.168.2.4	34.117.188.166
Oct 23, 2024 23:02:16.663311005 CEST	443	49752	34.117.188.166	192.168.2.4
Oct 23, 2024 23:02:16.663543940 CEST	443	49752	34.117.188.166	192.168.2.4
Oct 23, 2024 23:02:16.663651943 CEST	49753	443	192.168.2.4	34.117.188.166
Oct 23, 2024 23:02:16.663692951 CEST	443	49753	34.117.188.166	192.168.2.4
Oct 23, 2024 23:02:16.670523882 CEST	49753	443	192.168.2.4	34.117.188.166
Oct 23, 2024 23:02:16.670536995 CEST	49752	443	192.168.2.4	34.117.188.166
Oct 23, 2024 23:02:16.671852112 CEST	49753	443	192.168.2.4	34.117.188.166
Oct 23, 2024 23:02:16.671879053 CEST	443	49753	34.117.188.166	192.168.2.4
Oct 23, 2024 23:02:16.723268032 CEST	80	49748	34.107.221.82	192.168.2.4
Oct 23, 2024 23:02:16.784523010 CEST	49748	80	192.168.2.4	34.107.221.82
Oct 23, 2024 23:02:16.953613043 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 23, 2024 23:02:16.959675074 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 23, 2024 23:02:17.089775085 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 23, 2024 23:02:17.132515907 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 23, 2024 23:02:17.291361094 CEST	443	49753	34.117.188.166	192.168.2.4
Oct 23, 2024 23:02:17.291378975 CEST	443	49753	34.117.188.166	192.168.2.4
Oct 23, 2024 23:02:17.291486025 CEST	49753	443	192.168.2.4	34.117.188.166
Oct 23, 2024 23:02:17.296493053 CEST	49753	443	192.168.2.4	34.117.188.166
Oct 23, 2024 23:02:17.296525955 CEST	443	49753	34.117.188.166	192.168.2.4
Oct 23, 2024 23:02:17.296577930 CEST	49753	443	192.168.2.4	34.117.188.166
Oct 23, 2024 23:02:17.296746016 CEST	443	49753	34.117.188.166	192.168.2.4
Oct 23, 2024 23:02:17.297101021 CEST	49753	443	192.168.2.4	34.117.188.166
Oct 23, 2024 23:02:17.301412106 CEST	49748	80	192.168.2.4	34.107.221.82
Oct 23, 2024 23:02:17.307374954 CEST	80	49748	34.107.221.82	192.168.2.4
Oct 23, 2024 23:02:17.375739098 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 23, 2024 23:02:17.381180048 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 23, 2024 23:02:17.428075075 CEST	80	49748	34.107.221.82	192.168.2.4
Oct 23, 2024 23:02:17.486572027 CEST	49748	80	192.168.2.4	34.107.221.82
Oct 23, 2024 23:02:17.500998974 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 23, 2024 23:02:17.549034119 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 23, 2024 23:02:20.672023058 CEST	49748	80	192.168.2.4	34.107.221.82
Oct 23, 2024 23:02:20.926911116 CEST	80	49748	34.107.221.82	192.168.2.4
Oct 23, 2024 23:02:20.927396059 CEST	80	49748	34.107.221.82	192.168.2.4
Oct 23, 2024 23:02:20.945451975 CEST	49754	443	192.168.2.4	34.120.208.123
Oct 23, 2024 23:02:20.945492983 CEST	443	49754	34.120.208.123	192.168.2.4
Oct 23, 2024 23:02:20.946260929 CEST	49754	443	192.168.2.4	34.120.208.123
Oct 23, 2024 23:02:20.947782040 CEST	49754	443	192.168.2.4	34.120.208.123
Oct 23, 2024 23:02:20.947802067 CEST	443	49754	34.120.208.123	192.168.2.4
Oct 23, 2024 23:02:20.974123955 CEST	49748	80	192.168.2.4	34.107.221.82
Oct 23, 2024 23:02:21.584841967 CEST	443	49754	34.120.208.123	192.168.2.4
Oct 23, 2024 23:02:21.585522890 CEST	49754	443	192.168.2.4	34.120.208.123
Oct 23, 2024 23:02:21.589328051 CEST	49754	443	192.168.2.4	34.120.208.123
Oct 23, 2024 23:02:21.589328051 CEST	49754	443	192.168.2.4	34.120.208.123
Oct 23, 2024 23:02:21.589342117 CEST	443	49754	34.120.208.123	192.168.2.4
Oct 23, 2024 23:02:21.589561939 CEST	443	49754	34.120.208.123	192.168.2.4
Oct 23, 2024 23:02:21.589620113 CEST	49754	443	192.168.2.4	34.120.208.123
Oct 23, 2024 23:02:24.975548029 CEST	62518	443	192.168.2.4	34.149.100.209
Oct 23, 2024 23:02:24.975575924 CEST	443	62518	34.149.100.209	192.168.2.4
Oct 23, 2024 23:02:24.976131916 CEST	62519	443	192.168.2.4	35.244.181.201
Oct 23, 2024 23:02:24.976166010 CEST	443	62519	35.244.181.201	192.168.2.4
Oct 23, 2024 23:02:24.979459047 CEST	62518	443	192.168.2.4	34.149.100.209
Oct 23, 2024 23:02:24.980922937 CEST	62518	443	192.168.2.4	34.149.100.209
Oct 23, 2024 23:02:24.980941057 CEST	443	62518	34.149.100.209	192.168.2.4
Oct 23, 2024 23:02:24.981868029 CEST	62519	443	192.168.2.4	35.244.181.201
Oct 23, 2024 23:02:24.982244968 CEST	62519	443	192.168.2.4	35.244.181.201
Oct 23, 2024 23:02:24.982256889 CEST	443	62519	35.244.181.201	192.168.2.4
Oct 23, 2024 23:02:25.018234968 CEST	62520	443	192.168.2.4	34.107.243.93
Oct 23, 2024 23:02:25.018246889 CEST	443	62520	34.107.243.93	192.168.2.4
Oct 23, 2024 23:02:25.020323992 CEST	62520	443	192.168.2.4	34.107.243.93
Oct 23, 2024 23:02:25.021727085 CEST	62520	443	192.168.2.4	34.107.243.93
Oct 23, 2024 23:02:25.021740913 CEST	443	62520	34.107.243.93	192.168.2.4
Oct 23, 2024 23:02:25.031337023 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 23, 2024 23:02:25.036695004 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 23, 2024 23:02:25.158015013 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 23, 2024 23:02:25.169856071 CEST	62521	443	192.168.2.4	34.120.208.123
Oct 23, 2024 23:02:25.169883966 CEST	443	62521	34.120.208.123	192.168.2.4
Oct 23, 2024 23:02:25.169962883 CEST	62521	443	192.168.2.4	34.120.208.123
Oct 23, 2024 23:02:25.171446085 CEST	62521	443	192.168.2.4	34.120.208.123
Oct 23, 2024 23:02:25.171463966 CEST	443	62521	34.120.208.123	192.168.2.4
Oct 23, 2024 23:02:25.207887888 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 23, 2024 23:02:25.368424892 CEST	49748	80	192.168.2.4	34.107.221.82
Oct 23, 2024 23:02:25.374464989 CEST	80	49748	34.107.221.82	192.168.2.4
Oct 23, 2024 23:02:25.493756056 CEST	80	49748	34.107.221.82	192.168.2.4
Oct 23, 2024 23:02:25.540020943 CEST	49748	80	192.168.2.4	34.107.221.82
Oct 23, 2024 23:02:25.608104944 CEST	443	62519	35.244.181.201	192.168.2.4
Oct 23, 2024 23:02:25.608196974 CEST	62519	443	192.168.2.4	35.244.181.201
Oct 23, 2024 23:02:25.613949060 CEST	443	62518	34.149.100.209	192.168.2.4
Oct 23, 2024 23:02:25.614038944 CEST	62518	443	192.168.2.4	34.149.100.209
Oct 23, 2024 23:02:25.663405895 CEST	443	62520	34.107.243.93	192.168.2.4
Oct 23, 2024 23:02:25.663505077 CEST	62520	443	192.168.2.4	34.107.243.93
Oct 23, 2024 23:02:25.780004978 CEST	443	62521	34.120.208.123	192.168.2.4
Oct 23, 2024 23:02:25.780424118 CEST	62521	443	192.168.2.4	34.120.208.123
Oct 23, 2024 23:02:26.475815058 CEST	62519	443	192.168.2.4	35.244.181.201
Oct 23, 2024 23:02:26.475841045 CEST	443	62519	35.244.181.201	192.168.2.4
Oct 23, 2024 23:02:26.476814985 CEST	443	62519	35.244.181.201	192.168.2.4
Oct 23, 2024 23:02:26.488549948 CEST	62519	443	192.168.2.4	35.244.181.201
Oct 23, 2024 23:02:26.488626957 CEST	62519	443	192.168.2.4	35.244.181.201
Oct 23, 2024 23:02:26.488822937 CEST	443	62519	35.244.181.201	192.168.2.4
Oct 23, 2024 23:02:26.491029978 CEST	62518	443	192.168.2.4	34.149.100.209
Oct 23, 2024 23:02:26.491059065 CEST	443	62518	34.149.100.209	192.168.2.4
Oct 23, 2024 23:02:26.491139889 CEST	62518	443	192.168.2.4	34.149.100.209
Oct 23, 2024 23:02:26.491391897 CEST	443	62518	34.149.100.209	192.168.2.4
Oct 23, 2024 23:02:26.491620064 CEST	62523	443	192.168.2.4	34.149.100.209
Oct 23, 2024 23:02:26.491661072 CEST	443	62523	34.149.100.209	192.168.2.4
Oct 23, 2024 23:02:26.496146917 CEST	62519	443	192.168.2.4	35.244.181.201
Oct 23, 2024 23:02:26.496180058 CEST	62519	443	192.168.2.4	35.244.181.201
Oct 23, 2024 23:02:26.496206999 CEST	62518	443	192.168.2.4	34.149.100.209
Oct 23, 2024 23:02:26.496256113 CEST	62523	443	192.168.2.4	34.149.100.209
Oct 23, 2024 23:02:26.500750065 CEST	62523	443	192.168.2.4	34.149.100.209
Oct 23, 2024 23:02:26.500765085 CEST	443	62523	34.149.100.209	192.168.2.4
Oct 23, 2024 23:02:26.503082037 CEST	62520	443	192.168.2.4	34.107.243.93
Oct 23, 2024 23:02:26.503094912 CEST	443	62520	34.107.243.93	192.168.2.4
Oct 23, 2024 23:02:26.503159046 CEST	62520	443	192.168.2.4	34.107.243.93
Oct 23, 2024 23:02:26.503298044 CEST	62521	443	192.168.2.4	34.120.208.123
Oct 23, 2024 23:02:26.503309965 CEST	443	62521	34.120.208.123	192.168.2.4
Oct 23, 2024 23:02:26.503386021 CEST	62521	443	192.168.2.4	34.120.208.123
Oct 23, 2024 23:02:26.503535032 CEST	443	62521	34.120.208.123	192.168.2.4
Oct 23, 2024 23:02:26.503664017 CEST	443	62520	34.107.243.93	192.168.2.4
Oct 23, 2024 23:02:26.507091999 CEST	62521	443	192.168.2.4	34.120.208.123
Oct 23, 2024 23:02:26.507106066 CEST	62520	443	192.168.2.4	34.107.243.93
Oct 23, 2024 23:02:27.120723009 CEST	443	62523	34.149.100.209	192.168.2.4
Oct 23, 2024 23:02:27.120816946 CEST	62523	443	192.168.2.4	34.149.100.209
Oct 23, 2024 23:02:27.125477076 CEST	62523	443	192.168.2.4	34.149.100.209
Oct 23, 2024 23:02:27.125477076 CEST	62523	443	192.168.2.4	34.149.100.209
Oct 23, 2024 23:02:27.125488997 CEST	443	62523	34.149.100.209	192.168.2.4
Oct 23, 2024 23:02:27.125699997 CEST	443	62523	34.149.100.209	192.168.2.4
Oct 23, 2024 23:02:27.125772953 CEST	62523	443	192.168.2.4	34.149.100.209
Oct 23, 2024 23:02:27.200120926 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 23, 2024 23:02:27.201931953 CEST	62524	443	192.168.2.4	34.120.208.123
Oct 23, 2024 23:02:27.201975107 CEST	443	62524	34.120.208.123	192.168.2.4
Oct 23, 2024 23:02:27.202904940 CEST	62524	443	192.168.2.4	34.120.208.123
Oct 23, 2024 23:02:27.204214096 CEST	62524	443	192.168.2.4	34.120.208.123
Oct 23, 2024 23:02:27.204224110 CEST	443	62524	34.120.208.123	192.168.2.4
Oct 23, 2024 23:02:27.205601931 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 23, 2024 23:02:27.325651884 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 23, 2024 23:02:27.348001957 CEST	49748	80	192.168.2.4	34.107.221.82
Oct 23, 2024 23:02:27.353477001 CEST	80	49748	34.107.221.82	192.168.2.4
Oct 23, 2024 23:02:27.355830908 CEST	62525	443	192.168.2.4	34.120.208.123
Oct 23, 2024 23:02:27.355900049 CEST	443	62525	34.120.208.123	192.168.2.4
Oct 23, 2024 23:02:27.356832981 CEST	62525	443	192.168.2.4	34.120.208.123
Oct 23, 2024 23:02:27.357003927 CEST	62525	443	192.168.2.4	34.120.208.123
Oct 23, 2024 23:02:27.357039928 CEST	443	62525	34.120.208.123	192.168.2.4
Oct 23, 2024 23:02:27.376660109 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 23, 2024 23:02:27.443183899 CEST	62526	443	192.168.2.4	34.120.208.123
Oct 23, 2024 23:02:27.443233967 CEST	443	62526	34.120.208.123	192.168.2.4
Oct 23, 2024 23:02:27.444298029 CEST	62526	443	192.168.2.4	34.120.208.123
Oct 23, 2024 23:02:27.444504023 CEST	62526	443	192.168.2.4	34.120.208.123
Oct 23, 2024 23:02:27.444515944 CEST	443	62526	34.120.208.123	192.168.2.4
Oct 23, 2024 23:02:27.473356962 CEST	80	49748	34.107.221.82	192.168.2.4
Oct 23, 2024 23:02:27.530284882 CEST	49748	80	192.168.2.4	34.107.221.82
Oct 23, 2024 23:02:27.820094109 CEST	443	62524	34.120.208.123	192.168.2.4
Oct 23, 2024 23:02:27.821345091 CEST	62524	443	192.168.2.4	34.120.208.123
Oct 23, 2024 23:02:27.827358961 CEST	62524	443	192.168.2.4	34.120.208.123
Oct 23, 2024 23:02:27.827358961 CEST	62524	443	192.168.2.4	34.120.208.123
Oct 23, 2024 23:02:27.827377081 CEST	443	62524	34.120.208.123	192.168.2.4
Oct 23, 2024 23:02:27.827598095 CEST	443	62524	34.120.208.123	192.168.2.4
Oct 23, 2024 23:02:27.831357002 CEST	62524	443	192.168.2.4	34.120.208.123
Oct 23, 2024 23:02:27.972785950 CEST	443	62525	34.120.208.123	192.168.2.4
Oct 23, 2024 23:02:27.974709034 CEST	62525	443	192.168.2.4	34.120.208.123
Oct 23, 2024 23:02:27.984492064 CEST	62525	443	192.168.2.4	34.120.208.123
Oct 23, 2024 23:02:27.984517097 CEST	443	62525	34.120.208.123	192.168.2.4
Oct 23, 2024 23:02:27.985169888 CEST	443	62525	34.120.208.123	192.168.2.4
Oct 23, 2024 23:02:28.007813931 CEST	62525	443	192.168.2.4	34.120.208.123
Oct 23, 2024 23:02:28.007910967 CEST	62525	443	192.168.2.4	34.120.208.123
Oct 23, 2024 23:02:28.008363008 CEST	443	62525	34.120.208.123	192.168.2.4
Oct 23, 2024 23:02:28.008430004 CEST	62525	443	192.168.2.4	34.120.208.123
Oct 23, 2024 23:02:28.063121080 CEST	443	62526	34.120.208.123	192.168.2.4
Oct 23, 2024 23:02:28.063333988 CEST	62526	443	192.168.2.4	34.120.208.123
Oct 23, 2024 23:02:28.069236040 CEST	62526	443	192.168.2.4	34.120.208.123
Oct 23, 2024 23:02:28.069247961 CEST	443	62526	34.120.208.123	192.168.2.4
Oct 23, 2024 23:02:28.069470882 CEST	443	62526	34.120.208.123	192.168.2.4
Oct 23, 2024 23:02:28.071732044 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 23, 2024 23:02:28.073822021 CEST	62526	443	192.168.2.4	34.120.208.123
Oct 23, 2024 23:02:28.073956966 CEST	443	62526	34.120.208.123	192.168.2.4
Oct 23, 2024 23:02:28.074275970 CEST	62526	443	192.168.2.4	34.120.208.123
Oct 23, 2024 23:02:28.074284077 CEST	443	62526	34.120.208.123	192.168.2.4
Oct 23, 2024 23:02:28.077188969 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 23, 2024 23:02:28.079042912 CEST	62526	443	192.168.2.4	34.120.208.123
Oct 23, 2024 23:02:28.079042912 CEST	62526	443	192.168.2.4	34.120.208.123
Oct 23, 2024 23:02:28.079042912 CEST	62526	443	192.168.2.4	34.120.208.123
Oct 23, 2024 23:02:28.212328911 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 23, 2024 23:02:28.263010979 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 23, 2024 23:02:28.299314022 CEST	49748	80	192.168.2.4	34.107.221.82
Oct 23, 2024 23:02:28.304692984 CEST	80	49748	34.107.221.82	192.168.2.4
Oct 23, 2024 23:02:28.424192905 CEST	80	49748	34.107.221.82	192.168.2.4
Oct 23, 2024 23:02:28.479216099 CEST	49748	80	192.168.2.4	34.107.221.82
Oct 23, 2024 23:02:32.191008091 CEST	62527	443	192.168.2.4	34.107.243.93
Oct 23, 2024 23:02:32.191061020 CEST	443	62527	34.107.243.93	192.168.2.4
Oct 23, 2024 23:02:32.193615913 CEST	62527	443	192.168.2.4	34.107.243.93
Oct 23, 2024 23:02:32.195126057 CEST	62527	443	192.168.2.4	34.107.243.93
Oct 23, 2024 23:02:32.195142031 CEST	443	62527	34.107.243.93	192.168.2.4
Oct 23, 2024 23:02:32.818780899 CEST	443	62527	34.107.243.93	192.168.2.4
Oct 23, 2024 23:02:32.818922043 CEST	62527	443	192.168.2.4	34.107.243.93
Oct 23, 2024 23:02:32.824196100 CEST	62527	443	192.168.2.4	34.107.243.93
Oct 23, 2024 23:02:32.824206114 CEST	443	62527	34.107.243.93	192.168.2.4
Oct 23, 2024 23:02:32.824345112 CEST	62527	443	192.168.2.4	34.107.243.93
Oct 23, 2024 23:02:32.824404955 CEST	443	62527	34.107.243.93	192.168.2.4
Oct 23, 2024 23:02:32.824563980 CEST	62527	443	192.168.2.4	34.107.243.93
Oct 23, 2024 23:02:32.828434944 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 23, 2024 23:02:32.833782911 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 23, 2024 23:02:32.954813004 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 23, 2024 23:02:32.958568096 CEST	49748	80	192.168.2.4	34.107.221.82
Oct 23, 2024 23:02:32.964554071 CEST	80	49748	34.107.221.82	192.168.2.4
Oct 23, 2024 23:02:33.014250040 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 23, 2024 23:02:33.102868080 CEST	80	49748	34.107.221.82	192.168.2.4
Oct 23, 2024 23:02:33.145797968 CEST	49748	80	192.168.2.4	34.107.221.82
Oct 23, 2024 23:02:39.389682055 CEST	62528	443	192.168.2.4	35.244.181.201
Oct 23, 2024 23:02:39.389704943 CEST	443	62528	35.244.181.201	192.168.2.4
Oct 23, 2024 23:02:39.390089989 CEST	62528	443	192.168.2.4	35.244.181.201
Oct 23, 2024 23:02:39.390319109 CEST	62528	443	192.168.2.4	35.244.181.201
Oct 23, 2024 23:02:39.390333891 CEST	443	62528	35.244.181.201	192.168.2.4
Oct 23, 2024 23:02:39.404520035 CEST	62529	443	192.168.2.4	34.149.100.209
Oct 23, 2024 23:02:39.404552937 CEST	443	62529	34.149.100.209	192.168.2.4
Oct 23, 2024 23:02:39.405975103 CEST	62529	443	192.168.2.4	34.149.100.209
Oct 23, 2024 23:02:39.406107903 CEST	62529	443	192.168.2.4	34.149.100.209
Oct 23, 2024 23:02:39.406125069 CEST	443	62529	34.149.100.209	192.168.2.4
Oct 23, 2024 23:02:39.410115004 CEST	62530	443	192.168.2.4	151.101.129.91
Oct 23, 2024 23:02:39.410150051 CEST	443	62530	151.101.129.91	192.168.2.4
Oct 23, 2024 23:02:39.410240889 CEST	62531	443	192.168.2.4	35.190.72.216
Oct 23, 2024 23:02:39.410250902 CEST	443	62531	35.190.72.216	192.168.2.4
Oct 23, 2024 23:02:39.417519093 CEST	62530	443	192.168.2.4	151.101.129.91
Oct 23, 2024 23:02:39.417604923 CEST	62531	443	192.168.2.4	35.190.72.216
Oct 23, 2024 23:02:39.417659044 CEST	62530	443	192.168.2.4	151.101.129.91
Oct 23, 2024 23:02:39.417678118 CEST	443	62530	151.101.129.91	192.168.2.4
Oct 23, 2024 23:02:39.419018030 CEST	62531	443	192.168.2.4	35.190.72.216
Oct 23, 2024 23:02:39.419028997 CEST	443	62531	35.190.72.216	192.168.2.4
Oct 23, 2024 23:02:39.429429054 CEST	62532	443	192.168.2.4	35.201.103.21
Oct 23, 2024 23:02:39.429452896 CEST	443	62532	35.201.103.21	192.168.2.4
Oct 23, 2024 23:02:39.432213068 CEST	62532	443	192.168.2.4	35.201.103.21
Oct 23, 2024 23:02:39.433587074 CEST	62532	443	192.168.2.4	35.201.103.21
Oct 23, 2024 23:02:39.433602095 CEST	443	62532	35.201.103.21	192.168.2.4
Oct 23, 2024 23:02:39.999571085 CEST	443	62528	35.244.181.201	192.168.2.4
Oct 23, 2024 23:02:39.999645948 CEST	62528	443	192.168.2.4	35.244.181.201
Oct 23, 2024 23:02:40.002933979 CEST	62528	443	192.168.2.4	35.244.181.201
Oct 23, 2024 23:02:40.002938986 CEST	443	62528	35.244.181.201	192.168.2.4
Oct 23, 2024 23:02:40.003259897 CEST	443	62528	35.244.181.201	192.168.2.4
Oct 23, 2024 23:02:40.005716085 CEST	62528	443	192.168.2.4	35.244.181.201
Oct 23, 2024 23:02:40.005810022 CEST	62528	443	192.168.2.4	35.244.181.201
Oct 23, 2024 23:02:40.005888939 CEST	443	62528	35.244.181.201	192.168.2.4
Oct 23, 2024 23:02:40.005981922 CEST	62528	443	192.168.2.4	35.244.181.201
Oct 23, 2024 23:02:40.009710073 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 23, 2024 23:02:40.015151024 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 23, 2024 23:02:40.020664930 CEST	443	62529	34.149.100.209	192.168.2.4
Oct 23, 2024 23:02:40.020742893 CEST	62529	443	192.168.2.4	34.149.100.209
Oct 23, 2024 23:02:40.023536921 CEST	62529	443	192.168.2.4	34.149.100.209
Oct 23, 2024 23:02:40.023545027 CEST	443	62529	34.149.100.209	192.168.2.4
Oct 23, 2024 23:02:40.023816109 CEST	443	62531	35.190.72.216	192.168.2.4
Oct 23, 2024 23:02:40.023827076 CEST	443	62529	34.149.100.209	192.168.2.4
Oct 23, 2024 23:02:40.023828983 CEST	443	62531	35.190.72.216	192.168.2.4
Oct 23, 2024 23:02:40.024072886 CEST	62531	443	192.168.2.4	35.190.72.216
Oct 23, 2024 23:02:40.028321028 CEST	62529	443	192.168.2.4	34.149.100.209
Oct 23, 2024 23:02:40.028404951 CEST	62529	443	192.168.2.4	34.149.100.209
Oct 23, 2024 23:02:40.028606892 CEST	443	62529	34.149.100.209	192.168.2.4
Oct 23, 2024 23:02:40.029319048 CEST	62531	443	192.168.2.4	35.190.72.216
Oct 23, 2024 23:02:40.029330015 CEST	443	62531	35.190.72.216	192.168.2.4
Oct 23, 2024 23:02:40.029386997 CEST	62531	443	192.168.2.4	35.190.72.216
Oct 23, 2024 23:02:40.029508114 CEST	443	62531	35.190.72.216	192.168.2.4
Oct 23, 2024 23:02:40.029567957 CEST	62529	443	192.168.2.4	34.149.100.209
Oct 23, 2024 23:02:40.029572964 CEST	62531	443	192.168.2.4	35.190.72.216
Oct 23, 2024 23:02:40.037062883 CEST	443	62530	151.101.129.91	192.168.2.4
Oct 23, 2024 23:02:40.037084103 CEST	443	62530	151.101.129.91	192.168.2.4
Oct 23, 2024 23:02:40.037144899 CEST	62530	443	192.168.2.4	151.101.129.91
Oct 23, 2024 23:02:40.040209055 CEST	62530	443	192.168.2.4	151.101.129.91
Oct 23, 2024 23:02:40.040225983 CEST	443	62530	151.101.129.91	192.168.2.4
Oct 23, 2024 23:02:40.040637016 CEST	443	62530	151.101.129.91	192.168.2.4
Oct 23, 2024 23:02:40.042363882 CEST	62530	443	192.168.2.4	151.101.129.91
Oct 23, 2024 23:02:40.042435884 CEST	62530	443	192.168.2.4	151.101.129.91
Oct 23, 2024 23:02:40.042550087 CEST	443	62530	151.101.129.91	192.168.2.4
Oct 23, 2024 23:02:40.050199032 CEST	62530	443	192.168.2.4	151.101.129.91
Oct 23, 2024 23:02:40.050199032 CEST	62530	443	192.168.2.4	151.101.129.91
Oct 23, 2024 23:02:40.052496910 CEST	62533	443	192.168.2.4	35.244.181.201
Oct 23, 2024 23:02:40.052532911 CEST	443	62533	35.244.181.201	192.168.2.4
Oct 23, 2024 23:02:40.054954052 CEST	62534	443	192.168.2.4	35.244.181.201
Oct 23, 2024 23:02:40.054999113 CEST	443	62534	35.244.181.201	192.168.2.4
Oct 23, 2024 23:02:40.055706978 CEST	443	62532	35.201.103.21	192.168.2.4
Oct 23, 2024 23:02:40.056021929 CEST	62533	443	192.168.2.4	35.244.181.201
Oct 23, 2024 23:02:40.056036949 CEST	62534	443	192.168.2.4	35.244.181.201
Oct 23, 2024 23:02:40.056040049 CEST	62532	443	192.168.2.4	35.201.103.21
Oct 23, 2024 23:02:40.057971001 CEST	62533	443	192.168.2.4	35.244.181.201
Oct 23, 2024 23:02:40.057985067 CEST	443	62533	35.244.181.201	192.168.2.4
Oct 23, 2024 23:02:40.058069944 CEST	62534	443	192.168.2.4	35.244.181.201
Oct 23, 2024 23:02:40.058101892 CEST	443	62534	35.244.181.201	192.168.2.4
Oct 23, 2024 23:02:40.065180063 CEST	62535	443	192.168.2.4	35.244.181.201
Oct 23, 2024 23:02:40.065193892 CEST	443	62535	35.244.181.201	192.168.2.4
Oct 23, 2024 23:02:40.065258980 CEST	62532	443	192.168.2.4	35.201.103.21
Oct 23, 2024 23:02:40.065263987 CEST	443	62532	35.201.103.21	192.168.2.4
Oct 23, 2024 23:02:40.065340042 CEST	62532	443	192.168.2.4	35.201.103.21
Oct 23, 2024 23:02:40.065437078 CEST	443	62532	35.201.103.21	192.168.2.4
Oct 23, 2024 23:02:40.066334963 CEST	62532	443	192.168.2.4	35.201.103.21
Oct 23, 2024 23:02:40.066431999 CEST	62535	443	192.168.2.4	35.244.181.201
Oct 23, 2024 23:02:40.066431999 CEST	62535	443	192.168.2.4	35.244.181.201
Oct 23, 2024 23:02:40.066457033 CEST	443	62535	35.244.181.201	192.168.2.4
Oct 23, 2024 23:02:40.076999903 CEST	62536	443	192.168.2.4	34.149.100.209
Oct 23, 2024 23:02:40.077061892 CEST	443	62536	34.149.100.209	192.168.2.4
Oct 23, 2024 23:02:40.077910900 CEST	62536	443	192.168.2.4	34.149.100.209
Oct 23, 2024 23:02:40.077996016 CEST	62536	443	192.168.2.4	34.149.100.209
Oct 23, 2024 23:02:40.078016043 CEST	443	62536	34.149.100.209	192.168.2.4
Oct 23, 2024 23:02:40.297605991 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 23, 2024 23:02:40.300434113 CEST	49748	80	192.168.2.4	34.107.221.82
Oct 23, 2024 23:02:40.306024075 CEST	80	49748	34.107.221.82	192.168.2.4
Oct 23, 2024 23:02:40.341288090 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 23, 2024 23:02:40.425765991 CEST	80	49748	34.107.221.82	192.168.2.4
Oct 23, 2024 23:02:40.474749088 CEST	49748	80	192.168.2.4	34.107.221.82
Oct 23, 2024 23:02:40.893240929 CEST	443	62533	35.244.181.201	192.168.2.4
Oct 23, 2024 23:02:40.893345118 CEST	62533	443	192.168.2.4	35.244.181.201
Oct 23, 2024 23:02:40.895967960 CEST	62533	443	192.168.2.4	35.244.181.201
Oct 23, 2024 23:02:40.895976067 CEST	443	62533	35.244.181.201	192.168.2.4
Oct 23, 2024 23:02:40.896177053 CEST	443	62533	35.244.181.201	192.168.2.4
Oct 23, 2024 23:02:40.898767948 CEST	62533	443	192.168.2.4	35.244.181.201
Oct 23, 2024 23:02:40.898864031 CEST	62533	443	192.168.2.4	35.244.181.201
Oct 23, 2024 23:02:40.898885965 CEST	443	62533	35.244.181.201	192.168.2.4
Oct 23, 2024 23:02:40.900510073 CEST	443	62535	35.244.181.201	192.168.2.4
Oct 23, 2024 23:02:40.900697947 CEST	62533	443	192.168.2.4	35.244.181.201
Oct 23, 2024 23:02:40.900716066 CEST	62535	443	192.168.2.4	35.244.181.201
Oct 23, 2024 23:02:40.902225971 CEST	443	62534	35.244.181.201	192.168.2.4
Oct 23, 2024 23:02:40.904490948 CEST	62535	443	192.168.2.4	35.244.181.201
Oct 23, 2024 23:02:40.904495955 CEST	443	62535	35.244.181.201	192.168.2.4
Oct 23, 2024 23:02:40.904788971 CEST	443	62535	35.244.181.201	192.168.2.4
Oct 23, 2024 23:02:40.904853106 CEST	62534	443	192.168.2.4	35.244.181.201
Oct 23, 2024 23:02:40.908267021 CEST	62534	443	192.168.2.4	35.244.181.201
Oct 23, 2024 23:02:40.908298969 CEST	443	62534	35.244.181.201	192.168.2.4
Oct 23, 2024 23:02:40.908559084 CEST	443	62534	35.244.181.201	192.168.2.4
Oct 23, 2024 23:02:40.909280062 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 23, 2024 23:02:40.912187099 CEST	62535	443	192.168.2.4	35.244.181.201
Oct 23, 2024 23:02:40.912326097 CEST	62535	443	192.168.2.4	35.244.181.201
Oct 23, 2024 23:02:40.912328959 CEST	443	62535	35.244.181.201	192.168.2.4
Oct 23, 2024 23:02:40.912339926 CEST	443	62535	35.244.181.201	192.168.2.4
Oct 23, 2024 23:02:40.912996054 CEST	62535	443	192.168.2.4	35.244.181.201
Oct 23, 2024 23:02:40.913398027 CEST	62534	443	192.168.2.4	35.244.181.201
Oct 23, 2024 23:02:40.913495064 CEST	62534	443	192.168.2.4	35.244.181.201
Oct 23, 2024 23:02:40.913582087 CEST	443	62534	35.244.181.201	192.168.2.4
Oct 23, 2024 23:02:40.913695097 CEST	62534	443	192.168.2.4	35.244.181.201
Oct 23, 2024 23:02:40.914638042 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 23, 2024 23:02:40.920103073 CEST	443	62536	34.149.100.209	192.168.2.4
Oct 23, 2024 23:02:40.920201063 CEST	62536	443	192.168.2.4	34.149.100.209
Oct 23, 2024 23:02:40.924304008 CEST	62536	443	192.168.2.4	34.149.100.209
Oct 23, 2024 23:02:40.924329042 CEST	443	62536	34.149.100.209	192.168.2.4
Oct 23, 2024 23:02:40.924571991 CEST	443	62536	34.149.100.209	192.168.2.4
Oct 23, 2024 23:02:40.927772999 CEST	62536	443	192.168.2.4	34.149.100.209
Oct 23, 2024 23:02:40.927830935 CEST	62536	443	192.168.2.4	34.149.100.209
Oct 23, 2024 23:02:40.927906036 CEST	443	62536	34.149.100.209	192.168.2.4
Oct 23, 2024 23:02:40.928977966 CEST	62536	443	192.168.2.4	34.149.100.209
Oct 23, 2024 23:02:41.034483910 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 23, 2024 23:02:41.037591934 CEST	49748	80	192.168.2.4	34.107.221.82
Oct 23, 2024 23:02:41.043040991 CEST	80	49748	34.107.221.82	192.168.2.4
Oct 23, 2024 23:02:41.074696064 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 23, 2024 23:02:41.162853956 CEST	80	49748	34.107.221.82	192.168.2.4
Oct 23, 2024 23:02:41.228439093 CEST	49748	80	192.168.2.4	34.107.221.82
Oct 23, 2024 23:02:42.917211056 CEST	62538	443	192.168.2.4	34.107.243.93
Oct 23, 2024 23:02:42.917254925 CEST	443	62538	34.107.243.93	192.168.2.4
Oct 23, 2024 23:02:42.917874098 CEST	62538	443	192.168.2.4	34.107.243.93
Oct 23, 2024 23:02:42.919157982 CEST	62538	443	192.168.2.4	34.107.243.93
Oct 23, 2024 23:02:42.919169903 CEST	443	62538	34.107.243.93	192.168.2.4
Oct 23, 2024 23:02:43.535656929 CEST	443	62538	34.107.243.93	192.168.2.4
Oct 23, 2024 23:02:43.538079977 CEST	62538	443	192.168.2.4	34.107.243.93
Oct 23, 2024 23:02:43.542047977 CEST	62538	443	192.168.2.4	34.107.243.93
Oct 23, 2024 23:02:43.542053938 CEST	443	62538	34.107.243.93	192.168.2.4
Oct 23, 2024 23:02:43.542145967 CEST	62538	443	192.168.2.4	34.107.243.93
Oct 23, 2024 23:02:43.542211056 CEST	443	62538	34.107.243.93	192.168.2.4
Oct 23, 2024 23:02:43.542753935 CEST	62538	443	192.168.2.4	34.107.243.93
Oct 23, 2024 23:02:43.545042038 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 23, 2024 23:02:43.550848007 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 23, 2024 23:02:43.670238018 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 23, 2024 23:02:43.673686981 CEST	49748	80	192.168.2.4	34.107.221.82
Oct 23, 2024 23:02:43.679395914 CEST	80	49748	34.107.221.82	192.168.2.4
Oct 23, 2024 23:02:43.713568926 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 23, 2024 23:02:43.800925016 CEST	80	49748	34.107.221.82	192.168.2.4
Oct 23, 2024 23:02:43.851623058 CEST	49748	80	192.168.2.4	34.107.221.82
Oct 23, 2024 23:02:53.243144035 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 23, 2024 23:02:53.248816967 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 23, 2024 23:02:53.369153023 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 23, 2024 23:02:53.373112917 CEST	49748	80	192.168.2.4	34.107.221.82
Oct 23, 2024 23:02:53.379354954 CEST	80	49748	34.107.221.82	192.168.2.4
Oct 23, 2024 23:02:53.425293922 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 23, 2024 23:02:53.498632908 CEST	80	49748	34.107.221.82	192.168.2.4
Oct 23, 2024 23:02:53.541069984 CEST	49748	80	192.168.2.4	34.107.221.82
Oct 23, 2024 23:03:03.384684086 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 23, 2024 23:03:03.390543938 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 23, 2024 23:03:03.500507116 CEST	49748	80	192.168.2.4	34.107.221.82
Oct 23, 2024 23:03:03.505939960 CEST	80	49748	34.107.221.82	192.168.2.4
Oct 23, 2024 23:03:03.566632032 CEST	62566	443	192.168.2.4	34.107.243.93
Oct 23, 2024 23:03:03.566653967 CEST	443	62566	34.107.243.93	192.168.2.4
Oct 23, 2024 23:03:03.566879034 CEST	62566	443	192.168.2.4	34.107.243.93
Oct 23, 2024 23:03:03.568125963 CEST	62566	443	192.168.2.4	34.107.243.93
Oct 23, 2024 23:03:03.568144083 CEST	443	62566	34.107.243.93	192.168.2.4
Oct 23, 2024 23:03:04.177915096 CEST	443	62566	34.107.243.93	192.168.2.4
Oct 23, 2024 23:03:04.181068897 CEST	62566	443	192.168.2.4	34.107.243.93
Oct 23, 2024 23:03:04.184652090 CEST	62566	443	192.168.2.4	34.107.243.93
Oct 23, 2024 23:03:04.184668064 CEST	443	62566	34.107.243.93	192.168.2.4
Oct 23, 2024 23:03:04.184740067 CEST	62566	443	192.168.2.4	34.107.243.93
Oct 23, 2024 23:03:04.184786081 CEST	443	62566	34.107.243.93	192.168.2.4
Oct 23, 2024 23:03:04.187195063 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 23, 2024 23:03:04.187798023 CEST	62566	443	192.168.2.4	34.107.243.93
Oct 23, 2024 23:03:04.192543983 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 23, 2024 23:03:04.495847940 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 23, 2024 23:03:04.499157906 CEST	49748	80	192.168.2.4	34.107.221.82
Oct 23, 2024 23:03:04.504834890 CEST	80	49748	34.107.221.82	192.168.2.4
Oct 23, 2024 23:03:04.541136026 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 23, 2024 23:03:04.624974012 CEST	80	49748	34.107.221.82	192.168.2.4
Oct 23, 2024 23:03:04.672662973 CEST	49748	80	192.168.2.4	34.107.221.82
Oct 23, 2024 23:03:09.920738935 CEST	62597	443	192.168.2.4	34.120.208.123
Oct 23, 2024 23:03:09.920821905 CEST	443	62597	34.120.208.123	192.168.2.4
Oct 23, 2024 23:03:09.920893908 CEST	62598	443	192.168.2.4	34.120.208.123
Oct 23, 2024 23:03:09.920912027 CEST	443	62598	34.120.208.123	192.168.2.4
Oct 23, 2024 23:03:09.921432018 CEST	62597	443	192.168.2.4	34.120.208.123
Oct 23, 2024 23:03:09.921612024 CEST	62598	443	192.168.2.4	34.120.208.123
Oct 23, 2024 23:03:09.921621084 CEST	62597	443	192.168.2.4	34.120.208.123
Oct 23, 2024 23:03:09.921657085 CEST	443	62597	34.120.208.123	192.168.2.4
Oct 23, 2024 23:03:09.921808004 CEST	62598	443	192.168.2.4	34.120.208.123
Oct 23, 2024 23:03:09.921819925 CEST	443	62598	34.120.208.123	192.168.2.4
Oct 23, 2024 23:03:09.933427095 CEST	62599	443	192.168.2.4	34.120.208.123
Oct 23, 2024 23:03:09.933509111 CEST	443	62599	34.120.208.123	192.168.2.4
Oct 23, 2024 23:03:09.937488079 CEST	62599	443	192.168.2.4	34.120.208.123
Oct 23, 2024 23:03:09.937488079 CEST	62599	443	192.168.2.4	34.120.208.123
Oct 23, 2024 23:03:09.937643051 CEST	443	62599	34.120.208.123	192.168.2.4
Oct 23, 2024 23:03:10.529733896 CEST	443	62597	34.120.208.123	192.168.2.4
Oct 23, 2024 23:03:10.529987097 CEST	62597	443	192.168.2.4	34.120.208.123
Oct 23, 2024 23:03:10.532545090 CEST	443	62598	34.120.208.123	192.168.2.4
Oct 23, 2024 23:03:10.532737970 CEST	62598	443	192.168.2.4	34.120.208.123
Oct 23, 2024 23:03:10.533014059 CEST	62597	443	192.168.2.4	34.120.208.123
Oct 23, 2024 23:03:10.533068895 CEST	443	62597	34.120.208.123	192.168.2.4
Oct 23, 2024 23:03:10.533416986 CEST	443	62597	34.120.208.123	192.168.2.4
Oct 23, 2024 23:03:10.535195112 CEST	62598	443	192.168.2.4	34.120.208.123
Oct 23, 2024 23:03:10.535216093 CEST	443	62598	34.120.208.123	192.168.2.4
Oct 23, 2024 23:03:10.535446882 CEST	443	62598	34.120.208.123	192.168.2.4
Oct 23, 2024 23:03:10.538853884 CEST	62597	443	192.168.2.4	34.120.208.123
Oct 23, 2024 23:03:10.539079905 CEST	443	62597	34.120.208.123	192.168.2.4
Oct 23, 2024 23:03:10.539222002 CEST	62597	443	192.168.2.4	34.120.208.123
Oct 23, 2024 23:03:10.539253950 CEST	443	62597	34.120.208.123	192.168.2.4
Oct 23, 2024 23:03:10.539294004 CEST	62598	443	192.168.2.4	34.120.208.123
Oct 23, 2024 23:03:10.539386034 CEST	62598	443	192.168.2.4	34.120.208.123
Oct 23, 2024 23:03:10.539453983 CEST	443	62598	34.120.208.123	192.168.2.4
Oct 23, 2024 23:03:10.542511940 CEST	62598	443	192.168.2.4	34.120.208.123
Oct 23, 2024 23:03:10.542512894 CEST	62597	443	192.168.2.4	34.120.208.123
Oct 23, 2024 23:03:10.542551994 CEST	62598	443	192.168.2.4	34.120.208.123
Oct 23, 2024 23:03:10.542560101 CEST	62597	443	192.168.2.4	34.120.208.123
Oct 23, 2024 23:03:10.542561054 CEST	62597	443	192.168.2.4	34.120.208.123
Oct 23, 2024 23:03:10.566939116 CEST	443	62599	34.120.208.123	192.168.2.4
Oct 23, 2024 23:03:10.567035913 CEST	62599	443	192.168.2.4	34.120.208.123
Oct 23, 2024 23:03:10.569927931 CEST	62599	443	192.168.2.4	34.120.208.123
Oct 23, 2024 23:03:10.569945097 CEST	443	62599	34.120.208.123	192.168.2.4
Oct 23, 2024 23:03:10.570350885 CEST	443	62599	34.120.208.123	192.168.2.4
Oct 23, 2024 23:03:10.572690964 CEST	62599	443	192.168.2.4	34.120.208.123
Oct 23, 2024 23:03:10.572813034 CEST	62599	443	192.168.2.4	34.120.208.123
Oct 23, 2024 23:03:10.572881937 CEST	443	62599	34.120.208.123	192.168.2.4
Oct 23, 2024 23:03:10.572957993 CEST	62599	443	192.168.2.4	34.120.208.123
Oct 23, 2024 23:03:10.606008053 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 23, 2024 23:03:10.611356974 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 23, 2024 23:03:10.633696079 CEST	62603	443	192.168.2.4	34.120.208.123
Oct 23, 2024 23:03:10.633733988 CEST	443	62603	34.120.208.123	192.168.2.4
Oct 23, 2024 23:03:10.636595964 CEST	62603	443	192.168.2.4	34.120.208.123
Oct 23, 2024 23:03:10.636744022 CEST	62603	443	192.168.2.4	34.120.208.123
Oct 23, 2024 23:03:10.636758089 CEST	443	62603	34.120.208.123	192.168.2.4
Oct 23, 2024 23:03:10.640894890 CEST	62604	443	192.168.2.4	34.120.208.123
Oct 23, 2024 23:03:10.640914917 CEST	443	62604	34.120.208.123	192.168.2.4
Oct 23, 2024 23:03:10.641030073 CEST	62605	443	192.168.2.4	34.120.208.123
Oct 23, 2024 23:03:10.641119957 CEST	443	62605	34.120.208.123	192.168.2.4
Oct 23, 2024 23:03:10.641505957 CEST	62604	443	192.168.2.4	34.120.208.123
Oct 23, 2024 23:03:10.641525030 CEST	62605	443	192.168.2.4	34.120.208.123
Oct 23, 2024 23:03:10.641664028 CEST	62604	443	192.168.2.4	34.120.208.123
Oct 23, 2024 23:03:10.641684055 CEST	443	62604	34.120.208.123	192.168.2.4
Oct 23, 2024 23:03:10.641758919 CEST	62605	443	192.168.2.4	34.120.208.123
Oct 23, 2024 23:03:10.641793966 CEST	443	62605	34.120.208.123	192.168.2.4
Oct 23, 2024 23:03:10.670667887 CEST	62606	443	192.168.2.4	34.120.208.123
Oct 23, 2024 23:03:10.670676947 CEST	443	62606	34.120.208.123	192.168.2.4
Oct 23, 2024 23:03:10.671753883 CEST	62606	443	192.168.2.4	34.120.208.123
Oct 23, 2024 23:03:10.671976089 CEST	62606	443	192.168.2.4	34.120.208.123
Oct 23, 2024 23:03:10.671986103 CEST	443	62606	34.120.208.123	192.168.2.4
Oct 23, 2024 23:03:10.731112003 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 23, 2024 23:03:10.789936066 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 23, 2024 23:03:10.795310020 CEST	49748	80	192.168.2.4	34.107.221.82
Oct 23, 2024 23:03:10.800730944 CEST	80	49748	34.107.221.82	192.168.2.4
Oct 23, 2024 23:03:10.924623013 CEST	80	49748	34.107.221.82	192.168.2.4
Oct 23, 2024 23:03:10.979118109 CEST	49748	80	192.168.2.4	34.107.221.82
Oct 23, 2024 23:03:11.256352901 CEST	443	62603	34.120.208.123	192.168.2.4
Oct 23, 2024 23:03:11.256468058 CEST	62603	443	192.168.2.4	34.120.208.123
Oct 23, 2024 23:03:11.257982969 CEST	443	62604	34.120.208.123	192.168.2.4
Oct 23, 2024 23:03:11.258476973 CEST	443	62605	34.120.208.123	192.168.2.4
Oct 23, 2024 23:03:11.260818958 CEST	62603	443	192.168.2.4	34.120.208.123
Oct 23, 2024 23:03:11.260827065 CEST	443	62603	34.120.208.123	192.168.2.4
Oct 23, 2024 23:03:11.261048079 CEST	443	62603	34.120.208.123	192.168.2.4
Oct 23, 2024 23:03:11.261280060 CEST	62604	443	192.168.2.4	34.120.208.123
Oct 23, 2024 23:03:11.263344049 CEST	443	62605	34.120.208.123	192.168.2.4
Oct 23, 2024 23:03:11.263355017 CEST	62605	443	192.168.2.4	34.120.208.123
Oct 23, 2024 23:03:11.264561892 CEST	62604	443	192.168.2.4	34.120.208.123
Oct 23, 2024 23:03:11.264576912 CEST	443	62604	34.120.208.123	192.168.2.4
Oct 23, 2024 23:03:11.264760017 CEST	62605	443	192.168.2.4	34.120.208.123
Oct 23, 2024 23:03:11.264806032 CEST	443	62604	34.120.208.123	192.168.2.4
Oct 23, 2024 23:03:11.268301010 CEST	62605	443	192.168.2.4	34.120.208.123
Oct 23, 2024 23:03:11.268321991 CEST	443	62605	34.120.208.123	192.168.2.4
Oct 23, 2024 23:03:11.268696070 CEST	443	62605	34.120.208.123	192.168.2.4
Oct 23, 2024 23:03:11.270874023 CEST	62603	443	192.168.2.4	34.120.208.123
Oct 23, 2024 23:03:11.271003962 CEST	443	62603	34.120.208.123	192.168.2.4
Oct 23, 2024 23:03:11.271039963 CEST	62603	443	192.168.2.4	34.120.208.123
Oct 23, 2024 23:03:11.271044970 CEST	443	62603	34.120.208.123	192.168.2.4
Oct 23, 2024 23:03:11.272464037 CEST	62603	443	192.168.2.4	34.120.208.123
Oct 23, 2024 23:03:11.272675037 CEST	62604	443	192.168.2.4	34.120.208.123
Oct 23, 2024 23:03:11.272770882 CEST	62604	443	192.168.2.4	34.120.208.123
Oct 23, 2024 23:03:11.272828102 CEST	443	62604	34.120.208.123	192.168.2.4
Oct 23, 2024 23:03:11.273849010 CEST	62605	443	192.168.2.4	34.120.208.123
Oct 23, 2024 23:03:11.273940086 CEST	62605	443	192.168.2.4	34.120.208.123
Oct 23, 2024 23:03:11.274234056 CEST	443	62605	34.120.208.123	192.168.2.4
Oct 23, 2024 23:03:11.275863886 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 23, 2024 23:03:11.276120901 CEST	62604	443	192.168.2.4	34.120.208.123
Oct 23, 2024 23:03:11.278574944 CEST	62605	443	192.168.2.4	34.120.208.123
Oct 23, 2024 23:03:11.279608965 CEST	443	62606	34.120.208.123	192.168.2.4
Oct 23, 2024 23:03:11.279694080 CEST	62606	443	192.168.2.4	34.120.208.123
Oct 23, 2024 23:03:11.281943083 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 23, 2024 23:03:11.282099962 CEST	62606	443	192.168.2.4	34.120.208.123
Oct 23, 2024 23:03:11.282110929 CEST	443	62606	34.120.208.123	192.168.2.4
Oct 23, 2024 23:03:11.282464981 CEST	443	62606	34.120.208.123	192.168.2.4
Oct 23, 2024 23:03:11.284138918 CEST	62606	443	192.168.2.4	34.120.208.123
Oct 23, 2024 23:03:11.284225941 CEST	62606	443	192.168.2.4	34.120.208.123
Oct 23, 2024 23:03:11.284327984 CEST	443	62606	34.120.208.123	192.168.2.4
Oct 23, 2024 23:03:11.284404039 CEST	62606	443	192.168.2.4	34.120.208.123
Oct 23, 2024 23:03:11.401240110 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 23, 2024 23:03:11.403944969 CEST	49748	80	192.168.2.4	34.107.221.82
Oct 23, 2024 23:03:11.409446001 CEST	80	49748	34.107.221.82	192.168.2.4
Oct 23, 2024 23:03:11.441906929 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 23, 2024 23:03:11.529380083 CEST	80	49748	34.107.221.82	192.168.2.4
Oct 23, 2024 23:03:11.573302984 CEST	49748	80	192.168.2.4	34.107.221.82
Oct 23, 2024 23:03:21.402015924 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 23, 2024 23:03:21.407785892 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 23, 2024 23:03:21.533591986 CEST	49748	80	192.168.2.4	34.107.221.82
Oct 23, 2024 23:03:21.539685965 CEST	80	49748	34.107.221.82	192.168.2.4
Oct 23, 2024 23:03:31.414999962 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 23, 2024 23:03:31.420591116 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 23, 2024 23:03:31.546539068 CEST	49748	80	192.168.2.4	34.107.221.82
Oct 23, 2024 23:03:31.552002907 CEST	80	49748	34.107.221.82	192.168.2.4
Oct 23, 2024 23:03:41.427509069 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 23, 2024 23:03:41.433317900 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 23, 2024 23:03:41.558928013 CEST	49748	80	192.168.2.4	34.107.221.82
Oct 23, 2024 23:03:41.564388990 CEST	80	49748	34.107.221.82	192.168.2.4
Oct 23, 2024 23:03:44.197829962 CEST	62726	443	192.168.2.4	34.107.243.93
Oct 23, 2024 23:03:44.197921991 CEST	443	62726	34.107.243.93	192.168.2.4
Oct 23, 2024 23:03:44.198021889 CEST	62726	443	192.168.2.4	34.107.243.93
Oct 23, 2024 23:03:44.199461937 CEST	62726	443	192.168.2.4	34.107.243.93
Oct 23, 2024 23:03:44.199501991 CEST	443	62726	34.107.243.93	192.168.2.4
Oct 23, 2024 23:03:44.820242882 CEST	443	62726	34.107.243.93	192.168.2.4
Oct 23, 2024 23:03:44.820341110 CEST	62726	443	192.168.2.4	34.107.243.93
Oct 23, 2024 23:03:44.827156067 CEST	62726	443	192.168.2.4	34.107.243.93
Oct 23, 2024 23:03:44.827184916 CEST	443	62726	34.107.243.93	192.168.2.4
Oct 23, 2024 23:03:44.827284098 CEST	62726	443	192.168.2.4	34.107.243.93
Oct 23, 2024 23:03:44.827481985 CEST	443	62726	34.107.243.93	192.168.2.4
Oct 23, 2024 23:03:44.827697992 CEST	62726	443	192.168.2.4	34.107.243.93
Oct 23, 2024 23:03:44.829967022 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 23, 2024 23:03:44.835601091 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 23, 2024 23:03:44.955178976 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 23, 2024 23:03:44.958740950 CEST	49748	80	192.168.2.4	34.107.221.82
Oct 23, 2024 23:03:44.964291096 CEST	80	49748	34.107.221.82	192.168.2.4
Oct 23, 2024 23:03:44.999460936 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 23, 2024 23:03:45.083983898 CEST	80	49748	34.107.221.82	192.168.2.4
Oct 23, 2024 23:03:45.137459040 CEST	49748	80	192.168.2.4	34.107.221.82
Oct 23, 2024 23:03:54.965017080 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 23, 2024 23:03:54.971251965 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 23, 2024 23:03:55.095902920 CEST	49748	80	192.168.2.4	34.107.221.82
Oct 23, 2024 23:03:55.102420092 CEST	80	49748	34.107.221.82	192.168.2.4
Oct 23, 2024 23:04:04.977725983 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 23, 2024 23:04:04.983428955 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 23, 2024 23:04:05.109292984 CEST	49748	80	192.168.2.4	34.107.221.82
Oct 23, 2024 23:04:05.114824057 CEST	80	49748	34.107.221.82	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 23, 2024 23:02:11.371422052 CEST	53840	53	192.168.2.4	1.1.1.1
Oct 23, 2024 23:02:11.380038977 CEST	53	53840	1.1.1.1	192.168.2.4
Oct 23, 2024 23:02:11.381701946 CEST	51372	53	192.168.2.4	1.1.1.1
Oct 23, 2024 23:02:11.389983892 CEST	53	51372	1.1.1.1	192.168.2.4
Oct 23, 2024 23:02:13.783396006 CEST	64683	53	192.168.2.4	1.1.1.1
Oct 23, 2024 23:02:13.791573048 CEST	53	64683	1.1.1.1	192.168.2.4
Oct 23, 2024 23:02:13.795923948 CEST	56500	53	192.168.2.4	1.1.1.1
Oct 23, 2024 23:02:13.804089069 CEST	53	56500	1.1.1.1	192.168.2.4
Oct 23, 2024 23:02:13.807216883 CEST	65027	53	192.168.2.4	1.1.1.1
Oct 23, 2024 23:02:13.815054893 CEST	53	65027	1.1.1.1	192.168.2.4
Oct 23, 2024 23:02:14.067487955 CEST	61990	53	192.168.2.4	1.1.1.1
Oct 23, 2024 23:02:14.083811998 CEST	55526	53	192.168.2.4	1.1.1.1
Oct 23, 2024 23:02:14.091886997 CEST	53	55526	1.1.1.1	192.168.2.4
Oct 23, 2024 23:02:14.106462955 CEST	49175	53	192.168.2.4	1.1.1.1
Oct 23, 2024 23:02:14.115153074 CEST	53	49175	1.1.1.1	192.168.2.4
Oct 23, 2024 23:02:14.353997946 CEST	58803	53	192.168.2.4	1.1.1.1
Oct 23, 2024 23:02:14.362431049 CEST	53	58803	1.1.1.1	192.168.2.4
Oct 23, 2024 23:02:14.363558054 CEST	52568	53	192.168.2.4	1.1.1.1
Oct 23, 2024 23:02:14.372183084 CEST	53	52568	1.1.1.1	192.168.2.4
Oct 23, 2024 23:02:14.376775026 CEST	61455	53	192.168.2.4	1.1.1.1
Oct 23, 2024 23:02:14.384644985 CEST	53	61455	1.1.1.1	192.168.2.4
Oct 23, 2024 23:02:14.582396984 CEST	56746	53	192.168.2.4	1.1.1.1
Oct 23, 2024 23:02:14.592406034 CEST	53	56746	1.1.1.1	192.168.2.4
Oct 23, 2024 23:02:14.594940901 CEST	60468	53	192.168.2.4	1.1.1.1
Oct 23, 2024 23:02:14.602616072 CEST	53	60468	1.1.1.1	192.168.2.4
Oct 23, 2024 23:02:14.604336023 CEST	62843	53	192.168.2.4	1.1.1.1
Oct 23, 2024 23:02:14.613224983 CEST	53	62843	1.1.1.1	192.168.2.4
Oct 23, 2024 23:02:14.654963970 CEST	56582	53	192.168.2.4	1.1.1.1
Oct 23, 2024 23:02:14.662476063 CEST	53	56582	1.1.1.1	192.168.2.4
Oct 23, 2024 23:02:14.690819025 CEST	55757	53	192.168.2.4	1.1.1.1
Oct 23, 2024 23:02:14.700823069 CEST	53	55757	1.1.1.1	192.168.2.4
Oct 23, 2024 23:02:15.587552071 CEST	55554	53	192.168.2.4	1.1.1.1
Oct 23, 2024 23:02:15.589946985 CEST	64851	53	192.168.2.4	1.1.1.1
Oct 23, 2024 23:02:15.598875999 CEST	53	55554	1.1.1.1	192.168.2.4
Oct 23, 2024 23:02:15.601985931 CEST	60350	53	192.168.2.4	1.1.1.1
Oct 23, 2024 23:02:15.603579998 CEST	53	64851	1.1.1.1	192.168.2.4
Oct 23, 2024 23:02:15.610025883 CEST	53	60350	1.1.1.1	192.168.2.4
Oct 23, 2024 23:02:15.636533976 CEST	60522	53	192.168.2.4	1.1.1.1
Oct 23, 2024 23:02:15.644932985 CEST	53	60522	1.1.1.1	192.168.2.4
Oct 23, 2024 23:02:15.648958921 CEST	57456	53	192.168.2.4	1.1.1.1
Oct 23, 2024 23:02:15.658164978 CEST	53	57456	1.1.1.1	192.168.2.4
Oct 23, 2024 23:02:15.666333914 CEST	54303	53	192.168.2.4	1.1.1.1
Oct 23, 2024 23:02:15.806720018 CEST	52380	53	192.168.2.4	1.1.1.1
Oct 23, 2024 23:02:15.843182087 CEST	53	52107	1.1.1.1	192.168.2.4
Oct 23, 2024 23:02:20.553715944 CEST	56763	53	192.168.2.4	1.1.1.1
Oct 23, 2024 23:02:20.555104017 CEST	55327	53	192.168.2.4	1.1.1.1
Oct 23, 2024 23:02:20.926965952 CEST	53	56763	1.1.1.1	192.168.2.4
Oct 23, 2024 23:02:20.927073956 CEST	53	55327	1.1.1.1	192.168.2.4
Oct 23, 2024 23:02:20.944425106 CEST	57203	53	192.168.2.4	1.1.1.1
Oct 23, 2024 23:02:20.945775986 CEST	51172	53	192.168.2.4	1.1.1.1
Oct 23, 2024 23:02:20.946696043 CEST	62113	53	192.168.2.4	1.1.1.1
Oct 23, 2024 23:02:20.951966047 CEST	53	57203	1.1.1.1	192.168.2.4
Oct 23, 2024 23:02:20.952910900 CEST	61408	53	192.168.2.4	1.1.1.1
Oct 23, 2024 23:02:20.953594923 CEST	53	51172	1.1.1.1	192.168.2.4
Oct 23, 2024 23:02:20.954729080 CEST	53	62113	1.1.1.1	192.168.2.4
Oct 23, 2024 23:02:20.954775095 CEST	58120	53	192.168.2.4	1.1.1.1
Oct 23, 2024 23:02:20.960659981 CEST	53	61408	1.1.1.1	192.168.2.4
Oct 23, 2024 23:02:20.960865021 CEST	58779	53	192.168.2.4	1.1.1.1
Oct 23, 2024 23:02:20.963196993 CEST	53	58120	1.1.1.1	192.168.2.4
Oct 23, 2024 23:02:20.969321012 CEST	53	58779	1.1.1.1	192.168.2.4
Oct 23, 2024 23:02:24.645591021 CEST	62552	53	192.168.2.4	1.1.1.1
Oct 23, 2024 23:02:24.653821945 CEST	53	62552	1.1.1.1	192.168.2.4
Oct 23, 2024 23:02:24.654644012 CEST	53392	53	192.168.2.4	1.1.1.1
Oct 23, 2024 23:02:24.662985086 CEST	53	53392	1.1.1.1	192.168.2.4
Oct 23, 2024 23:02:24.669358015 CEST	57440	53	192.168.2.4	1.1.1.1
Oct 23, 2024 23:02:24.677440882 CEST	53	57440	1.1.1.1	192.168.2.4
Oct 23, 2024 23:02:24.971393108 CEST	53	62552	1.1.1.1	192.168.2.4
Oct 23, 2024 23:02:24.983279943 CEST	62802	53	192.168.2.4	1.1.1.1
Oct 23, 2024 23:02:24.990804911 CEST	53	62802	1.1.1.1	192.168.2.4
Oct 23, 2024 23:02:24.992927074 CEST	51611	53	192.168.2.4	1.1.1.1
Oct 23, 2024 23:02:25.001003981 CEST	53	51611	1.1.1.1	192.168.2.4
Oct 23, 2024 23:02:25.018671036 CEST	53444	53	192.168.2.4	1.1.1.1
Oct 23, 2024 23:02:25.026766062 CEST	53	53444	1.1.1.1	192.168.2.4
Oct 23, 2024 23:02:25.162280083 CEST	63288	53	192.168.2.4	1.1.1.1
Oct 23, 2024 23:02:25.171000004 CEST	53	63288	1.1.1.1	192.168.2.4
Oct 23, 2024 23:02:31.502218008 CEST	54965	53	192.168.2.4	1.1.1.1
Oct 23, 2024 23:02:31.502523899 CEST	58353	53	192.168.2.4	1.1.1.1
Oct 23, 2024 23:02:31.504909039 CEST	52279	53	192.168.2.4	1.1.1.1
Oct 23, 2024 23:02:31.509880066 CEST	53	58353	1.1.1.1	192.168.2.4
Oct 23, 2024 23:02:31.510196924 CEST	53	54965	1.1.1.1	192.168.2.4
Oct 23, 2024 23:02:31.513283968 CEST	53	52279	1.1.1.1	192.168.2.4
Oct 23, 2024 23:02:32.186634064 CEST	54609	53	192.168.2.4	1.1.1.1
Oct 23, 2024 23:02:32.187704086 CEST	62060	53	192.168.2.4	1.1.1.1
Oct 23, 2024 23:02:32.188460112 CEST	49847	53	192.168.2.4	1.1.1.1
Oct 23, 2024 23:02:32.194366932 CEST	53	54609	1.1.1.1	192.168.2.4
Oct 23, 2024 23:02:32.195067883 CEST	53	62060	1.1.1.1	192.168.2.4
Oct 23, 2024 23:02:32.196024895 CEST	65215	53	192.168.2.4	1.1.1.1
Oct 23, 2024 23:02:32.196705103 CEST	65263	53	192.168.2.4	1.1.1.1
Oct 23, 2024 23:02:32.198342085 CEST	53	49847	1.1.1.1	192.168.2.4
Oct 23, 2024 23:02:32.199019909 CEST	63247	53	192.168.2.4	1.1.1.1
Oct 23, 2024 23:02:32.203835964 CEST	53	65215	1.1.1.1	192.168.2.4
Oct 23, 2024 23:02:32.204406023 CEST	51946	53	192.168.2.4	1.1.1.1
Oct 23, 2024 23:02:32.206078053 CEST	53	65263	1.1.1.1	192.168.2.4
Oct 23, 2024 23:02:32.206610918 CEST	54476	53	192.168.2.4	1.1.1.1
Oct 23, 2024 23:02:32.207866907 CEST	53	63247	1.1.1.1	192.168.2.4
Oct 23, 2024 23:02:32.208781004 CEST	49325	53	192.168.2.4	1.1.1.1
Oct 23, 2024 23:02:32.211947918 CEST	53	51946	1.1.1.1	192.168.2.4
Oct 23, 2024 23:02:32.214806080 CEST	53	54476	1.1.1.1	192.168.2.4
Oct 23, 2024 23:02:32.215611935 CEST	59031	53	192.168.2.4	1.1.1.1
Oct 23, 2024 23:02:32.215648890 CEST	53351	53	192.168.2.4	1.1.1.1
Oct 23, 2024 23:02:32.216207981 CEST	53	49325	1.1.1.1	192.168.2.4
Oct 23, 2024 23:02:32.223762989 CEST	53	59031	1.1.1.1	192.168.2.4
Oct 23, 2024 23:02:32.224252939 CEST	49939	53	192.168.2.4	1.1.1.1
Oct 23, 2024 23:02:32.224555969 CEST	53	53351	1.1.1.1	192.168.2.4
Oct 23, 2024 23:02:32.231666088 CEST	53	49939	1.1.1.1	192.168.2.4
Oct 23, 2024 23:02:32.270894051 CEST	56921	53	192.168.2.4	1.1.1.1
Oct 23, 2024 23:02:32.278740883 CEST	53	56921	1.1.1.1	192.168.2.4
Oct 23, 2024 23:02:39.390757084 CEST	59295	53	192.168.2.4	1.1.1.1
Oct 23, 2024 23:02:39.398415089 CEST	53	59295	1.1.1.1	192.168.2.4
Oct 23, 2024 23:02:39.400527954 CEST	50862	53	192.168.2.4	1.1.1.1
Oct 23, 2024 23:02:39.408206940 CEST	53	50862	1.1.1.1	192.168.2.4
Oct 23, 2024 23:02:39.410839081 CEST	53442	53	192.168.2.4	1.1.1.1
Oct 23, 2024 23:02:39.416954041 CEST	55083	53	192.168.2.4	1.1.1.1
Oct 23, 2024 23:02:39.419372082 CEST	53	53442	1.1.1.1	192.168.2.4
Oct 23, 2024 23:02:39.420644999 CEST	51999	53	192.168.2.4	1.1.1.1
Oct 23, 2024 23:02:39.424674034 CEST	53	55083	1.1.1.1	192.168.2.4
Oct 23, 2024 23:02:39.429248095 CEST	53	51999	1.1.1.1	192.168.2.4
Oct 23, 2024 23:02:39.429914951 CEST	63241	53	192.168.2.4	1.1.1.1
Oct 23, 2024 23:02:39.437731981 CEST	53	63241	1.1.1.1	192.168.2.4
Oct 23, 2024 23:02:39.439610004 CEST	56129	53	192.168.2.4	1.1.1.1
Oct 23, 2024 23:02:39.449086905 CEST	53	56129	1.1.1.1	192.168.2.4
Oct 23, 2024 23:02:42.917340040 CEST	54090	53	192.168.2.4	1.1.1.1
Oct 23, 2024 23:02:42.925756931 CEST	53	54090	1.1.1.1	192.168.2.4
Oct 23, 2024 23:03:03.557585955 CEST	62967	53	192.168.2.4	1.1.1.1
Oct 23, 2024 23:03:03.565342903 CEST	53	62967	1.1.1.1	192.168.2.4
Oct 23, 2024 23:03:03.565819025 CEST	62344	53	192.168.2.4	1.1.1.1
Oct 23, 2024 23:03:03.573225021 CEST	53	62344	1.1.1.1	192.168.2.4
Oct 23, 2024 23:03:04.187546968 CEST	52735	53	192.168.2.4	1.1.1.1
Oct 23, 2024 23:03:09.935610056 CEST	59557	53	192.168.2.4	1.1.1.1
Oct 23, 2024 23:03:09.943161011 CEST	53	59557	1.1.1.1	192.168.2.4
Oct 23, 2024 23:03:10.606118917 CEST	63150	53	192.168.2.4	1.1.1.1
Oct 23, 2024 23:03:44.188266039 CEST	56957	53	192.168.2.4	1.1.1.1
Oct 23, 2024 23:03:44.196661949 CEST	53	56957	1.1.1.1	192.168.2.4
Oct 23, 2024 23:03:44.197702885 CEST	63963	53	192.168.2.4	1.1.1.1
Oct 23, 2024 23:03:44.205101013 CEST	53	63963	1.1.1.1	192.168.2.4
Oct 23, 2024 23:03:44.830213070 CEST	62274	53	192.168.2.4	1.1.1.1

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 23, 2024 23:02:11.371422052 CEST	192.168.2.4	1.1.1.1	0x13b8	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 23, 2024 23:02:11.381701946 CEST	192.168.2.4	1.1.1.1	0xdfa3	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 23, 2024 23:02:13.783396006 CEST	192.168.2.4	1.1.1.1	0xf179	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Oct 23, 2024 23:02:13.795923948 CEST	192.168.2.4	1.1.1.1	0xc9a5	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Oct 23, 2024 23:02:13.807216883 CEST	192.168.2.4	1.1.1.1	0x2ce8	Standard query (0)	youtube.com	28	IN (0x0001)	false
Oct 23, 2024 23:02:14.067487955 CEST	192.168.2.4	1.1.1.1	0x9890	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 23, 2024 23:02:14.083811998 CEST	192.168.2.4	1.1.1.1	0xb770	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 23, 2024 23:02:14.106462955 CEST	192.168.2.4	1.1.1.1	0xc1aa	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 23, 2024 23:02:14.353997946 CEST	192.168.2.4	1.1.1.1	0x4990	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 23, 2024 23:02:14.363558054 CEST	192.168.2.4	1.1.1.1	0x46e1	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 23, 2024 23:02:14.376775026 CEST	192.168.2.4	1.1.1.1	0x60a	Standard query (0)	contile.services.mozilla.com	28	IN (0x0001)	false
Oct 23, 2024 23:02:14.582396984 CEST	192.168.2.4	1.1.1.1	0xe65f	Standard query (0)	spocs.getpocket.com	A (IP address)	IN (0x0001)	false
Oct 23, 2024 23:02:14.594940901 CEST	192.168.2.4	1.1.1.1	0x4a49	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 23, 2024 23:02:14.604336023 CEST	192.168.2.4	1.1.1.1	0xf650	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 23, 2024 23:02:14.654963970 CEST	192.168.2.4	1.1.1.1	0xe7d6	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 23, 2024 23:02:14.690819025 CEST	192.168.2.4	1.1.1.1	0xcb49	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 23, 2024 23:02:15.587552071 CEST	192.168.2.4	1.1.1.1	0xe68f	Standard query (0)	example.org	A (IP address)	IN (0x0001)	false
Oct 23, 2024 23:02:15.589946985 CEST	192.168.2.4	1.1.1.1	0x6cfa	Standard query (0)	ipv4only.arpa	A (IP address)	IN (0x0001)	false
Oct 23, 2024 23:02:15.601985931 CEST	192.168.2.4	1.1.1.1	0xd71a	Standard query (0)	content-signature-2.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Oct 23, 2024 23:02:15.636533976 CEST	192.168.2.4	1.1.1.1	0xc205	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 23, 2024 23:02:15.648958921 CEST	192.168.2.4	1.1.1.1	0x3255	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 23, 2024 23:02:15.666333914 CEST	192.168.2.4	1.1.1.1	0xf66e	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 23, 2024 23:02:15.806720018 CEST	192.168.2.4	1.1.1.1	0x2946	Standard query (0)	shavar.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 23, 2024 23:02:20.553715944 CEST	192.168.2.4	1.1.1.1	0x1d53	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 23, 2024 23:02:20.555104017 CEST	192.168.2.4	1.1.1.1	0xfedd	Standard query (0)	support.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 23, 2024 23:02:20.944425106 CEST	192.168.2.4	1.1.1.1	0xf1e5	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 23, 2024 23:02:20.945775986 CEST	192.168.2.4	1.1.1.1	0x678d	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 23, 2024 23:02:20.946696043 CEST	192.168.2.4	1.1.1.1	0xa749	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 23, 2024 23:02:20.952910900 CEST	192.168.2.4	1.1.1.1	0x5688	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 23, 2024 23:02:20.954775095 CEST	192.168.2.4	1.1.1.1	0x4062	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 23, 2024 23:02:20.960865021 CEST	192.168.2.4	1.1.1.1	0x6625	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 23, 2024 23:02:24.645591021 CEST	192.168.2.4	1.1.1.1	0x28d2	Standard query (0)	firefox.settings.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 23, 2024 23:02:24.654644012 CEST	192.168.2.4	1.1.1.1	0x3c14	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 23, 2024 23:02:24.669358015 CEST	192.168.2.4	1.1.1.1	0x61de	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 23, 2024 23:02:24.983279943 CEST	192.168.2.4	1.1.1.1	0x4b5a	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 23, 2024 23:02:24.992927074 CEST	192.168.2.4	1.1.1.1	0xaf8e	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 23, 2024 23:02:25.018671036 CEST	192.168.2.4	1.1.1.1	0x521a	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 23, 2024 23:02:25.162280083 CEST	192.168.2.4	1.1.1.1	0xac04	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 23, 2024 23:02:31.502218008 CEST	192.168.2.4	1.1.1.1	0x828	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Oct 23, 2024 23:02:31.502523899 CEST	192.168.2.4	1.1.1.1	0xa4f8	Standard query (0)	www.facebook.com	A (IP address)	IN (0x0001)	false
Oct 23, 2024 23:02:31.504909039 CEST	192.168.2.4	1.1.1.1	0x35a6	Standard query (0)	www.wikipedia.org	A (IP address)	IN (0x0001)	false
Oct 23, 2024 23:02:32.186634064 CEST	192.168.2.4	1.1.1.1	0x96e4	Standard query (0)	youtube-ui.l.google.com	A (IP address)	IN (0x0001)	false
Oct 23, 2024 23:02:32.187704086 CEST	192.168.2.4	1.1.1.1	0xc322	Standard query (0)	dyna.wikimedia.org	A (IP address)	IN (0x0001)	false
Oct 23, 2024 23:02:32.188460112 CEST	192.168.2.4	1.1.1.1	0xbdfb	Standard query (0)	star-mini.c10r.facebook.com	A (IP address)	IN (0x0001)	false
Oct 23, 2024 23:02:32.196024895 CEST	192.168.2.4	1.1.1.1	0x15c	Standard query (0)	youtube-ui.l.google.com	28	IN (0x0001)	false
Oct 23, 2024 23:02:32.196705103 CEST	192.168.2.4	1.1.1.1	0xcb59	Standard query (0)	dyna.wikimedia.org	28	IN (0x0001)	false
Oct 23, 2024 23:02:32.199019909 CEST	192.168.2.4	1.1.1.1	0xb500	Standard query (0)	star-mini.c10r.facebook.com	28	IN (0x0001)	false
Oct 23, 2024 23:02:32.204406023 CEST	192.168.2.4	1.1.1.1	0xdc2f	Standard query (0)	www.reddit.com	A (IP address)	IN (0x0001)	false
Oct 23, 2024 23:02:32.206610918 CEST	192.168.2.4	1.1.1.1	0xcb3d	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Oct 23, 2024 23:02:32.208781004 CEST	192.168.2.4	1.1.1.1	0xb3f1	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 23, 2024 23:02:32.215611935 CEST	192.168.2.4	1.1.1.1	0xf0d4	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Oct 23, 2024 23:02:32.215648890 CEST	192.168.2.4	1.1.1.1	0x7c72	Standard query (0)	reddit.map.fastly.net	A (IP address)	IN (0x0001)	false
Oct 23, 2024 23:02:32.224252939 CEST	192.168.2.4	1.1.1.1	0x741d	Standard query (0)	twitter.com	28	IN (0x0001)	false
Oct 23, 2024 23:02:32.270894051 CEST	192.168.2.4	1.1.1.1	0x2d9d	Standard query (0)	reddit.map.fastly.net	28	IN (0x0001)	false
Oct 23, 2024 23:02:39.390757084 CEST	192.168.2.4	1.1.1.1	0xf5dd	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 23, 2024 23:02:39.400527954 CEST	192.168.2.4	1.1.1.1	0xa12c	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 23, 2024 23:02:39.410839081 CEST	192.168.2.4	1.1.1.1	0x6b7	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 23, 2024 23:02:39.416954041 CEST	192.168.2.4	1.1.1.1	0x3d03	Standard query (0)	normandy.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Oct 23, 2024 23:02:39.420644999 CEST	192.168.2.4	1.1.1.1	0xc737	Standard query (0)	services.addons.mozilla.org	28	IN (0x0001)	false
Oct 23, 2024 23:02:39.429914951 CEST	192.168.2.4	1.1.1.1	0x6d9d	Standard query (0)	normandy-cdn.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 23, 2024 23:02:39.439610004 CEST	192.168.2.4	1.1.1.1	0xede	Standard query (0)	normandy-cdn.services.mozilla.com	28	IN (0x0001)	false
Oct 23, 2024 23:02:42.917340040 CEST	192.168.2.4	1.1.1.1	0xd3ab	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 23, 2024 23:03:03.557585955 CEST	192.168.2.4	1.1.1.1	0x4d54	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 23, 2024 23:03:03.565819025 CEST	192.168.2.4	1.1.1.1	0x19be	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 23, 2024 23:03:04.187546968 CEST	192.168.2.4	1.1.1.1	0x5139	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 23, 2024 23:03:09.935610056 CEST	192.168.2.4	1.1.1.1	0x8d99	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 23, 2024 23:03:10.606118917 CEST	192.168.2.4	1.1.1.1	0x4eb4	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 23, 2024 23:03:44.188266039 CEST	192.168.2.4	1.1.1.1	0xd6d6	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 23, 2024 23:03:44.197702885 CEST	192.168.2.4	1.1.1.1	0xd429	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 23, 2024 23:03:44.830213070 CEST	192.168.2.4	1.1.1.1	0x216b	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 23, 2024 23:02:11.354537964 CEST	1.1.1.1	192.168.2.4	0x842e	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Oct 23, 2024 23:02:11.380038977 CEST	1.1.1.1	192.168.2.4	0x13b8	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Oct 23, 2024 23:02:13.791573048 CEST	1.1.1.1	192.168.2.4	0xf179	No error (0)	youtube.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Oct 23, 2024 23:02:13.804089069 CEST	1.1.1.1	192.168.2.4	0xc9a5	No error (0)	youtube.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Oct 23, 2024 23:02:13.815054893 CEST	1.1.1.1	192.168.2.4	0x2ce8	No error (0)	youtube.com			28	IN (0x0001)	false
Oct 23, 2024 23:02:14.074961901 CEST	1.1.1.1	192.168.2.4	0x9890	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 23, 2024 23:02:14.074961901 CEST	1.1.1.1	192.168.2.4	0x9890	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 23, 2024 23:02:14.091886997 CEST	1.1.1.1	192.168.2.4	0xb770	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 23, 2024 23:02:14.115153074 CEST	1.1.1.1	192.168.2.4	0xc1aa	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net			28	IN (0x0001)	false
Oct 23, 2024 23:02:14.362431049 CEST	1.1.1.1	192.168.2.4	0x4990	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 23, 2024 23:02:14.372183084 CEST	1.1.1.1	192.168.2.4	0x46e1	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 23, 2024 23:02:14.592406034 CEST	1.1.1.1	192.168.2.4	0xe65f	No error (0)	spocs.getpocket.com	prod.ads.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 23, 2024 23:02:14.592406034 CEST	1.1.1.1	192.168.2.4	0xe65f	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 23, 2024 23:02:14.602616072 CEST	1.1.1.1	192.168.2.4	0x4a49	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 23, 2024 23:02:14.653207064 CEST	1.1.1.1	192.168.2.4	0x7e91	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 23, 2024 23:02:14.653207064 CEST	1.1.1.1	192.168.2.4	0x7e91	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 23, 2024 23:02:14.662476063 CEST	1.1.1.1	192.168.2.4	0xe7d6	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 23, 2024 23:02:15.598875999 CEST	1.1.1.1	192.168.2.4	0xe68f	No error (0)	example.org		93.184.215.14	A (IP address)	IN (0x0001)	false
Oct 23, 2024 23:02:15.603579998 CEST	1.1.1.1	192.168.2.4	0x6cfa	No error (0)	ipv4only.arpa		192.0.0.170	A (IP address)	IN (0x0001)	false
Oct 23, 2024 23:02:15.603579998 CEST	1.1.1.1	192.168.2.4	0x6cfa	No error (0)	ipv4only.arpa		192.0.0.171	A (IP address)	IN (0x0001)	false
Oct 23, 2024 23:02:15.610025883 CEST	1.1.1.1	192.168.2.4	0xd71a	No error (0)	content-signature-2.cdn.mozilla.net	content-signature-chains.prod.autograph.services.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 23, 2024 23:02:15.610025883 CEST	1.1.1.1	192.168.2.4	0xd71a	No error (0)	content-signature-chains.prod.autograph.services.mozaws.net	prod.content-signature-chains.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 23, 2024 23:02:15.610025883 CEST	1.1.1.1	192.168.2.4	0xd71a	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Oct 23, 2024 23:02:15.644932985 CEST	1.1.1.1	192.168.2.4	0xc205	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Oct 23, 2024 23:02:15.658164978 CEST	1.1.1.1	192.168.2.4	0x3255	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net			28	IN (0x0001)	false
Oct 23, 2024 23:02:15.674649954 CEST	1.1.1.1	192.168.2.4	0xf66e	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 23, 2024 23:02:15.674649954 CEST	1.1.1.1	192.168.2.4	0xf66e	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 23, 2024 23:02:15.814975977 CEST	1.1.1.1	192.168.2.4	0x2946	No error (0)	shavar.services.mozilla.com	shavar.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 23, 2024 23:02:20.926965952 CEST	1.1.1.1	192.168.2.4	0x1d53	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 23, 2024 23:02:20.927043915 CEST	1.1.1.1	192.168.2.4	0xc516	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 23, 2024 23:02:20.927073956 CEST	1.1.1.1	192.168.2.4	0xfedd	No error (0)	support.mozilla.org	prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 23, 2024 23:02:20.927073956 CEST	1.1.1.1	192.168.2.4	0xfedd	No error (0)	prod.sumo.prod.webservices.mozgcp.net	us-west1.prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 23, 2024 23:02:20.927073956 CEST	1.1.1.1	192.168.2.4	0xfedd	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Oct 23, 2024 23:02:20.951966047 CEST	1.1.1.1	192.168.2.4	0xf1e5	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 23, 2024 23:02:20.953594923 CEST	1.1.1.1	192.168.2.4	0x678d	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 23, 2024 23:02:20.954729080 CEST	1.1.1.1	192.168.2.4	0xa749	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Oct 23, 2024 23:02:24.652626038 CEST	1.1.1.1	192.168.2.4	0x19c0	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 23, 2024 23:02:24.652626038 CEST	1.1.1.1	192.168.2.4	0x19c0	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 23, 2024 23:02:24.653821945 CEST	1.1.1.1	192.168.2.4	0x28d2	No error (0)	firefox.settings.services.mozilla.com	prod.remote-settings.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 23, 2024 23:02:24.653821945 CEST	1.1.1.1	192.168.2.4	0x28d2	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Oct 23, 2024 23:02:24.662985086 CEST	1.1.1.1	192.168.2.4	0x3c14	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 23, 2024 23:02:24.990804911 CEST	1.1.1.1	192.168.2.4	0x4b5a	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Oct 23, 2024 23:02:25.169059992 CEST	1.1.1.1	192.168.2.4	0x63c4	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 23, 2024 23:02:31.509880066 CEST	1.1.1.1	192.168.2.4	0xa4f8	No error (0)	www.facebook.com	star-mini.c10r.facebook.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 23, 2024 23:02:31.509880066 CEST	1.1.1.1	192.168.2.4	0xa4f8	No error (0)	star-mini.c10r.facebook.com		157.240.0.35	A (IP address)	IN (0x0001)	false
Oct 23, 2024 23:02:31.510196924 CEST	1.1.1.1	192.168.2.4	0x828	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 23, 2024 23:02:31.510196924 CEST	1.1.1.1	192.168.2.4	0x828	No error (0)	youtube-ui.l.google.com		172.217.23.110	A (IP address)	IN (0x0001)	false
Oct 23, 2024 23:02:31.510196924 CEST	1.1.1.1	192.168.2.4	0x828	No error (0)	youtube-ui.l.google.com		172.217.18.14	A (IP address)	IN (0x0001)	false
Oct 23, 2024 23:02:31.510196924 CEST	1.1.1.1	192.168.2.4	0x828	No error (0)	youtube-ui.l.google.com		142.250.185.174	A (IP address)	IN (0x0001)	false
Oct 23, 2024 23:02:31.510196924 CEST	1.1.1.1	192.168.2.4	0x828	No error (0)	youtube-ui.l.google.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Oct 23, 2024 23:02:31.510196924 CEST	1.1.1.1	192.168.2.4	0x828	No error (0)	youtube-ui.l.google.com		216.58.212.174	A (IP address)	IN (0x0001)	false
Oct 23, 2024 23:02:31.510196924 CEST	1.1.1.1	192.168.2.4	0x828	No error (0)	youtube-ui.l.google.com		142.250.186.46	A (IP address)	IN (0x0001)	false
Oct 23, 2024 23:02:31.510196924 CEST	1.1.1.1	192.168.2.4	0x828	No error (0)	youtube-ui.l.google.com		216.58.206.78	A (IP address)	IN (0x0001)	false
Oct 23, 2024 23:02:31.510196924 CEST	1.1.1.1	192.168.2.4	0x828	No error (0)	youtube-ui.l.google.com		142.250.186.110	A (IP address)	IN (0x0001)	false
Oct 23, 2024 23:02:31.510196924 CEST	1.1.1.1	192.168.2.4	0x828	No error (0)	youtube-ui.l.google.com		172.217.16.206	A (IP address)	IN (0x0001)	false
Oct 23, 2024 23:02:31.510196924 CEST	1.1.1.1	192.168.2.4	0x828	No error (0)	youtube-ui.l.google.com		142.250.186.78	A (IP address)	IN (0x0001)	false
Oct 23, 2024 23:02:31.510196924 CEST	1.1.1.1	192.168.2.4	0x828	No error (0)	youtube-ui.l.google.com		142.250.181.238	A (IP address)	IN (0x0001)	false
Oct 23, 2024 23:02:31.510196924 CEST	1.1.1.1	192.168.2.4	0x828	No error (0)	youtube-ui.l.google.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Oct 23, 2024 23:02:31.510196924 CEST	1.1.1.1	192.168.2.4	0x828	No error (0)	youtube-ui.l.google.com		172.217.18.110	A (IP address)	IN (0x0001)	false
Oct 23, 2024 23:02:31.510196924 CEST	1.1.1.1	192.168.2.4	0x828	No error (0)	youtube-ui.l.google.com		142.250.186.174	A (IP address)	IN (0x0001)	false
Oct 23, 2024 23:02:31.510196924 CEST	1.1.1.1	192.168.2.4	0x828	No error (0)	youtube-ui.l.google.com		172.217.16.142	A (IP address)	IN (0x0001)	false
Oct 23, 2024 23:02:31.510196924 CEST	1.1.1.1	192.168.2.4	0x828	No error (0)	youtube-ui.l.google.com		142.250.74.206	A (IP address)	IN (0x0001)	false
Oct 23, 2024 23:02:31.513283968 CEST	1.1.1.1	192.168.2.4	0x35a6	No error (0)	www.wikipedia.org	dyna.wikimedia.org		CNAME (Canonical name)	IN (0x0001)	false
Oct 23, 2024 23:02:31.513283968 CEST	1.1.1.1	192.168.2.4	0x35a6	No error (0)	dyna.wikimedia.org		185.15.59.224	A (IP address)	IN (0x0001)	false
Oct 23, 2024 23:02:32.194366932 CEST	1.1.1.1	192.168.2.4	0x96e4	No error (0)	youtube-ui.l.google.com		172.217.16.142	A (IP address)	IN (0x0001)	false
Oct 23, 2024 23:02:32.194366932 CEST	1.1.1.1	192.168.2.4	0x96e4	No error (0)	youtube-ui.l.google.com		142.250.74.206	A (IP address)	IN (0x0001)	false
Oct 23, 2024 23:02:32.194366932 CEST	1.1.1.1	192.168.2.4	0x96e4	No error (0)	youtube-ui.l.google.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Oct 23, 2024 23:02:32.194366932 CEST	1.1.1.1	192.168.2.4	0x96e4	No error (0)	youtube-ui.l.google.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Oct 23, 2024 23:02:32.194366932 CEST	1.1.1.1	192.168.2.4	0x96e4	No error (0)	youtube-ui.l.google.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Oct 23, 2024 23:02:32.194366932 CEST	1.1.1.1	192.168.2.4	0x96e4	No error (0)	youtube-ui.l.google.com		142.250.181.238	A (IP address)	IN (0x0001)	false
Oct 23, 2024 23:02:32.194366932 CEST	1.1.1.1	192.168.2.4	0x96e4	No error (0)	youtube-ui.l.google.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Oct 23, 2024 23:02:32.194366932 CEST	1.1.1.1	192.168.2.4	0x96e4	No error (0)	youtube-ui.l.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Oct 23, 2024 23:02:32.194366932 CEST	1.1.1.1	192.168.2.4	0x96e4	No error (0)	youtube-ui.l.google.com		142.250.186.110	A (IP address)	IN (0x0001)	false
Oct 23, 2024 23:02:32.194366932 CEST	1.1.1.1	192.168.2.4	0x96e4	No error (0)	youtube-ui.l.google.com		142.250.186.78	A (IP address)	IN (0x0001)	false
Oct 23, 2024 23:02:32.194366932 CEST	1.1.1.1	192.168.2.4	0x96e4	No error (0)	youtube-ui.l.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Oct 23, 2024 23:02:32.194366932 CEST	1.1.1.1	192.168.2.4	0x96e4	No error (0)	youtube-ui.l.google.com		216.58.206.46	A (IP address)	IN (0x0001)	false
Oct 23, 2024 23:02:32.194366932 CEST	1.1.1.1	192.168.2.4	0x96e4	No error (0)	youtube-ui.l.google.com		142.250.185.110	A (IP address)	IN (0x0001)	false
Oct 23, 2024 23:02:32.194366932 CEST	1.1.1.1	192.168.2.4	0x96e4	No error (0)	youtube-ui.l.google.com		142.250.185.174	A (IP address)	IN (0x0001)	false
Oct 23, 2024 23:02:32.194366932 CEST	1.1.1.1	192.168.2.4	0x96e4	No error (0)	youtube-ui.l.google.com		172.217.18.14	A (IP address)	IN (0x0001)	false
Oct 23, 2024 23:02:32.194366932 CEST	1.1.1.1	192.168.2.4	0x96e4	No error (0)	youtube-ui.l.google.com		142.250.186.46	A (IP address)	IN (0x0001)	false
Oct 23, 2024 23:02:32.195067883 CEST	1.1.1.1	192.168.2.4	0xc322	No error (0)	dyna.wikimedia.org		185.15.59.224	A (IP address)	IN (0x0001)	false
Oct 23, 2024 23:02:32.198342085 CEST	1.1.1.1	192.168.2.4	0xbdfb	No error (0)	star-mini.c10r.facebook.com		157.240.0.35	A (IP address)	IN (0x0001)	false
Oct 23, 2024 23:02:32.203835964 CEST	1.1.1.1	192.168.2.4	0x15c	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 23, 2024 23:02:32.203835964 CEST	1.1.1.1	192.168.2.4	0x15c	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 23, 2024 23:02:32.203835964 CEST	1.1.1.1	192.168.2.4	0x15c	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 23, 2024 23:02:32.203835964 CEST	1.1.1.1	192.168.2.4	0x15c	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 23, 2024 23:02:32.206078053 CEST	1.1.1.1	192.168.2.4	0xcb59	No error (0)	dyna.wikimedia.org			28	IN (0x0001)	false
Oct 23, 2024 23:02:32.207866907 CEST	1.1.1.1	192.168.2.4	0xb500	No error (0)	star-mini.c10r.facebook.com			28	IN (0x0001)	false
Oct 23, 2024 23:02:32.211947918 CEST	1.1.1.1	192.168.2.4	0xdc2f	No error (0)	www.reddit.com	reddit.map.fastly.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 23, 2024 23:02:32.211947918 CEST	1.1.1.1	192.168.2.4	0xdc2f	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Oct 23, 2024 23:02:32.211947918 CEST	1.1.1.1	192.168.2.4	0xdc2f	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Oct 23, 2024 23:02:32.211947918 CEST	1.1.1.1	192.168.2.4	0xdc2f	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Oct 23, 2024 23:02:32.211947918 CEST	1.1.1.1	192.168.2.4	0xdc2f	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Oct 23, 2024 23:02:32.214806080 CEST	1.1.1.1	192.168.2.4	0xcb3d	No error (0)	twitter.com		104.244.42.193	A (IP address)	IN (0x0001)	false
Oct 23, 2024 23:02:32.223762989 CEST	1.1.1.1	192.168.2.4	0xf0d4	No error (0)	twitter.com		104.244.42.193	A (IP address)	IN (0x0001)	false
Oct 23, 2024 23:02:32.224555969 CEST	1.1.1.1	192.168.2.4	0x7c72	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Oct 23, 2024 23:02:32.224555969 CEST	1.1.1.1	192.168.2.4	0x7c72	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Oct 23, 2024 23:02:32.224555969 CEST	1.1.1.1	192.168.2.4	0x7c72	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Oct 23, 2024 23:02:32.224555969 CEST	1.1.1.1	192.168.2.4	0x7c72	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Oct 23, 2024 23:02:39.388745070 CEST	1.1.1.1	192.168.2.4	0xa68	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 23, 2024 23:02:39.388745070 CEST	1.1.1.1	192.168.2.4	0xa68	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 23, 2024 23:02:39.408206940 CEST	1.1.1.1	192.168.2.4	0xa12c	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Oct 23, 2024 23:02:39.408206940 CEST	1.1.1.1	192.168.2.4	0xa12c	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Oct 23, 2024 23:02:39.408206940 CEST	1.1.1.1	192.168.2.4	0xa12c	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Oct 23, 2024 23:02:39.408206940 CEST	1.1.1.1	192.168.2.4	0xa12c	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Oct 23, 2024 23:02:39.419372082 CEST	1.1.1.1	192.168.2.4	0x6b7	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Oct 23, 2024 23:02:39.419372082 CEST	1.1.1.1	192.168.2.4	0x6b7	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Oct 23, 2024 23:02:39.419372082 CEST	1.1.1.1	192.168.2.4	0x6b7	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Oct 23, 2024 23:02:39.419372082 CEST	1.1.1.1	192.168.2.4	0x6b7	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Oct 23, 2024 23:02:39.424674034 CEST	1.1.1.1	192.168.2.4	0x3d03	No error (0)	normandy.cdn.mozilla.net	normandy-cdn.services.mozilla.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 23, 2024 23:02:39.424674034 CEST	1.1.1.1	192.168.2.4	0x3d03	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Oct 23, 2024 23:02:39.437731981 CEST	1.1.1.1	192.168.2.4	0x6d9d	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Oct 23, 2024 23:02:40.918718100 CEST	1.1.1.1	192.168.2.4	0x3af6	No error (0)	a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com	a17.rackcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 23, 2024 23:02:40.918718100 CEST	1.1.1.1	192.168.2.4	0x3af6	No error (0)	a17.rackcdn.com	a17.rackcdn.com.mdc.edgesuite.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 23, 2024 23:03:03.565342903 CEST	1.1.1.1	192.168.2.4	0x4d54	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 23, 2024 23:03:04.195461035 CEST	1.1.1.1	192.168.2.4	0x5139	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 23, 2024 23:03:04.195461035 CEST	1.1.1.1	192.168.2.4	0x5139	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 23, 2024 23:03:09.927850962 CEST	1.1.1.1	192.168.2.4	0x4439	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 23, 2024 23:03:10.614078045 CEST	1.1.1.1	192.168.2.4	0x4eb4	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 23, 2024 23:03:10.614078045 CEST	1.1.1.1	192.168.2.4	0x4eb4	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 23, 2024 23:03:44.196661949 CEST	1.1.1.1	192.168.2.4	0xd6d6	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 23, 2024 23:03:44.839121103 CEST	1.1.1.1	192.168.2.4	0x216b	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 23, 2024 23:03:44.839121103 CEST	1.1.1.1	192.168.2.4	0x216b	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

detectportal.firefox.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49740	34.107.221.82	80	7048	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 23, 2024 23:02:14.123867035 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 23, 2024 23:02:14.718800068 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 23 Oct 2024 12:49:37 GMT Age: 29557 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49748	34.107.221.82	80	7048	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 23, 2024 23:02:15.693013906 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 23, 2024 23:02:16.291491032 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 23 Oct 2024 12:53:45 GMT Age: 29311 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 23, 2024 23:02:16.598005056 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 23, 2024 23:02:16.723268032 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 23 Oct 2024 12:53:45 GMT Age: 29311 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 23, 2024 23:02:17.301412106 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 23, 2024 23:02:17.428075075 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 23 Oct 2024 12:53:45 GMT Age: 29312 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 23, 2024 23:02:20.672023058 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 23, 2024 23:02:20.927396059 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 23 Oct 2024 12:53:45 GMT Age: 29315 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 23, 2024 23:02:25.368424892 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 23, 2024 23:02:25.493756056 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 23 Oct 2024 12:53:45 GMT Age: 29320 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 23, 2024 23:02:27.348001957 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 23, 2024 23:02:27.473356962 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 23 Oct 2024 12:53:45 GMT Age: 29322 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 23, 2024 23:02:28.299314022 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 23, 2024 23:02:28.424192905 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 23 Oct 2024 12:53:45 GMT Age: 29323 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 23, 2024 23:02:32.958568096 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 23, 2024 23:02:33.102868080 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 23 Oct 2024 12:53:45 GMT Age: 29328 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 23, 2024 23:02:40.300434113 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 23, 2024 23:02:40.425765991 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 23 Oct 2024 12:53:45 GMT Age: 29335 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 23, 2024 23:02:41.037591934 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 23, 2024 23:02:41.162853956 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 23 Oct 2024 12:53:45 GMT Age: 29336 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 23, 2024 23:02:43.673686981 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 23, 2024 23:02:43.800925016 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 23 Oct 2024 12:53:45 GMT Age: 29338 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 23, 2024 23:02:53.373112917 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 23, 2024 23:02:53.498632908 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 23 Oct 2024 12:53:45 GMT Age: 29348 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 23, 2024 23:03:03.500507116 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 23, 2024 23:03:04.499157906 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 23, 2024 23:03:04.624974012 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 23 Oct 2024 12:53:45 GMT Age: 29359 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 23, 2024 23:03:10.795310020 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 23, 2024 23:03:10.924623013 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 23 Oct 2024 12:53:45 GMT Age: 29365 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 23, 2024 23:03:11.403944969 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 23, 2024 23:03:11.529380083 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 23 Oct 2024 12:53:45 GMT Age: 29366 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 23, 2024 23:03:21.533591986 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 23, 2024 23:03:31.546539068 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 23, 2024 23:03:41.558928013 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 23, 2024 23:03:44.958740950 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 23, 2024 23:03:45.083983898 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 23 Oct 2024 12:53:45 GMT Age: 29400 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 23, 2024 23:03:55.095902920 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 23, 2024 23:04:05.109292984 CEST	6	OUT	Data Raw: 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49749	34.107.221.82	80	7048	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 23, 2024 23:02:15.693115950 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 23, 2024 23:02:16.291538000 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 23 Oct 2024 12:49:37 GMT Age: 29559 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 23, 2024 23:02:16.953613043 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 23, 2024 23:02:17.089775085 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 23 Oct 2024 12:49:37 GMT Age: 29560 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 23, 2024 23:02:17.375739098 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 23, 2024 23:02:17.500998974 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 23 Oct 2024 12:49:37 GMT Age: 29560 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 23, 2024 23:02:25.031337023 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 23, 2024 23:02:25.158015013 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 23 Oct 2024 12:49:37 GMT Age: 29568 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 23, 2024 23:02:27.200120926 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 23, 2024 23:02:27.325651884 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 23 Oct 2024 12:49:37 GMT Age: 29570 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 23, 2024 23:02:28.071732044 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 23, 2024 23:02:28.212328911 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 23 Oct 2024 12:49:37 GMT Age: 29571 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 23, 2024 23:02:32.828434944 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 23, 2024 23:02:32.954813004 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 23 Oct 2024 12:49:37 GMT Age: 29575 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 23, 2024 23:02:40.009710073 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 23, 2024 23:02:40.297605991 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 23 Oct 2024 12:49:37 GMT Age: 29583 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 23, 2024 23:02:40.909280062 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 23, 2024 23:02:41.034483910 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 23 Oct 2024 12:49:37 GMT Age: 29583 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 23, 2024 23:02:43.545042038 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 23, 2024 23:02:43.670238018 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 23 Oct 2024 12:49:37 GMT Age: 29586 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 23, 2024 23:02:53.243144035 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 23, 2024 23:02:53.369153023 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 23 Oct 2024 12:49:37 GMT Age: 29596 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 23, 2024 23:03:03.384684086 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 23, 2024 23:03:04.187195063 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 23, 2024 23:03:04.495847940 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 23 Oct 2024 12:49:37 GMT Age: 29607 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 23, 2024 23:03:10.606008053 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 23, 2024 23:03:10.731112003 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 23 Oct 2024 12:49:37 GMT Age: 29613 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 23, 2024 23:03:11.275863886 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 23, 2024 23:03:11.401240110 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 23 Oct 2024 12:49:37 GMT Age: 29614 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 23, 2024 23:03:21.402015924 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 23, 2024 23:03:31.414999962 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 23, 2024 23:03:41.427509069 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 23, 2024 23:03:44.829967022 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 23, 2024 23:03:44.955178976 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 23 Oct 2024 12:49:37 GMT Age: 29647 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 23, 2024 23:03:54.965017080 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 23, 2024 23:04:04.977725983 CEST	6	OUT	Data Raw: 00 Data Ascii:

Target ID:	0
Start time:	17:02:04
Start date:	23/10/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0xc30000
File size:	919'552 bytes
MD5 hash:	AF0D4EF07DF3FE2FDDEE37BDE65D8665
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	17:02:04
Start date:	23/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM firefox.exe /T
Imagebase:	0x800000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	17:02:04
Start date:	23/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	17:02:07
Start date:	23/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM chrome.exe /T
Imagebase:	0x800000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	17:02:07
Start date:	23/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	17:02:07
Start date:	23/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM msedge.exe /T
Imagebase:	0x800000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	17:02:07
Start date:	23/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	17:02:07
Start date:	23/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM opera.exe /T
Imagebase:	0x800000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	17:02:07
Start date:	23/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	17:02:07
Start date:	23/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM brave.exe /T
Imagebase:	0x800000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	17:02:07
Start date:	23/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	17:02:07
Start date:	23/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	17:02:08
Start date:	23/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	17:02:08
Start date:	23/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	15
Start time:	17:02:08
Start date:	23/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2300 -parentBuildID 20230927232528 -prefsHandle 2244 -prefMapHandle 2236 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {62211066-fcf4-4010-9dd2-8db042710cef} 7048 "\\.\pipe\gecko-crash-server-pipe.7048" 19f5db70b10 socket
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	17:02:11
Start date:	23/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4084 -parentBuildID 20230927232528 -prefsHandle 4108 -prefMapHandle 4104 -prefsLen 26309 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1c7d6957-7151-45d2-b5b6-8f2ec3916663} 7048 "\\.\pipe\gecko-crash-server-pipe.7048" 19f6fd1fd10 rdd
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	18
Start time:	17:02:20
Start date:	23/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5168 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5188 -prefMapHandle 5184 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {646331cb-5b0f-4d7b-bbca-1ef13fcf4349} 7048 "\\.\pipe\gecko-crash-server-pipe.7048" 19f7c525510 utility
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.3%
Total number of Nodes:	1550
Total number of Limit Nodes:	53

Executed Functions

Function 00C342DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00C3430D

Part of subcall function 00C36B57: _wcslen.LIBCMT ref: 00C36B6A

GetCurrentProcess.KERNEL32(?,00CCCB64,00000000,?,?), ref: 00C34422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00C34429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00C34454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00C34466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00C34474
FreeLibrary.KERNEL32(00000000,?,?), ref: 00C3447B
GetSystemInfo.KERNEL32(?,?,?), ref: 00C344A0

Strings

kernel32.dll, xrefs: 00C3444F
GetNativeSystemInfo, xrefs: 00C34460
|O, xrefs: 00C736F8

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: e99ce3213e31a652347b9b2e52db3a465358aa31dcb7024bfa0f076c42720e2e
Instruction ID: 735e60f12776dfe48aa85a3d2873f0e681cb51c8ce1b61875bcaa080f5d79fef
Opcode Fuzzy Hash: e99ce3213e31a652347b9b2e52db3a465358aa31dcb7024bfa0f076c42720e2e
Instruction Fuzzy Hash: 26A1A47AD1A3C0DFC719C769BC817D97FA47B26300F0898A9E09DD3B62D2215A09DB71

Function 00C342A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00C350AA,?,?,00000000,00000000), ref: 00C342B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00C350AA,?,?,00000000,00000000), ref: 00C342C9
LoadResource.KERNEL32(?,00000000,?,?,00C350AA,?,?,00000000,00000000,?,?,?,?,?,?,00C34F20), ref: 00C735BE
SizeofResource.KERNEL32(?,00000000,?,?,00C350AA,?,?,00000000,00000000,?,?,?,?,?,?,00C34F20), ref: 00C735D3
LockResource.KERNEL32(00C350AA,?,?,00C350AA,?,?,00000000,00000000,?,?,?,?,?,?,00C34F20,?), ref: 00C735E6

Strings

SCRIPT, xrefs: 00C342BF

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 7e246927e26e87ddabdc2c9c1c49b060c9bf0991c829bf4393f212f9dae419c5
Instruction ID: 2932bd104e78bd29f779b6e19936e6ae439fd58477e2b648d6e955f7d8d3f6b2
Opcode Fuzzy Hash: 7e246927e26e87ddabdc2c9c1c49b060c9bf0991c829bf4393f212f9dae419c5
Instruction Fuzzy Hash: 9A118E70200700BFD7258BA6DC88F2B7BBDEBC6B51F14816DF426D6690DB72ED008A20

Function 00C72BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00C32B6B

Part of subcall function 00C33A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00D01418,?,00C32E7F,?,?,?,00000000), ref: 00C33A78

Part of subcall function 00C39CB3: _wcslen.LIBCMT ref: 00C39CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00CF2224), ref: 00C72C10
ShellExecuteW.SHELL32(00000000,?,?,00CF2224), ref: 00C72C17

Strings

runas, xrefs: 00C72C0B

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: 840cd12071b8e27125002b1bd331755c37fa101540cbb879ba120b39bb6561a4
Instruction ID: 9f371c98f823d5522bd49791f65b7823b28afaa9f9f75dd67ca2f9cd18a172ce
Opcode Fuzzy Hash: 840cd12071b8e27125002b1bd331755c37fa101540cbb879ba120b39bb6561a4
Instruction Fuzzy Hash: 6F11B1312183856BCB14FF60E891EBEB7A49B91310F04542DF29A520B2CF708A0AE722

Function 00C9D4DC Relevance: 6.1, APIs: 4, Instructions: 86
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00C9D501
Process32FirstW.KERNEL32(00000000,?), ref: 00C9D50F
Process32NextW.KERNEL32(00000000,?), ref: 00C9D52F
CloseHandle.KERNELBASE(00000000), ref: 00C9D5DC

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 06372ad45933dd9d24f9cfaab10d6f074b73128d9825dcdc279c2c081c53126a
Instruction ID: f716459127c4553baf9d9a6afd47d2a7e43e7637e5c4b3b2ae3c2f3eba911b34
Opcode Fuzzy Hash: 06372ad45933dd9d24f9cfaab10d6f074b73128d9825dcdc279c2c081c53126a
Instruction Fuzzy Hash: 5931BC711083009FD300EF64D885BAFBBE8EF99354F14092DF586961A1EB719A48DBA3

Function 00C9DBBE Relevance: 6.0, APIs: 4, Instructions: 29
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(?,00C75222), ref: 00C9DBCE
GetFileAttributesW.KERNELBASE(?), ref: 00C9DBDD
FindFirstFileW.KERNEL32(?,?), ref: 00C9DBEE
FindClose.KERNEL32(00000000), ref: 00C9DBFA

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 5e58f9e0c8dbc6112a44dc0cf54e7613a158b1a14e175eb1e3b2a912af1707e7
Instruction ID: 0b076411fb5ce06d5bd6343dbaf4359215452905bc7c5ef4bbf3089911293c05
Opcode Fuzzy Hash: 5e58f9e0c8dbc6112a44dc0cf54e7613a158b1a14e175eb1e3b2a912af1707e7
Instruction Fuzzy Hash: 8EF0A030810910978B206B78EC4DAAE776C9F01334B144702F83AD20F0EBB05A568695

Function 00C54CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00C628E9,?,00C54CBE,00C628E9,00CF88B8,0000000C,00C54E15,00C628E9,00000002,00000000,?,00C628E9), ref: 00C54D09
TerminateProcess.KERNEL32(00000000,?,00C54CBE,00C628E9,00CF88B8,0000000C,00C54E15,00C628E9,00000002,00000000,?,00C628E9), ref: 00C54D10
ExitProcess.KERNEL32 ref: 00C54D22

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 6c14b3ce3aee39ed185d9b2a51043ff09086083f27518ce7d3ee3336eddca176
Instruction ID: 7c6e6fd7ad27d7b7157c01d2580c13f58b3ef5e62b94ec03858d9c3b90ed123f
Opcode Fuzzy Hash: 6c14b3ce3aee39ed185d9b2a51043ff09086083f27518ce7d3ee3336eddca176
Instruction Fuzzy Hash: E1E0B675400188ABCF25AF54EE49F9C3B79FB41796B144018FC198B132CB3ADE86DA94

Function 00CBAFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 00CBB198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00CBB1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00CBB1D4
_wcslen.LIBCMT ref: 00CBB200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00CBB214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00CBB236
_wcslen.LIBCMT ref: 00CBB332

Part of subcall function 00CA05A7: GetStdHandle.KERNEL32(000000F6), ref: 00CA05C6

_wcslen.LIBCMT ref: 00CBB34B
_wcslen.LIBCMT ref: 00CBB366
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00CBB3B6
GetLastError.KERNEL32(00000000), ref: 00CBB407
CloseHandle.KERNEL32(?), ref: 00CBB439
CloseHandle.KERNEL32(00000000), ref: 00CBB44A
CloseHandle.KERNEL32(00000000), ref: 00CBB45C
CloseHandle.KERNEL32(00000000), ref: 00CBB46E
CloseHandle.KERNEL32(?), ref: 00CBB4E3

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: c3b227c095627e8e8b73faecfa95324caa17b94ed12b310e26948b04c874dd02
Instruction ID: 764804eedb8b75574647d9dbe96810da4fbe025ce630d920a83398ce2427dd64
Opcode Fuzzy Hash: c3b227c095627e8e8b73faecfa95324caa17b94ed12b310e26948b04c874dd02
Instruction Fuzzy Hash: B2F1BD715083009FCB24EF24C891BAEBBE4BF85314F18855DF8999B2A2CB71ED45DB52

Function 00C3D733 Relevance: 21.6, APIs: 14, Instructions: 623windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00C3D807
timeGetTime.WINMM ref: 00C3DA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C3DB28
TranslateMessage.USER32(?), ref: 00C3DB7B
DispatchMessageW.USER32(?), ref: 00C3DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C3DB9F
Sleep.KERNELBASE(0000000A), ref: 00C3DBB1

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: a343900cdd5c8aa00fc4f6b37a38832f2bb0fd8053f2e10b95248c1a8b9bd963
Instruction ID: 90d503ca4c915d2c92b69e371459e52c1f8be8f608a814ab46cd46a7847826ec
Opcode Fuzzy Hash: a343900cdd5c8aa00fc4f6b37a38832f2bb0fd8053f2e10b95248c1a8b9bd963
Instruction Fuzzy Hash: FF420130618341EFD728DF25D888BAAB7E0FF45308F14865DF86A87291DB70E944DB96

Function 00C32CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00C32D07
RegisterClassExW.USER32(00000030), ref: 00C32D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00C32D42
InitCommonControlsEx.COMCTL32(?), ref: 00C32D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00C32D6F
LoadIconW.USER32(000000A9), ref: 00C32D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00C32D94

Strings

AutoIt v3 GUI, xrefs: 00C32D23
0, xrefs: 00C32CE9
+, xrefs: 00C32CF0
TaskbarCreated, xrefs: 00C32D37

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 71fe56a2c9e6efffdee01bbd5cd3afd1b56664f760baf18342c5e95f6ad27a89
Instruction ID: f7d95c39be0f1cc37131f6811e5533272f1ca9b2219ef3b53a4f533aab4236cf
Opcode Fuzzy Hash: 71fe56a2c9e6efffdee01bbd5cd3afd1b56664f760baf18342c5e95f6ad27a89
Instruction Fuzzy Hash: D721BFB9D01319AFDB00DFA4E889B9DBBB4FB08700F00811AF629E62A0D7B155448FA1

Function 00C7065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00C7039A: CreateFileW.KERNELBASE(00000000,00000000,?,00C70704,?,?,00000000,?,00C70704,00000000,0000000C), ref: 00C703B7

GetLastError.KERNEL32 ref: 00C7076F
__dosmaperr.LIBCMT ref: 00C70776
GetFileType.KERNELBASE(00000000), ref: 00C70782
GetLastError.KERNEL32 ref: 00C7078C
__dosmaperr.LIBCMT ref: 00C70795
CloseHandle.KERNEL32(00000000), ref: 00C707B5
CloseHandle.KERNEL32(?), ref: 00C708FF
GetLastError.KERNEL32 ref: 00C70931
__dosmaperr.LIBCMT ref: 00C70938

Strings

H, xrefs: 00C708BD

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: bb099bd509f247e5e607b6a561516d3224893e4a978f0073fc62923e7db35644
Instruction ID: 7c7e232e29bff517f8a1a6a5ed39a3f706298944b0ba2344acc0677d991804c0
Opcode Fuzzy Hash: bb099bd509f247e5e607b6a561516d3224893e4a978f0073fc62923e7db35644
Instruction Fuzzy Hash: 2EA12732A101459FDF19AF68DC91BAD3FA0AB06320F24815DF829DB3E1DB319913DB91

Function 00C3344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00C33A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00D01418,?,00C32E7F,?,?,?,00000000), ref: 00C33A78

Part of subcall function 00C33357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00C33379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00C3356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00C7318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00C731CE
RegCloseKey.ADVAPI32(?), ref: 00C73210
_wcslen.LIBCMT ref: 00C73277
_wcslen.LIBCMT ref: 00C73286

Strings

Software\AutoIt v3\AutoIt, xrefs: 00C33560
\, xrefs: 00C7328C
\Include\, xrefs: 00C33527
Include, xrefs: 00C73184, 00C731C5

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: d3d09ccc3adcdc05706112d8ec15be4331833de8115ce0f79d51bec249792c59
Instruction ID: 0358262abbc254bf28e73dc01d6824fc5d291f9687e33d7d36fa4c182396cc0c
Opcode Fuzzy Hash: d3d09ccc3adcdc05706112d8ec15be4331833de8115ce0f79d51bec249792c59
Instruction Fuzzy Hash: F471A2714153009FC304EF65EC89AABBBE8FF85340F40482EF559D32A1EB749A48DB62

Function 00C32B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00C32B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00C32B9D
LoadIconW.USER32(00000063), ref: 00C32BB3
LoadIconW.USER32(000000A4), ref: 00C32BC5
LoadIconW.USER32(000000A2), ref: 00C32BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00C32BEF
RegisterClassExW.USER32(?), ref: 00C32C40

Part of subcall function 00C32CD4: GetSysColorBrush.USER32(0000000F), ref: 00C32D07
Part of subcall function 00C32CD4: RegisterClassExW.USER32(00000030), ref: 00C32D31
Part of subcall function 00C32CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00C32D42
Part of subcall function 00C32CD4: InitCommonControlsEx.COMCTL32(?), ref: 00C32D5F
Part of subcall function 00C32CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00C32D6F
Part of subcall function 00C32CD4: LoadIconW.USER32(000000A9), ref: 00C32D85
Part of subcall function 00C32CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00C32D94

Strings

AutoIt v3, xrefs: 00C32C2F
0, xrefs: 00C32C0F
#, xrefs: 00C32C16

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: e2bd600e2e940dbf201883e7af636b4333cb459542763f4d63b86837287f7c5c
Instruction ID: 9a38c9ba3d53cfeec348f9e5543ee111ad5f512fd4cd82805cc37a862c5663d0
Opcode Fuzzy Hash: e2bd600e2e940dbf201883e7af636b4333cb459542763f4d63b86837287f7c5c
Instruction Fuzzy Hash: 8921D579E10318ABDB109FA5EC99BAD7FB4FB48B50F04401AE508E67A0D7B155409FA4

Function 00C33170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,00C3316A,?,?), ref: 00C331D8
KillTimer.USER32(?,00000001,?,?,?,?,?,00C3316A,?,?), ref: 00C33204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00C33227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,00C3316A,?,?), ref: 00C33232
CreatePopupMenu.USER32 ref: 00C33246
PostQuitMessage.USER32(00000000), ref: 00C33267

Strings

TaskbarCreated, xrefs: 00C3322D

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 8e469f1b93b81f1cc7df425d4434d731c689f77c0a0e94d508b43587fbbcbcc4
Instruction ID: ce6f94aef016d6e5f7f273c122c7caa293c3c1206c87dcc7ac83fdd1fbf7e251
Opcode Fuzzy Hash: 8e469f1b93b81f1cc7df425d4434d731c689f77c0a0e94d508b43587fbbcbcc4
Instruction Fuzzy Hash: 77412639620284ABDF251B79DD4DB7E3A19E705340F044125F92EC62E2CBB28F40ABB1

Function 00C31410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00C31459
CoUninitialize.COMBASE ref: 00C314F8
UnregisterHotKey.USER32(?), ref: 00C316DD
DestroyWindow.USER32(?), ref: 00C724B9
FreeLibrary.KERNEL32(?), ref: 00C7251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00C7254B

Strings

close all, xrefs: 00C31454

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 92884fb5099667539e80b6a4e920392536a7706d1f240c33cc25e07c931d7048
Instruction ID: 9cf0c8f5377bc63eb6f7354cb086f44a8dd2b1279a77ea4962b7229fdecfca2f
Opcode Fuzzy Hash: 92884fb5099667539e80b6a4e920392536a7706d1f240c33cc25e07c931d7048
Instruction Fuzzy Hash: 19D15B31711212CFCB29EF55C899B29F7A4FF05700F1882ADE84AAB252DB31AD12DF51

Function 00C32C63 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,_______________________________________________________________________________________________________________________________abccccccccdeefghijklmnopqrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstyzzzzzzzzzzzzzzzz{{{{,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00C32C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00C32CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00C31CAD,?), ref: 00C32CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00C31CAD,?), ref: 00C32CCF

Strings

edit, xrefs: 00C32CAC
AutoIt v3, xrefs: 00C32C89, 00C32C8E, 00C32C8F
_______________________________________________________________________________________________________________________________abccccccccdeefghijklmnopqrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstyzzzzzzzzzzzzzzzz{{{{, xrefs: 00C32C84

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$_______________________________________________________________________________________________________________________________abccccccccdeefghijklmnopqrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstyzzzzzzzzzzzzzzzz{{{{$edit
API String ID: 1584632944-3899645675
Opcode ID: bd8cec21f6c8deed86727e2c3818ceba6b982519d378b676cefd26d4edf32bf0
Instruction ID: c5d2e6bab984e717502194177473c599c8f4c220562c069d3a13c933789c81ce
Opcode Fuzzy Hash: bd8cec21f6c8deed86727e2c3818ceba6b982519d378b676cefd26d4edf32bf0
Instruction Fuzzy Hash: 97F0DA799403907AEB311757AC48F772EBDD7C6F50B00105EF908E26A0C6711851DAB0

Function 00C33B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00C33B0F,SwapMouseButtons,00000004,?), ref: 00C33B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00C33B0F,SwapMouseButtons,00000004,?), ref: 00C33B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00C33B0F,SwapMouseButtons,00000004,?), ref: 00C33B83

Strings

Control Panel\Mouse, xrefs: 00C33B3E

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 73952bd38b7dcb88b79d678f8a55387b4645c9b62ccb18ad6f592b61d5fe06b1
Instruction ID: 0882784734fc72b81c76355f88aed65b23b41758b65075f15101ca3648a9fb24
Opcode Fuzzy Hash: 73952bd38b7dcb88b79d678f8a55387b4645c9b62ccb18ad6f592b61d5fe06b1
Instruction Fuzzy Hash: AA112AB5520248FFDB208FA5DC84EAEB7B8EF04748F104459E805D7110D2319F409B60

Function 00C33923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00C733A2

Part of subcall function 00C36B57: _wcslen.LIBCMT ref: 00C36B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00C33A04

Strings

Line: , xrefs: 00C733EB

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 458680ec9395c3c2080be3a026bd0f8440f344ae0cca9098b905f08b8acfcebb
Instruction ID: 5d40d666e3fcc6fa60bf0e765532201d384e8d3f7814dc5a7c1f1cd4c2eb3109
Opcode Fuzzy Hash: 458680ec9395c3c2080be3a026bd0f8440f344ae0cca9098b905f08b8acfcebb
Instruction Fuzzy Hash: 0131C171418340AAC325EB20DC45BEFB7E8AB84714F00852EF599821E1EB709B49DBD2

Function 00C4FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00C50668

Part of subcall function 00C532A4: RaiseException.KERNEL32(?,?,?,00C5068A,?,00D01444,?,?,?,?,?,?,00C5068A,00C31129,00CF8738,00C31129), ref: 00C53304

__CxxThrowException@8.LIBVCRUNTIME ref: 00C50685

Strings

Unknown exception, xrefs: 00C50692

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 6b56f81f7e2a24300503a2930415fbd19f9a5589e07144a5ef05dd3a5179d3a5
Instruction ID: 6b919a4c303beb018ada57cf174b888b5d3bbd7d2450aeaa66846eec9fffd720
Opcode Fuzzy Hash: 6b56f81f7e2a24300503a2930415fbd19f9a5589e07144a5ef05dd3a5179d3a5
Instruction Fuzzy Hash: B0F0223890060DB3CB00BAA4DC46D9E7B6CAE00341BB04435BD24C2492EF71DBEED599

Function 00C310F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00C31BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00C31BF4
Part of subcall function 00C31BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00C31BFC
Part of subcall function 00C31BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00C31C07
Part of subcall function 00C31BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00C31C12
Part of subcall function 00C31BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00C31C1A
Part of subcall function 00C31BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00C31C22

Part of subcall function 00C31B4A: RegisterWindowMessageW.USER32(00000004,?,00C312C4), ref: 00C31BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00C3136A
OleInitialize.OLE32 ref: 00C31388
CloseHandle.KERNEL32(00000000,00000000), ref: 00C724AB

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: ca7926c4f22a4bf1dac6928b829150591e015a1e95452afd0d36b54887d73dfd
Instruction ID: 3cf9490ebfea8de65ca9471e7bc9bce5ece33b5c89e131024ab6a74bab6ec25b
Opcode Fuzzy Hash: ca7926c4f22a4bf1dac6928b829150591e015a1e95452afd0d36b54887d73dfd
Instruction Fuzzy Hash: 9C718ABC9113019EC784DF7AAC897593AF0BB89354B58822EE44EDB3B1EB3085459F71

Function 00C9C161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C33923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00C33A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00C9C259
KillTimer.USER32(?,00000001,?,?), ref: 00C9C261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00C9C270

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: 1f82a1b4fd277b05dea6cbd24d7a47873ad5fc2c529ed630830f50b0e169faa3
Instruction ID: 3b78bac83e255a4b3434001ad09584715a8a16695edf1c937dd9e8480c7b0f67
Opcode Fuzzy Hash: 1f82a1b4fd277b05dea6cbd24d7a47873ad5fc2c529ed630830f50b0e169faa3
Instruction Fuzzy Hash: 7D319370904784AFEF22DF64C899BEBBBEC9B06708F00449ED5EE97241C7745A84CB51

Function 00C686AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,00C685CC,?,00CF8CC8,0000000C), ref: 00C68704
GetLastError.KERNEL32(?,00C685CC,?,00CF8CC8,0000000C), ref: 00C6870E
__dosmaperr.LIBCMT ref: 00C68739

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: 6989a8c2aff293666310c2e436b98c496be797f5fd0b25ca90e3f5ccbd978f33
Instruction ID: 7c4e3df73079335e492fbd0af7cc833cff3b82475c1ce25901c4cfdf609fe129
Opcode Fuzzy Hash: 6989a8c2aff293666310c2e436b98c496be797f5fd0b25ca90e3f5ccbd978f33
Instruction Fuzzy Hash: 6B014E3260566026D6346334E8C5B7E6B494F81B74F390329F928CB2E2DEA0CD859150

Function 00C3DB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 00C3DB7B
DispatchMessageW.USER32(?), ref: 00C3DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C3DB9F
Sleep.KERNELBASE(0000000A), ref: 00C3DBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 00C81CC9

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: 420c9ceb867e927fcf8da199dcd443de112778e2423b27d6b2fc0ca2c1b9af0d
Instruction ID: 48d9706eb0c40e089740d4ffece54dcd865037bd9059194a10d5eaae31bb4c95
Opcode Fuzzy Hash: 420c9ceb867e927fcf8da199dcd443de112778e2423b27d6b2fc0ca2c1b9af0d
Instruction Fuzzy Hash: 13F05E306443409BE730DB60DC89FAA73ACEB44314F104A18E61EC30C0DB30A5889B65

Function 00C41310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00C417F6

Strings

CALL, xrefs: 00C417C6

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 366474faa585c393d4eff42c98501414ba6ded74857e032e288030b76d7546fb
Instruction ID: e84db23be68193771d4e04e856f25223f69ba5bc61c69c972cc9755d8295ac40
Opcode Fuzzy Hash: 366474faa585c393d4eff42c98501414ba6ded74857e032e288030b76d7546fb
Instruction Fuzzy Hash: C022AB706083019FC714DF15C494B6ABBF1BF89314F28891DF89A8B3A2D731E985DB92

Function 00C32DE3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00C72C8C

Part of subcall function 00C33AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C33A97,?,?,00C32E7F,?,?,?,00000000), ref: 00C33AC2

Part of subcall function 00C32DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00C32DC4

Strings

X, xrefs: 00C72C5A

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: d6d57009b060001b61a6ae365a303a715f87eb6aff7eaef31711347bbf12d72a
Instruction ID: bcdca90430af8a34268f17aec8935caff1b5e841026d7edfe2c9c23584f50771
Opcode Fuzzy Hash: d6d57009b060001b61a6ae365a303a715f87eb6aff7eaef31711347bbf12d72a
Instruction Fuzzy Hash: CC21D270A1029C9FDF41EF94C849BEEBBFCAF48305F008059E509B7241DBB45A899FA1

Function 00C33837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00C33908

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: ae45493e529aa30547de099e3e11624cac3708f21219bfad271bad27f2d9aecf
Instruction ID: e8a11559fcc8aef1b55d0ab46117393beb9b56f588eb586c1c797b3fe7c032c2
Opcode Fuzzy Hash: ae45493e529aa30547de099e3e11624cac3708f21219bfad271bad27f2d9aecf
Instruction Fuzzy Hash: 32318E745043419FD720DF24D88479BBBE8FB49709F00092EF9A9C7290E771AA44CBA2

Function 00C4F645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00C4F661

Part of subcall function 00C3D733: GetInputState.USER32 ref: 00C3D807

Sleep.KERNEL32(00000000), ref: 00C8F2DE

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: d06cfcc824781df9fcc0b31a8ef33fb3f6a9e2443459bbb7671a1c0710f59655
Instruction ID: 07040fccac770656a33a0df154e1a3a36e815b1fa575684bcee9410b5bd17d24
Opcode Fuzzy Hash: d06cfcc824781df9fcc0b31a8ef33fb3f6a9e2443459bbb7671a1c0710f59655
Instruction Fuzzy Hash: B8F01C312506059FD314EF69D489F6AB7E8FF45761F004029F95EC7261DB70AC10DB95

Function 00C34ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C34E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00C34EDD,?,00D01418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C34E9C
Part of subcall function 00C34E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00C34EAE
Part of subcall function 00C34E90: FreeLibrary.KERNEL32(00000000,?,?,00C34EDD,?,00D01418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C34EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00D01418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C34EFD

Part of subcall function 00C34E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00C73CDE,?,00D01418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C34E62
Part of subcall function 00C34E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00C34E74
Part of subcall function 00C34E59: FreeLibrary.KERNEL32(00000000,?,?,00C73CDE,?,00D01418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C34E87

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: de118b66e17bc8a12fb07eb573d9e1dc450bfb6b7e958a74abb2528a66a8d53b
Instruction ID: 79e8c94271a4caebaea300239b24ca26f05f695f6931ba23e76072c994be5d87
Opcode Fuzzy Hash: de118b66e17bc8a12fb07eb573d9e1dc450bfb6b7e958a74abb2528a66a8d53b
Instruction Fuzzy Hash: EB112332620205ABCB28ABA4DC02FAD77A5AF44710F24842DF442A61C1EE70AA05AB50

Function 00C68402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00C68440

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: ad1a886cbdf7280e26a8147bfc85148efc80012277b4c88d607086ce3502584b
Instruction ID: dbb4bfbc9a09e035e859005549b0db9e25852cc56613225d979aa22141bec158
Opcode Fuzzy Hash: ad1a886cbdf7280e26a8147bfc85148efc80012277b4c88d607086ce3502584b
Instruction Fuzzy Hash: C311487190420AAFCB15DF58E980AAE7BF4EF48300F104199F808AB312DA30DA15CBA4

Function 00C65000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00C64C7D: RtlAllocateHeap.NTDLL(00000008,00C31129,00000000,?,00C62E29,00000001,00000364,?,?,?,00C5F2DE,00C63863,00D01444,?,00C4FDF5,?), ref: 00C64CBE

_free.LIBCMT ref: 00C6506C

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: 08101cae97ae96cd05ebfbd944812e6cd50af9d69471a282f1dfa4c162725794
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: B60122722047056BE3318F69D8C1A9AFBE8FB89370F25062DE194832C0EB30A905C6B4

Function 00C5E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 298ac76e29bd10556a0c875ddc01be64290c3cdbea06ae39ece58ffed8f3941b
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: 2DF02D3A510E18DAC7353A66CC05B5A33999F523B3F100715FC21931D2CF70D68E96AD

Function 00C64C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00C31129,00000000,?,00C62E29,00000001,00000364,?,?,?,00C5F2DE,00C63863,00D01444,?,00C4FDF5,?), ref: 00C64CBE

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: c1c6db7a9a1d6dd2d6e1d24d46d90ffb20ead237f6b3f0c94e97a1e7fc4744f1
Instruction ID: d23469c14266665ac4f83bd5e2d355e599012b64730c7f4212b3674b97487f02
Opcode Fuzzy Hash: c1c6db7a9a1d6dd2d6e1d24d46d90ffb20ead237f6b3f0c94e97a1e7fc4744f1
Instruction Fuzzy Hash: 2FF0E93560222477DB3D5F6BDC89F5A3788BF817A1B144115FC2AE6380CA70D94196E0

Function 00C63820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00D01444,?,00C4FDF5,?,?,00C3A976,00000010,00D01440,00C313FC,?,00C313C6,?,00C31129), ref: 00C63852

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 96e5101c272eb2028911ff564849914448923605b28798be7d39f02f874271bd
Instruction ID: f15fcec1ef92262f062ed04772435d7b79a3a008f44987703a5709522eaf1581
Opcode Fuzzy Hash: 96e5101c272eb2028911ff564849914448923605b28798be7d39f02f874271bd
Instruction Fuzzy Hash: D1E0E5351002A456E73126A79C45BDA3749EF467B5F050122FC25975C1CB10DF4292F4

Function 00C34F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00D01418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C34F6D

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: cf4ab712b9ff7a6e3a9683f522e4c29e59ee8090e517790d45f426556ce40ebb
Instruction ID: d84696e4c494f76403167ca6f9f38d763c1cbc352e7cb0602cfd444d2c728107
Opcode Fuzzy Hash: cf4ab712b9ff7a6e3a9683f522e4c29e59ee8090e517790d45f426556ce40ebb
Instruction Fuzzy Hash: 75F03071115751CFDB389FA5D490916B7E4EF1831971889BEE1EA82611C731A944DF10

Function 00CC2A55 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00CC2A66

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: ebda74c7b0b1aad9cea7abc1f0399db6b03cae6e071911a7728576278d64dfb2
Instruction ID: e74fecf658acc4fdf4f344eb5b92444d3f61241e2ff78813e4775ee5ef58a0ac
Opcode Fuzzy Hash: ebda74c7b0b1aad9cea7abc1f0399db6b03cae6e071911a7728576278d64dfb2
Instruction Fuzzy Hash: 97E08C36354116AACB14EB35EC84EFEB35CEF50395B10453AFC2AC2140EB309A96B6E0

Function 00C330F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 00C3314E

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 3966a68749f3ca2dba2939ec85b2a64cdafb83a73bedf0c2654aa899823d2c7b
Instruction ID: 47a18f57a873438baafaea262bed57cbd30ffc521994cb7f3bed1f5e001decef
Opcode Fuzzy Hash: 3966a68749f3ca2dba2939ec85b2a64cdafb83a73bedf0c2654aa899823d2c7b
Instruction Fuzzy Hash: 02F037749143549FE752DB64DC497D97BFCA701708F0040E9A54CD6291D7745788CF61

Function 00C32DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00C32DC4

Part of subcall function 00C36B57: _wcslen.LIBCMT ref: 00C36B6A

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: fb4797b6f514a124e720344f625ba852134f1bc2ad872e2e5e1a24bb99a5bd41
Instruction ID: 1747035774fff61c3d044b7dac4f5db8134608731676e3d9ca5f25c52e4d59b1
Opcode Fuzzy Hash: fb4797b6f514a124e720344f625ba852134f1bc2ad872e2e5e1a24bb99a5bd41
Instruction Fuzzy Hash: 4AE0CD72A001245BC710D698DC05FDA77DDDFC8790F044071FD0DD7248D960AD809650

Function 00C32B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00C33837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00C33908

Part of subcall function 00C3D733: GetInputState.USER32 ref: 00C3D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00C32B6B

Part of subcall function 00C330F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 00C3314E

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 2791e9fde7a1652b64a130b4176b17f593b7b67a0362c6ca17c1eb8a7b4ce5eb
Instruction ID: b9b62ad7dda7c444de1fddeba580573d30c5ca70e48541df3f7ab6e135049a84
Opcode Fuzzy Hash: 2791e9fde7a1652b64a130b4176b17f593b7b67a0362c6ca17c1eb8a7b4ce5eb
Instruction Fuzzy Hash: D4E08C2672428807CA08BB74A852AADA7599BD2365F40153EF14B872B2CF648A499262

Function 00C7039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00C70704,?,?,00000000,?,00C70704,00000000,0000000C), ref: 00C703B7

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: d21f8b6fbac0c3e0daf5a0756a8d40583f033ae71961169a0c22b792f8b66cad
Instruction ID: 8744a9c52526f34a33f91bdef1cb130bd61ee9445eb4c0b4bb91dcc07cc6b8e1
Opcode Fuzzy Hash: d21f8b6fbac0c3e0daf5a0756a8d40583f033ae71961169a0c22b792f8b66cad
Instruction Fuzzy Hash: B0D06C3204010DBBDF028F85DD46EDE3BAAFB48714F014040FE1856020C732E821AB90

Function 00C31CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00C31CBC

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 0161c9f26b856640dc4285e4dd0348036391cee3acdc085e77f9eb751674d811
Instruction ID: d5caebe21cc3096625d6f8e479eaeec3e2b3b03892b443720bc8562a76ca96b0
Opcode Fuzzy Hash: 0161c9f26b856640dc4285e4dd0348036391cee3acdc085e77f9eb751674d811
Instruction Fuzzy Hash: E5C0923A280304AFF3148B80FC8EF247764A348B00F048001F60DE96E3C3E22821EA64

Non-executed Functions

Function 00CC9576 Relevance: 72.4, APIs: 39, Strings: 2, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00C49BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00C49BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00CC961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00CC965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00CC969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00CC96C9
SendMessageW.USER32 ref: 00CC96F2
GetKeyState.USER32(00000011), ref: 00CC978B
GetKeyState.USER32(00000009), ref: 00CC9798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00CC97AE
GetKeyState.USER32(00000010), ref: 00CC97B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00CC97E9
SendMessageW.USER32 ref: 00CC9810
SendMessageW.USER32(?,00001030,?,00CC7E95), ref: 00CC9918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00CC992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00CC9941
SetCapture.USER32(?), ref: 00CC994A
ClientToScreen.USER32(?,?), ref: 00CC99AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00CC99BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00CC99D6
ReleaseCapture.USER32 ref: 00CC99E1
GetCursorPos.USER32(?), ref: 00CC9A19
ScreenToClient.USER32(?,?), ref: 00CC9A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00CC9A80
SendMessageW.USER32 ref: 00CC9AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00CC9AEB
SendMessageW.USER32 ref: 00CC9B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00CC9B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00CC9B4A
GetCursorPos.USER32(?), ref: 00CC9B68
ScreenToClient.USER32(?,?), ref: 00CC9B75
GetParent.USER32(?), ref: 00CC9B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00CC9BFA
SendMessageW.USER32 ref: 00CC9C2B
ClientToScreen.USER32(?,?), ref: 00CC9C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00CC9CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00CC9CDE
SendMessageW.USER32 ref: 00CC9D01
ClientToScreen.USER32(?,?), ref: 00CC9D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00CC9D82

Part of subcall function 00C49944: GetWindowLongW.USER32(?,000000EB), ref: 00C49952

GetWindowLongW.USER32(?,000000F0), ref: 00CC9E05

Strings

@GUI_DRAGID, xrefs: 00CC997D
F, xrefs: 00CC9D07

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F
API String ID: 3429851547-4164748364
Opcode ID: 6476d7736a6e28dfc513bcbd0fd71ee65f4a66c54f3a3daa3ce1d189f4c3f598
Instruction ID: cb1046b8a1d637c80da27cd6fe527997d532e332b70b3cc0958d7cc8b3be2a13
Opcode Fuzzy Hash: 6476d7736a6e28dfc513bcbd0fd71ee65f4a66c54f3a3daa3ce1d189f4c3f598
Instruction Fuzzy Hash: F0425835604601AFDB25CF24C888FAABBF5FF49310F14061DF6A9972A1D731AA60DF52

Function 00CC4873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 00CC48F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00CC4908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00CC4927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 00CC494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 00CC495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 00CC497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 00CC49AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 00CC49D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00CC4A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00CC4A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00CC4A7E
IsMenu.USER32(?), ref: 00CC4A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00CC4AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00CC4B20
GetWindowLongW.USER32(?,000000F0), ref: 00CC4B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00CC4BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00CC4C82
wsprintfW.USER32 ref: 00CC4CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00CC4CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00CC4CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00CC4D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00CC4D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00CC4D5A

Strings

%d/%02d/%02d, xrefs: 00CC4CA8

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 7820cc22ba621096d65e78f0cbecd7070d29e6c7c69e3ca0ee207d39c1d37eb7
Instruction ID: 52f3ba73504ed15c7909c9bbf8f5d03bcd2021d668a82a76cd73daf2f8e5c17a
Opcode Fuzzy Hash: 7820cc22ba621096d65e78f0cbecd7070d29e6c7c69e3ca0ee207d39c1d37eb7
Instruction Fuzzy Hash: 37120271A00214ABEB288F65CC59FAE7BF8EF45310F10812DF52ADB2E1DB749A41CB50

Function 00C4F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 00C4F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00C8F474
IsIconic.USER32(00000000), ref: 00C8F47D
ShowWindow.USER32(00000000,00000009), ref: 00C8F48A
SetForegroundWindow.USER32(00000000), ref: 00C8F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00C8F4AA
GetCurrentThreadId.KERNEL32 ref: 00C8F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00C8F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 00C8F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 00C8F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 00C8F4DE
SetForegroundWindow.USER32(00000000), ref: 00C8F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 00C8F4F6
keybd_event.USER32(00000012,00000000), ref: 00C8F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 00C8F50B
keybd_event.USER32(00000012,00000000), ref: 00C8F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 00C8F519
keybd_event.USER32(00000012,00000000), ref: 00C8F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 00C8F528
keybd_event.USER32(00000012,00000000), ref: 00C8F52D
SetForegroundWindow.USER32(00000000), ref: 00C8F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 00C8F557

Strings

Shell_TrayWnd, xrefs: 00C8F46F

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 14e3a9ec2152bd425f1b3dd4a7cfcbb796c7677ec0ab5c23c9582265708f4b96
Instruction ID: 51bee6ef6edd3f881dd36bede2f21e5d319ddbad613fce9e370efcdbe1b40bdc
Opcode Fuzzy Hash: 14e3a9ec2152bd425f1b3dd4a7cfcbb796c7677ec0ab5c23c9582265708f4b96
Instruction Fuzzy Hash: 10316671A40218BFEB206BB59C8AFBF7E6CEB44B54F10006AFA05E61D1C7B55D01AF64

Function 00C91201 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 00C916C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00C9170D
Part of subcall function 00C916C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00C9173A
Part of subcall function 00C916C3: GetLastError.KERNEL32 ref: 00C9174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00C91286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 00C912A8
CloseHandle.KERNEL32(?), ref: 00C912B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00C912D1
GetProcessWindowStation.USER32 ref: 00C912EA
SetProcessWindowStation.USER32(00000000), ref: 00C912F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00C91310

Part of subcall function 00C910BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00C911FC), ref: 00C910D4
Part of subcall function 00C910BF: CloseHandle.KERNEL32(?,?,00C911FC), ref: 00C910E9

Strings

winsta0, xrefs: 00C912CC
default, xrefs: 00C9130B
, xrefs: 00C9125A

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: 907c11026d7c96be8e8e02c094ebffae12508f453f1fa714b06a4738ea132aab
Instruction ID: 7c72736be173e5822fe1928ebd50fc93cab62ed670932c5ed6c06364e6520b06
Opcode Fuzzy Hash: 907c11026d7c96be8e8e02c094ebffae12508f453f1fa714b06a4738ea132aab
Instruction Fuzzy Hash: A981A37190020AAFEF119FA5DC4AFEE7BB9FF08704F184119FD25A61A0C7318A55DB21

Function 00C90B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C910F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00C91114
Part of subcall function 00C910F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00C90B9B,?,?,?), ref: 00C91120
Part of subcall function 00C910F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00C90B9B,?,?,?), ref: 00C9112F
Part of subcall function 00C910F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00C90B9B,?,?,?), ref: 00C91136
Part of subcall function 00C910F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00C9114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00C90BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00C90C00
GetLengthSid.ADVAPI32(?), ref: 00C90C17
GetAce.ADVAPI32(?,00000000,?), ref: 00C90C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00C90C6D
GetLengthSid.ADVAPI32(?), ref: 00C90C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00C90C8C
HeapAlloc.KERNEL32(00000000), ref: 00C90C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00C90CB4
CopySid.ADVAPI32(00000000), ref: 00C90CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00C90CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00C90D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00C90D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C90D45
HeapFree.KERNEL32(00000000), ref: 00C90D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C90D55
HeapFree.KERNEL32(00000000), ref: 00C90D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C90D65
HeapFree.KERNEL32(00000000), ref: 00C90D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00C90D78
HeapFree.KERNEL32(00000000), ref: 00C90D7F

Part of subcall function 00C91193: GetProcessHeap.KERNEL32(00000008,00C90BB1,?,00000000,?,00C90BB1,?), ref: 00C911A1
Part of subcall function 00C91193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00C90BB1,?), ref: 00C911A8
Part of subcall function 00C91193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00C90BB1,?), ref: 00C911B7

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 7bca1dd9cf086147e9aed748153c65ec1d500dd8f842d1186f9fede4be6e4410
Instruction ID: 19e427dd3146bbc613dfb982e15a8c97517370c365fc324a61f6a8715ddad9c3
Opcode Fuzzy Hash: 7bca1dd9cf086147e9aed748153c65ec1d500dd8f842d1186f9fede4be6e4410
Instruction Fuzzy Hash: 8F716B7290020AAFDF10DFA5DC88FAEBBBCBF04304F144519F929A7291D771AA05CB60

Function 00CAEAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00CCCC08), ref: 00CAEB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 00CAEB37
GetClipboardData.USER32(0000000D), ref: 00CAEB43
CloseClipboard.USER32 ref: 00CAEB4F
GlobalLock.KERNEL32(00000000), ref: 00CAEB87
CloseClipboard.USER32 ref: 00CAEB91
GlobalUnlock.KERNEL32(00000000), ref: 00CAEBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 00CAEBC9
GetClipboardData.USER32(00000001), ref: 00CAEBD1
GlobalLock.KERNEL32(00000000), ref: 00CAEBE2
GlobalUnlock.KERNEL32(00000000), ref: 00CAEC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 00CAEC38
GetClipboardData.USER32(0000000F), ref: 00CAEC44
GlobalLock.KERNEL32(00000000), ref: 00CAEC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 00CAEC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00CAEC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00CAECD2
GlobalUnlock.KERNEL32(00000000), ref: 00CAECF3
CountClipboardFormats.USER32 ref: 00CAED14
CloseClipboard.USER32 ref: 00CAED59

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 40fc8c249058b9152740604e84c15b60f5e90091236254cb85f1068be657339b
Instruction ID: 68e1a369c475d12052630ae0047fe8a9b40be5519b43993adeeb77565e783745
Opcode Fuzzy Hash: 40fc8c249058b9152740604e84c15b60f5e90091236254cb85f1068be657339b
Instruction Fuzzy Hash: E061CF34204302AFD300EF24D889F6EB7A4EF85718F14455DF46A972A2DB71DE46DBA2

Function 00CA698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00CA69BE
FindClose.KERNEL32(00000000), ref: 00CA6A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00CA6A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00CA6A75

Part of subcall function 00C39CB3: _wcslen.LIBCMT ref: 00C39CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00CA6AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00CA6ADF

Strings

%03d, xrefs: 00CA6DA2
%02d, xrefs: 00CA6C00, 00CA6C0A, 00CA6C5A, 00CA6CAA, 00CA6CFA, 00CA6D4A
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00CA6B32
%4d, xrefs: 00CA6BB1
%4d%02d%02d%02d%02d%02d, xrefs: 00CA6B6A

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: d1984acbdfac4ec36f4b22bf720f600bf64da34d292c4b3315bdff855c53978d
Instruction ID: 85b4c379e488074f89a15d807f7affbb625750faa61e7b66be1289e4961dad2f
Opcode Fuzzy Hash: d1984acbdfac4ec36f4b22bf720f600bf64da34d292c4b3315bdff855c53978d
Instruction Fuzzy Hash: A8D15DB2518300AFC714EBA4C885EAFB7ECEF89704F04491DF589D6291EB74DA44DB62

Function 00CA9642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00CA9663
GetFileAttributesW.KERNEL32(?), ref: 00CA96A1
SetFileAttributesW.KERNEL32(?,?), ref: 00CA96BB
FindNextFileW.KERNEL32(00000000,?), ref: 00CA96D3
FindClose.KERNEL32(00000000), ref: 00CA96DE
FindFirstFileW.KERNEL32(*.*,?), ref: 00CA96FA
SetCurrentDirectoryW.KERNEL32(?), ref: 00CA974A
SetCurrentDirectoryW.KERNEL32(00CF6B7C), ref: 00CA9768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00CA9772
FindClose.KERNEL32(00000000), ref: 00CA977F
FindClose.KERNEL32(00000000), ref: 00CA978F

Strings

*.*, xrefs: 00CA96F5

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: fb1d3fd1fc9d719b2e8926b6932cb9a8d1a3d2fd329f9b4d0c2425897c72436e
Instruction ID: 1e178e1f8032b4b3ad5104ba78ff9a84cd0f346dea01035eb6771e47fc334fb8
Opcode Fuzzy Hash: fb1d3fd1fc9d719b2e8926b6932cb9a8d1a3d2fd329f9b4d0c2425897c72436e
Instruction Fuzzy Hash: 3631C23250021A6BDB14EFB4EC4AFEE77ACDF4A325F144165F919E20A0DB30DA858A24

Function 00CA979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00CA97BE
FindNextFileW.KERNEL32(00000000,?), ref: 00CA9819
FindClose.KERNEL32(00000000), ref: 00CA9824
FindFirstFileW.KERNEL32(*.*,?), ref: 00CA9840
SetCurrentDirectoryW.KERNEL32(?), ref: 00CA9890
SetCurrentDirectoryW.KERNEL32(00CF6B7C), ref: 00CA98AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 00CA98B8
FindClose.KERNEL32(00000000), ref: 00CA98C5
FindClose.KERNEL32(00000000), ref: 00CA98D5

Part of subcall function 00C9DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00C9DB00

Strings

*.*, xrefs: 00CA983B

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 7a49a6e13adccc279f3fc65f8e342fa572332b2fd7ab323edb012e5865b9def7
Instruction ID: f0b7842897e026fd12b0ad6f6b8309d6f88136fef60f05da33071361a32545d6
Opcode Fuzzy Hash: 7a49a6e13adccc279f3fc65f8e342fa572332b2fd7ab323edb012e5865b9def7
Instruction Fuzzy Hash: 5C31C33150021A6ADB14EFB4EC8AFEE77BCDF07324F144165E924A20E0DB38DA85DB24

Function 00CBBE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00CBC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00CBB6AE,?,?), ref: 00CBC9B5
Part of subcall function 00CBC998: _wcslen.LIBCMT ref: 00CBC9F1
Part of subcall function 00CBC998: _wcslen.LIBCMT ref: 00CBCA68
Part of subcall function 00CBC998: _wcslen.LIBCMT ref: 00CBCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00CBBF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 00CBBFA9
RegCloseKey.ADVAPI32(00000000), ref: 00CBBFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00CBC02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00CBC0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00CBC154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00CBC1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 00CBC23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00CBC2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00CBC382
RegCloseKey.ADVAPI32(00000000), ref: 00CBC38F

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: fd60a88ce1cd8bf788a270ba14ab939d20b1e800804cac750113319edca2eaca
Instruction ID: c79f2c2d2c69eb3ed82031d6ddbf7406ab907f00b9ba4c5b80998a94a9e800cf
Opcode Fuzzy Hash: fd60a88ce1cd8bf788a270ba14ab939d20b1e800804cac750113319edca2eaca
Instruction Fuzzy Hash: B8025C71604200AFC714DF28C8D1E6ABBE5EF89314F58849DF85ADB2A2D731ED46CB51

Function 00CA8195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00CA8257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00CA8267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00CA8273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00CA8310
SetCurrentDirectoryW.KERNEL32(?), ref: 00CA8324
SetCurrentDirectoryW.KERNEL32(?), ref: 00CA8356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00CA838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00CA8395

Strings

*.*, xrefs: 00CA839B

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: a04ef559797f03ccfec54563893c4a66c821198c4cf9ae21547b17da956a1920
Instruction ID: c0867a33f70080b35fa71ccff9f8df3143e80f74185ddfc9317465c78b705fa6
Opcode Fuzzy Hash: a04ef559797f03ccfec54563893c4a66c821198c4cf9ae21547b17da956a1920
Instruction Fuzzy Hash: 06617D725043469FCB10EF64C884AAEB3E8FF89314F04491EF999D7251DB35EA49CB92

Function 00C9D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00C33AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C33A97,?,?,00C32E7F,?,?,?,00000000), ref: 00C33AC2

Part of subcall function 00C9E199: GetFileAttributesW.KERNEL32(?,00C9CF95), ref: 00C9E19A

FindFirstFileW.KERNEL32(?,?), ref: 00C9D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 00C9D1DD
MoveFileW.KERNEL32(?,?), ref: 00C9D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 00C9D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 00C9D237

Part of subcall function 00C9D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,00C9D21C,?,?), ref: 00C9D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 00C9D253
FindClose.KERNEL32(00000000), ref: 00C9D264

Strings

\*.*, xrefs: 00C9D0CD, 00C9D0D6, 00C9D0EB

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: b44896854a47fffeb46d7856cba45571664df3427d003798a2f8a774e5b93969
Instruction ID: c7bcb1e1aaf336db823ef01537114edc43f517cd16828ac4ed47fde46a8994f9
Opcode Fuzzy Hash: b44896854a47fffeb46d7856cba45571664df3427d003798a2f8a774e5b93969
Instruction Fuzzy Hash: 1D618C31C0524DAFCF05EBE0DA96AEDB7B5AF55300F204165E452771A2EB30AF09EB61

Function 00CAED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00CAED91
EmptyClipboard.USER32 ref: 00CAED97
GlobalAlloc.KERNEL32(00000002,?), ref: 00CAEDAC
CloseClipboard.USER32 ref: 00CAEEA3

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 79dc26607cb9b09661432544bc4b8c969cf667951d8d75335edc0c54a307fc0c
Instruction ID: 43323a45b548cfcea29792304399f6d4e302e9a2d70ebdef41009e320877a3f9
Opcode Fuzzy Hash: 79dc26607cb9b09661432544bc4b8c969cf667951d8d75335edc0c54a307fc0c
Instruction Fuzzy Hash: D341AB35604612AFE720CF19D888F19BBE5EF45329F14C099E4298B762C735ED42CBD0

Function 00C9E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00C916C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00C9170D
Part of subcall function 00C916C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00C9173A
Part of subcall function 00C916C3: GetLastError.KERNEL32 ref: 00C9174A

ExitWindowsEx.USER32(?,00000000), ref: 00C9E932

Strings

, xrefs: 00C9E920
@, xrefs: 00C9E925
, xrefs: 00C9E95C
SeShutdownPrivilege, xrefs: 00C9E902

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 4d147147ecc6578e71af8b0dd8b88eb20b765267737d660ed9eb6fc1447b147a
Instruction ID: f608c4dccc0d5a6efde3a8a7b06838669a2417a4ed17164bde79dd0e1a108c69
Opcode Fuzzy Hash: 4d147147ecc6578e71af8b0dd8b88eb20b765267737d660ed9eb6fc1447b147a
Instruction Fuzzy Hash: 0401F972A10211AFEF54A6B59CCEFFF726CA724750F1A0421FD13E21D1D9A15D409290

Function 00CB1204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00CB1276
WSAGetLastError.WSOCK32 ref: 00CB1283
bind.WSOCK32(00000000,?,00000010), ref: 00CB12BA
WSAGetLastError.WSOCK32 ref: 00CB12C5
closesocket.WSOCK32(00000000), ref: 00CB12F4
listen.WSOCK32(00000000,00000005), ref: 00CB1303
WSAGetLastError.WSOCK32 ref: 00CB130D
closesocket.WSOCK32(00000000), ref: 00CB133C

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: d65d5c8ef04cda3e442d154ac2aa295d2e78e9c1fd8fe3124cef3c5dcb789afb
Instruction ID: cfcfa6c6a7a70eda4ad1e03bbf81097d3d403c13cb8e3d8bb738dde989849e05
Opcode Fuzzy Hash: d65d5c8ef04cda3e442d154ac2aa295d2e78e9c1fd8fe3124cef3c5dcb789afb
Instruction Fuzzy Hash: 50417071A001409FD710DF68C4D8B6ABBE5AF46318F588198E8669F2E2C771ED81CBE1

Function 00C9D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00C33AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C33A97,?,?,00C32E7F,?,?,?,00000000), ref: 00C33AC2

Part of subcall function 00C9E199: GetFileAttributesW.KERNEL32(?,00C9CF95), ref: 00C9E19A

FindFirstFileW.KERNEL32(?,?), ref: 00C9D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 00C9D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 00C9D481
FindClose.KERNEL32(00000000), ref: 00C9D498
FindClose.KERNEL32(00000000), ref: 00C9D4A1

Strings

\*.*, xrefs: 00C9D3F2

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 11c31d4e7428f38cab0ee553f25d736f9c739ba44c062d4075a13e1ca79e0f49
Instruction ID: 912bf9d1bd0d2ed7e7e8a8cecbd7fc6310c662e1c171ffe7546d1395e63db35f
Opcode Fuzzy Hash: 11c31d4e7428f38cab0ee553f25d736f9c739ba44c062d4075a13e1ca79e0f49
Instruction Fuzzy Hash: 26316E710183859BC704EF64D8959AFB7A8AE91314F444E1DF4E6A31A1EB30AA09DB63

Function 00C6E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00C6E645

Strings

1#QNAN, xrefs: 00C6F84B
1#INF, xrefs: 00C6F852
1#IND, xrefs: 00C6F83D
1#SNAN, xrefs: 00C6F844

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 26d28540a205294ee9ff2d8ead1c11f4a2b3415d95cb1da93d8d39d8c1892a91
Instruction ID: 8e118b7cfbca4355724f648e610ca9696a7ecf25a45fc1fbe25829ddfd9b84b0
Opcode Fuzzy Hash: 26d28540a205294ee9ff2d8ead1c11f4a2b3415d95cb1da93d8d39d8c1892a91
Instruction Fuzzy Hash: 09C25D75E086288FDB35CE28DD807EAB7B5EB49305F1441EAD85DE7241E774AE828F40

Function 00CA648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00CA64DC
CoInitialize.OLE32(00000000), ref: 00CA6639
CoCreateInstance.OLE32(00CCFCF8,00000000,00000001,00CCFB68,?), ref: 00CA6650
CoUninitialize.OLE32 ref: 00CA68D4

Strings

.lnk, xrefs: 00CA64BA, 00CA6524, 00CA65E0

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: ee39bca5d99eb3bc1c4dc48a42a2018cb9db4d637b01869ef973ba4769a3a1d3
Instruction ID: c53e9470c0b6288a0bec416b908ae3e124527bc4c31f106821add060dba6e65f
Opcode Fuzzy Hash: ee39bca5d99eb3bc1c4dc48a42a2018cb9db4d637b01869ef973ba4769a3a1d3
Instruction Fuzzy Hash: 81D14871518301AFC314EF24C881E6BB7E9FF99708F04496DF5958B2A1EB70EA45CB92

Function 00CB22DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 00CB22E8

Part of subcall function 00CAE4EC: GetWindowRect.USER32(?,?), ref: 00CAE504

GetDesktopWindow.USER32 ref: 00CB2312
GetWindowRect.USER32(00000000), ref: 00CB2319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00CB2355
GetCursorPos.USER32(?), ref: 00CB2381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00CB23DF

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: c80f3091de3b48d0dc4a86a3ff572cf71e15cd5a8c5b3abeafbe2ae6a1b58e7f
Instruction ID: 400405644868166f56dad20541fcc8b0a4c9832968c6775080024181e5fe2d36
Opcode Fuzzy Hash: c80f3091de3b48d0dc4a86a3ff572cf71e15cd5a8c5b3abeafbe2ae6a1b58e7f
Instruction Fuzzy Hash: 5531EF72504315ABCB20DF54C848F9BB7EDFF88310F000919F899971A1DB34EA08CB92

Function 00CA9B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00C39CB3: _wcslen.LIBCMT ref: 00C39CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00CA9B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00CA9C8B

Part of subcall function 00CA3874: GetInputState.USER32 ref: 00CA38CB
Part of subcall function 00CA3874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00CA3966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00CA9BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00CA9C75

Strings

*.*, xrefs: 00CA9B5D

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: c9a6ac3737eb10fa57b27077cb69567d9cc9dbd4dcdcc574f583f8ce1c40a802
Instruction ID: 90e38e5eab3ebcfd9358e3f4bbe35d881489415652d7324842ebcd7d63280205
Opcode Fuzzy Hash: c9a6ac3737eb10fa57b27077cb69567d9cc9dbd4dcdcc574f583f8ce1c40a802
Instruction Fuzzy Hash: 6041A37194460A9FCF14DFA4CC8ABEEBBB4EF06318F248055E815A2191EB309F85DF61

Function 00C4997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00C49BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00C49BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00C49A4E
GetSysColor.USER32(0000000F), ref: 00C49B23
SetBkColor.GDI32(?,00000000), ref: 00C49B36

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 19559c6a15127461ae533dd316b55fd296a0a069ec2a5814a9f1ff7816ee54a2
Instruction ID: 8fb498c10ffcaf4e20de71fde263d2651e0637e71eac1ae2275b174208bb181d
Opcode Fuzzy Hash: 19559c6a15127461ae533dd316b55fd296a0a069ec2a5814a9f1ff7816ee54a2
Instruction Fuzzy Hash: 8BA11770108564BEE729AA2D9C88F7F2A9DFB42354B244309F422C66A1DA35DF01E379

Function 00CB1806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00CB304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00CB307A
Part of subcall function 00CB304E: _wcslen.LIBCMT ref: 00CB309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00CB185D
WSAGetLastError.WSOCK32 ref: 00CB1884
bind.WSOCK32(00000000,?,00000010), ref: 00CB18DB
WSAGetLastError.WSOCK32 ref: 00CB18E6
closesocket.WSOCK32(00000000), ref: 00CB1915

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 6cc04712c9b4f434900eea5261df457fae72fd284d0815a67ced42fae3963f3f
Instruction ID: d8656081d6c33dea3bdabf1552b691806f1d3e1a2f280d7c14cfdc1fcc37f5e6
Opcode Fuzzy Hash: 6cc04712c9b4f434900eea5261df457fae72fd284d0815a67ced42fae3963f3f
Instruction Fuzzy Hash: 7751C375A00200AFDB10AF24C8D6F6A77E5AB44718F58805CFA1AAF3D3C771AD41DBA1

Function 00CC1C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00CC1CC0
IsWindowEnabled.USER32 ref: 00CC1CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00CC1CDB
IsIconic.USER32 ref: 00CC1CE9
IsZoomed.USER32 ref: 00CC1CF7

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 48a4da1d833a20096058d7639f5550c3b481e547ae91488173fb6378d0aa45a3
Instruction ID: b879912ef53daf0c859cc80cd9b0cd925d26ee08b324d9ea0d7b5540f667cb13
Opcode Fuzzy Hash: 48a4da1d833a20096058d7639f5550c3b481e547ae91488173fb6378d0aa45a3
Instruction Fuzzy Hash: FD217E317402105FD7218F1BC884F6A7BA5AF96325F1D805CE85A8B252C771D942CB90

Function 00C38060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00C3843C
VUUU, xrefs: 00C383FA
VUUU, xrefs: 00C383E8
VUUU, xrefs: 00C75DF0
ERCP, xrefs: 00C3813C

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 1334b0f2b2693b1262675bcd14d2bb32a7a7f5421d456ea108a00f2aef820fa2
Instruction ID: a4086a948c4f2a9066655de6980e0c89f716e178858833eb9e916f1744b734c5
Opcode Fuzzy Hash: 1334b0f2b2693b1262675bcd14d2bb32a7a7f5421d456ea108a00f2aef820fa2
Instruction Fuzzy Hash: AAA29071E1061ACBDF24CF59C9417AEB7B1BF54310F2481AAE829A7385DB709E85CF90

Function 00C9AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 00C9AAAC
SetKeyboardState.USER32(00000080), ref: 00C9AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 00C9AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 00C9AB88

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: e8312ac68e49e1ad7e3ff743f40a92acc91c97996e82af512d2b51ed30f9e5f8
Instruction ID: 08845d7284067b3250dd9d3504a6180eeb63ac237e611950607613207f2aadb9
Opcode Fuzzy Hash: e8312ac68e49e1ad7e3ff743f40a92acc91c97996e82af512d2b51ed30f9e5f8
Instruction Fuzzy Hash: 82314630A40248AFFF34CB69CC0DBFE7BA6AB44320F04421AF1A5921D0D7748A81D7E6

Function 00C6BB6F Relevance: 6.1, APIs: 4, Instructions: 90timeCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00C6BB7F

Part of subcall function 00C629C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00C6D7D1,00000000,00000000,00000000,00000000,?,00C6D7F8,00000000,00000007,00000000,?,00C6DBF5,00000000), ref: 00C629DE
Part of subcall function 00C629C8: GetLastError.KERNEL32(00000000,?,00C6D7D1,00000000,00000000,00000000,00000000,?,00C6D7F8,00000000,00000007,00000000,?,00C6DBF5,00000000,00000000), ref: 00C629F0

GetTimeZoneInformation.KERNEL32 ref: 00C6BB91
WideCharToMultiByte.KERNEL32(00000000,?,00D0121C,000000FF,?,0000003F,?,?), ref: 00C6BC09
WideCharToMultiByte.KERNEL32(00000000,?,00D01270,000000FF,?,0000003F,?,?,?,00D0121C,000000FF,?,0000003F,?,?), ref: 00C6BC36

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone_free
String ID:
API String ID: 806657224-0
Opcode ID: ee0e734058beb6e58b4e305e9678abc39915ec5b5ad73429fa5aaa5f2ee1ad97
Instruction ID: f6748cd58c3694895afed1462ef2802884e906e8674c07c0f97ceca968b9db87
Opcode Fuzzy Hash: ee0e734058beb6e58b4e305e9678abc39915ec5b5ad73429fa5aaa5f2ee1ad97
Instruction Fuzzy Hash: A131CE71904205EFCB21DF69CCC1A2DBBB8BF5575071442AAE068D73A1D7309E81DB60

Function 00CACE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 00CACE89
GetLastError.KERNEL32(?,00000000), ref: 00CACEEA
SetEvent.KERNEL32(?,?,00000000), ref: 00CACEFE

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: 7f2b1156f20d9bc3ab9ad0490ae7e66b28b4f4e7963135b3c4021e8e60092829
Instruction ID: 626dd01abfb36b3218e45270340fc438ab8b5f0606d08a9527d7d68e4445ad30
Opcode Fuzzy Hash: 7f2b1156f20d9bc3ab9ad0490ae7e66b28b4f4e7963135b3c4021e8e60092829
Instruction Fuzzy Hash: 3521BD75500306AFEB20CFA5C988BAA77F8EB11358F10442EE65692151EB70EE48DB94

Function 00C98298 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 00C982AA

Strings

|, xrefs: 00C982DA
(, xrefs: 00C982F0

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 85e0e87e8445fb24456571419ec1556506b231ce6f7545034073929b2b1a62bd
Instruction ID: f14d614bede32793dd67e1769ac5bd79c20f40f6869435429abb67bc9963686b
Opcode Fuzzy Hash: 85e0e87e8445fb24456571419ec1556506b231ce6f7545034073929b2b1a62bd
Instruction Fuzzy Hash: 99324475A00605DFCB28CF59C484A6AB7F0FF48710B15C46EE5AADB3A1EB70E981CB40

Function 00CA5C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00CA5CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00CA5D17
FindClose.KERNEL32(?), ref: 00CA5D5F

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 1adc0994fa59973c71f515cb6d591600cbe953c3bfd0ae492da07bd0df6bf267
Instruction ID: 3c2bfcb892d31285956a038e9bcaf61f8b319bbcfdd571de67da37dd86a23192
Opcode Fuzzy Hash: 1adc0994fa59973c71f515cb6d591600cbe953c3bfd0ae492da07bd0df6bf267
Instruction Fuzzy Hash: BD519C75A046029FC714CF28C494E9AB7E4FF4A328F14855DE9AA8B3A1CB30ED45CF91

Function 00C62622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 00C6271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00C62724
UnhandledExceptionFilter.KERNEL32(?), ref: 00C62731

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 1e0c5cdaa9d9c9018ee5aa521da4a3add9821a272d78db04ba3f7599b1482750
Instruction ID: a43acf1f06de243735044788ad7cc01bc2c088d722a64a1b4737d99535cfc7d0
Opcode Fuzzy Hash: 1e0c5cdaa9d9c9018ee5aa521da4a3add9821a272d78db04ba3f7599b1482750
Instruction Fuzzy Hash: C831B37491121CABCB21DF68DD89BDDBBB8AF08310F5041EAE81CA7261E7309F859F45

Function 00CA51CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00CA51DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00CA5238
SetErrorMode.KERNEL32(00000000), ref: 00CA52A1

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 2db74d651e4d6a4925f387b19fad454dc68eb17575d4841c9759b2ee546e7195
Instruction ID: 38dad3f3b11e8565229805b857f96b091d6b35f7df94eb953854a84a3226fcb5
Opcode Fuzzy Hash: 2db74d651e4d6a4925f387b19fad454dc68eb17575d4841c9759b2ee546e7195
Instruction Fuzzy Hash: 46315A75A00509DFDB00DF95D884FADBBB4FF49318F088099E809AB3A2CB31E845CB90

Function 00C916C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00C4FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00C50668
Part of subcall function 00C4FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00C50685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00C9170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00C9173A
GetLastError.KERNEL32 ref: 00C9174A

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: c633b95505f7d037231c3150ab901d48dd899eaf847e6c2bb802e58a5672dd6b
Instruction ID: a315a4bdd2490ec3831e76ebf65a3591f8e805b87a3d73b9ae7b3e47ff6e1826
Opcode Fuzzy Hash: c633b95505f7d037231c3150ab901d48dd899eaf847e6c2bb802e58a5672dd6b
Instruction Fuzzy Hash: 301191B2814305AFE7189F54ECCAE6AB7B9FF44714B24852EF45657641EB70BC428A20

Function 00C9D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00C9D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 00C9D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00C9D650

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 2768affdd73bf55b2ffa1c06bef544f1928fdc31ea74dc4eddf83af7eaf98eec
Instruction ID: faafc4ac55dc0a4c8bca80dd4a27a3a32113350b93389912c21cc42d73979c6c
Opcode Fuzzy Hash: 2768affdd73bf55b2ffa1c06bef544f1928fdc31ea74dc4eddf83af7eaf98eec
Instruction Fuzzy Hash: 22118E71E01228BFDB108F95EC88FAFBBBCEB45B60F108115F918F7290C2704A018BA1

Function 00C91663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00C9168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00C916A1
FreeSid.ADVAPI32(?), ref: 00C916B1

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: df95b5d3ba38f97991a9a5ba3ad475ac498412397410125119cc5b1a4586e270
Instruction ID: b5326772929f73a584ee4c00fe9ab7bba2de5c74c85fc9e28af3706742892ed1
Opcode Fuzzy Hash: df95b5d3ba38f97991a9a5ba3ad475ac498412397410125119cc5b1a4586e270
Instruction Fuzzy Hash: AAF0F471950309FBDF00DFE4DC89EAEBBBCFB08604F504565E901E2181E774AA448A54

Function 00C8D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00C8D28C

Strings

X64, xrefs: 00C8D2A8

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 9c762bf99b59f10fa75ce19e409a1f64f8c70ca56c71fe3180b2bb096111bfa9
Instruction ID: 7a0fd52630d0927456032b315873476880dd4d0abe0e452a7b500e0ded48764f
Opcode Fuzzy Hash: 9c762bf99b59f10fa75ce19e409a1f64f8c70ca56c71fe3180b2bb096111bfa9
Instruction Fuzzy Hash: 31D0C9B480111DEACB90DB90ECC8EDDB77CBB04305F100191F106A2040D73095488F10

Function 00C5CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: 7e0f3c2bfa45d1ee8fa32d049a49d368d9e2c55044db4c5ce44fc5035c6868a6
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: CA021C75E002199FDF14CFA9C8C06ADBBF1EF48315F25826AD829E7380D731AA45CB94

Function 00CA68EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00CA6918
FindClose.KERNEL32(00000000), ref: 00CA6961

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 9fbdaab7c8e54dc23aea5b04032cb7c0de971e383201ee38fb21b515133959d0
Instruction ID: 3a0dd52f770706c6df0028b219e6dcb61f4ff0b9547a697a2c197956a9e98e5b
Opcode Fuzzy Hash: 9fbdaab7c8e54dc23aea5b04032cb7c0de971e383201ee38fb21b515133959d0
Instruction Fuzzy Hash: 691190756142019FC710DF69D4C8A1ABBE5FF89328F18C699E4698F7A2CB30EC05CB91

Function 00CA37B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00CB4891,?,?,00000035,?), ref: 00CA37E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00CB4891,?,?,00000035,?), ref: 00CA37F4

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: adcd0becdc0e4d65479e7bc7328cf99a74e0af65872578629f292cb487efa646
Instruction ID: bfcbc2d38f66744642b08d3c5a82970ef6471c82f2b06e02b5f716815aa44271
Opcode Fuzzy Hash: adcd0becdc0e4d65479e7bc7328cf99a74e0af65872578629f292cb487efa646
Instruction Fuzzy Hash: 30F0E5B17043292AE72057A69C8DFEB3AAEEFC5765F000165F509D22D1D9A09904C6B0

Function 00C9B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00C9B25D
keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 00C9B270

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 4e1769ec42bce2317eb77d17681fcc4b81f667d6d606c9706da483495ceb419e
Instruction ID: a061a4573e2f08a6a0b54b7bc0f1dcc4a62c021e771b9e0f0255b7ae5e66235d
Opcode Fuzzy Hash: 4e1769ec42bce2317eb77d17681fcc4b81f667d6d606c9706da483495ceb419e
Instruction Fuzzy Hash: 40F01D7180424EABDF059FA1D849BAE7BB4FF04305F00801AF965A5192C37996119F94

Function 00C910BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00C911FC), ref: 00C910D4
CloseHandle.KERNEL32(?,?,00C911FC), ref: 00C910E9

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: cd896ca630f18e8391b375c5c74c2e072c750c51f3d5b6cb305821597bd2301a
Instruction ID: 5abb3359b0f96b21fdd7361cc147e233e661537826719ed40d41d342d1543bd8
Opcode Fuzzy Hash: cd896ca630f18e8391b375c5c74c2e072c750c51f3d5b6cb305821597bd2301a
Instruction Fuzzy Hash: 3BE0BF72014651AEE7252B51FC49F7777A9FB04321B14882DF5A6804B1DB62AC91EB50

Function 00C3CAF0 Relevance: 1.9, Strings: 1, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 00C80C40

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.
API String ID: 0-1840281001
Opcode ID: 669db810c69ddc749bae9a4bd336bd39484dc8ea0a81406ac5a4154d71bfe4e0
Instruction ID: 8b870baed2aa72c65dafceffa43cdbd44640c8b4b75798b7a4b1c82d992c876a
Opcode Fuzzy Hash: 669db810c69ddc749bae9a4bd336bd39484dc8ea0a81406ac5a4154d71bfe4e0
Instruction Fuzzy Hash: 4632AD34920218DBCF14EF94D8C5BEDB7B5BF08308F244069E816BB292D735AE49DB61

Function 00C6676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00C66766,?,?,00000008,?,?,00C6FEFE,00000000), ref: 00C66998

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: fc573107e1ff50a94afbb4627ee56d86e95fb4f5ee4ff98110857f5d6c272fcb
Instruction ID: a11760153e740219a5f3887fea6af427b543f26858021b3f0c974d88227e01dd
Opcode Fuzzy Hash: fc573107e1ff50a94afbb4627ee56d86e95fb4f5ee4ff98110857f5d6c272fcb
Instruction Fuzzy Hash: D5B10B716106099FD725CF28C4C6B657BE0FF45368F258658E8A9CF2A2C735EA91CB40

Function 00C4B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 00C8851F

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 5247f5399b5ba632f2cef3dea32582a263974da7957720b9931830a713e50e4f
Instruction ID: 42f2d55abe1d1e94ba59b680a1d4a46932ad957d1d1fc90b7812402fd115c629
Opcode Fuzzy Hash: 5247f5399b5ba632f2cef3dea32582a263974da7957720b9931830a713e50e4f
Instruction Fuzzy Hash: CB126E719002299BDB24DF59C880AEEB7F5FF48310F54819AE849EB251DB30DE85DF94

Function 00CAEAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00CAEABD

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 0f65881710ccc08439cc2bceca86b25e781a034761341585089f68e052e09447
Instruction ID: 7c68ec8407bd084c9e59d3a9a6a81f0b54d8105698baef41ed2074199e2a5641
Opcode Fuzzy Hash: 0f65881710ccc08439cc2bceca86b25e781a034761341585089f68e052e09447
Instruction Fuzzy Hash: F1E04F362102059FC710EF5AD844E9AFBE9AF99764F00841AFD49DB351DB70EC409B90

Function 00C509D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,00C503EE), ref: 00C509DA

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: de11f30a421806d52a60ebbce604578256c5f066e54c39db4ab014a8796e32c2
Instruction ID: 33caccf2bd8d2aaab26b858305ba9659f2c99387ca15dfa7a4cc4f550007fe82
Opcode Fuzzy Hash: de11f30a421806d52a60ebbce604578256c5f066e54c39db4ab014a8796e32c2
Instruction Fuzzy Hash:

Function 00C5781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 00C5798B

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 1986b509d04622fc88b2e319ecd962d18c20ebb083548df47dec8106570e57bb
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 3F51696D60C6055BDB384569A95D7BE23899B12303F180709DCA2FB2C2C615DFCDE36E

Function 00C66DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbd51be2846ba9b45df43ee43222c868d0409dbe9c319251488080b408cef5c1
Instruction ID: 7d9de333c31d5a80e375f64ad5cff8984bf307eb59f572b6070495226bd1f563
Opcode Fuzzy Hash: fbd51be2846ba9b45df43ee43222c868d0409dbe9c319251488080b408cef5c1
Instruction Fuzzy Hash: D4320422D2AF414DD7239634CC62339A749AFB73C9F15DB37E82AB5DA5EB29C5834100

Function 00C4CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c613124ffe8047933fe6889796e7c217bf92a8ce0b0c0f579caa8ea016909555
Instruction ID: 0c6713bb3590a92ebc28e42a9f74d088fc3ad5eda76e09d3f83ce68fee69181c
Opcode Fuzzy Hash: c613124ffe8047933fe6889796e7c217bf92a8ce0b0c0f579caa8ea016909555
Instruction Fuzzy Hash: 6F323831A001558BCF28EF2DC4D46BD77A1FF45308F28856AD56ADB2A1D330DE81EB69

Function 00C37920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9c570ce9804feb7066e8672a0b4e4110b048de3974c0f15f8ad6e8c7c48494a
Instruction ID: 99f39b8aa88ad5b87c93271d462084c025984f9bbf2a5636d25bdd582a773279
Opcode Fuzzy Hash: f9c570ce9804feb7066e8672a0b4e4110b048de3974c0f15f8ad6e8c7c48494a
Instruction Fuzzy Hash: 9522C3B0A04609DFDF14CF65C881AAEB7F5FF44300F208629E816E72A1EB75AE55DB50

Function 00C391C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1414e4f88224534ccd907326054359ddfc825ad1477ff208548028126c7155f1
Instruction ID: 41b8aa9b5011852da5ccb5e40b4ae271269796f2f6c9dab7759ef2f658e72c4e
Opcode Fuzzy Hash: 1414e4f88224534ccd907326054359ddfc825ad1477ff208548028126c7155f1
Instruction Fuzzy Hash: 0002D7B1E10205EBCB05DF55D881AAEBBB1FF48300F108169E81A9B290EB71EE55DB95

Function 00C69EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94de0200a4f8b1eea1c05909d982efa8bd802c88eb3b62073f0b015f62aa772e
Instruction ID: 1f790d89480d3f25e874ea2848c21863b7d18efed61fd68bf662a3c114d77f08
Opcode Fuzzy Hash: 94de0200a4f8b1eea1c05909d982efa8bd802c88eb3b62073f0b015f62aa772e
Instruction Fuzzy Hash: 0DB1F120D2AF814DC3239639897133AB75CAFBB6D5F91D31BFC2674D62EB2286834141

Function 00C51C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 93758ad3bdcda92781493b2451fa8ad47a146794c384d18380a89bcbc6290110
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: E99178361080A34ADB2A463A853D67DFFF15A523A371E079DDCF2CA1C1FE109A9CD624

Function 00C51F32 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: c045be2c18bbc86109c754ac0a923c94a4f36e9672c142d43c7cd3f167285ce9
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: 7B9169761090A349DB6D427A847813FFFE15A933A371E079DDCF2CA1C5EE148A9CD624

Function 00C519B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 7437c229923d49a09d93ff438f4f0f2db4b2be0aa85858de6dc20f1adb04ae8a
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 2891667A2090A34ADB2A427A857C13DFFE15A923A331D079DDCF2CA1C1FD14969CE624

Function 00C57A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6f318c20050a19d7bd96bfa08b88bc01cd88272bb019be704881c7cfe4e5a71
Instruction ID: a7a047fe7188a04d4b1c7f164a2fc66da8709257784051b5555166f6c1bd9a3c
Opcode Fuzzy Hash: e6f318c20050a19d7bd96bfa08b88bc01cd88272bb019be704881c7cfe4e5a71
Instruction Fuzzy Hash: 5461773C60830957EE349A28B899BBE2384DF41703F141B19EC53DB281DA11AFCEA35D

Function 00C57CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 491290d893089b78657c299bc054a9f0e07c55325e35fac0a1a47e00b974b6b3
Instruction ID: f6d8344e51e3b0fa874393910b1e7b051b446a5657f1bf36d38d44e2bb5b0774
Opcode Fuzzy Hash: 491290d893089b78657c299bc054a9f0e07c55325e35fac0a1a47e00b974b6b3
Instruction Fuzzy Hash: 7F616D7D2087095ADE344A287856BBF23A4DF41703F100B59EC53DB281EA529FCE925D

Function 00C51706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: bba2e23547b54c75059887c05803c15dab07f668508e812176ee280db6bb9e2c
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 8B81657A5080A309DB29463E853857EFFE15A923A371E079DDCF2CA1C1EE149A9CD624

Function 00CA2046 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18e91d2f2bcec35446d52ee00e4f82563b572145f1a56670e2256e9f96414411
Instruction ID: 0af34ae44d9ea5f02ce21d44717716aeb9b7212aa057300e84f7f6dc497c8e2c
Opcode Fuzzy Hash: 18e91d2f2bcec35446d52ee00e4f82563b572145f1a56670e2256e9f96414411
Instruction Fuzzy Hash: EE21E7322216118BD728CF79C82377E77E5AB54314F14862EE4A7C33D0DE3AAA04CB90

Function 00CB2ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00CB2B30
DeleteObject.GDI32(00000000), ref: 00CB2B43
DestroyWindow.USER32 ref: 00CB2B52
GetDesktopWindow.USER32 ref: 00CB2B6D
GetWindowRect.USER32(00000000), ref: 00CB2B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00CB2CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00CB2CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CB2CF8
GetClientRect.USER32(00000000,?), ref: 00CB2D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00CB2D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CB2D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CB2D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CB2D80
GlobalLock.KERNEL32(00000000), ref: 00CB2D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CB2D98
GlobalUnlock.KERNEL32(00000000), ref: 00CB2DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CB2DA8
GlobalFree.KERNEL32(00000000), ref: 00CB2DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CB2DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,00CCFC38,00000000), ref: 00CB2DDB
GlobalFree.KERNEL32(00000000), ref: 00CB2DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00CB2E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00CB2E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CB2E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CB303F

Strings

DISPLAY, xrefs: 00CB2EA2
AutoIt v3, xrefs: 00CB2CF2
, xrefs: 00CB2FC5
static, xrefs: 00CB2D3A, 00CB2E91

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 635ec1e4683893c236f2dd53ac1b6c41672dfaebddab3fd9f07188207011c8bd
Instruction ID: 6cebde7c9baeb297aec7842ad268323151d1850fa1831b9c4f4042cfab5ad802
Opcode Fuzzy Hash: 635ec1e4683893c236f2dd53ac1b6c41672dfaebddab3fd9f07188207011c8bd
Instruction Fuzzy Hash: 82025975900219AFDB14DFA4CD89FAE7BB9EF48311F048158F919AB2A1CB74ED01CB60

Function 00CC70D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00CC712F
GetSysColorBrush.USER32(0000000F), ref: 00CC7160
GetSysColor.USER32(0000000F), ref: 00CC716C
SetBkColor.GDI32(?,000000FF), ref: 00CC7186
SelectObject.GDI32(?,?), ref: 00CC7195
InflateRect.USER32(?,000000FF,000000FF), ref: 00CC71C0
GetSysColor.USER32(00000010), ref: 00CC71C8
CreateSolidBrush.GDI32(00000000), ref: 00CC71CF
FrameRect.USER32(?,?,00000000), ref: 00CC71DE
DeleteObject.GDI32(00000000), ref: 00CC71E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00CC7230
FillRect.USER32(?,?,?), ref: 00CC7262
GetWindowLongW.USER32(?,000000F0), ref: 00CC7284

Part of subcall function 00CC73E8: GetSysColor.USER32(00000012), ref: 00CC7421
Part of subcall function 00CC73E8: SetTextColor.GDI32(?,?), ref: 00CC7425
Part of subcall function 00CC73E8: GetSysColorBrush.USER32(0000000F), ref: 00CC743B
Part of subcall function 00CC73E8: GetSysColor.USER32(0000000F), ref: 00CC7446
Part of subcall function 00CC73E8: GetSysColor.USER32(00000011), ref: 00CC7463
Part of subcall function 00CC73E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00CC7471
Part of subcall function 00CC73E8: SelectObject.GDI32(?,00000000), ref: 00CC7482
Part of subcall function 00CC73E8: SetBkColor.GDI32(?,00000000), ref: 00CC748B
Part of subcall function 00CC73E8: SelectObject.GDI32(?,?), ref: 00CC7498
Part of subcall function 00CC73E8: InflateRect.USER32(?,000000FF,000000FF), ref: 00CC74B7
Part of subcall function 00CC73E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00CC74CE
Part of subcall function 00CC73E8: GetWindowLongW.USER32(00000000,000000F0), ref: 00CC74DB

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: bd4a030887e88cca5d68decb3ae1a4c5ac11c6c9bd44417262e4db80f799adae
Instruction ID: 5101c1bc06ac51c53b4f8e58ce2206f6ed38b1d135b2964ae64a90ad2a5bcd76
Opcode Fuzzy Hash: bd4a030887e88cca5d68decb3ae1a4c5ac11c6c9bd44417262e4db80f799adae
Instruction Fuzzy Hash: D9A18B72408301AFDB009F60DC88F6EBBA9FB89320F140B19F96A961A1D771E9459F51

Function 00C48D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00C48E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00C86AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00C86AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00C86F43

Part of subcall function 00C48F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00C48BE8,?,00000000,?,?,?,?,00C48BBA,00000000,?), ref: 00C48FC5

SendMessageW.USER32(?,00001053), ref: 00C86F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00C86F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00C86FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00C86FB7

Strings

0, xrefs: 00C86DCF

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: 0d2780e7a0b86c73ca8c1c1e5975c9d39e008148d8505772cff2b370b9316db7
Instruction ID: 31dd32c46c004166cf5eebb317a8b9a0088106a95ca7b8bc6fe06188e3f3e733
Opcode Fuzzy Hash: 0d2780e7a0b86c73ca8c1c1e5975c9d39e008148d8505772cff2b370b9316db7
Instruction Fuzzy Hash: 9012DF38600201EFDB25EF24D884BAAB7E1FB44308F144469F5A9CB661CB31ED96DF95

Function 00CB2711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00CB273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00CB286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 00CB28A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00CB28B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00CB2900
GetClientRect.USER32(00000000,?), ref: 00CB290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00CB2955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00CB2964
GetStockObject.GDI32(00000011), ref: 00CB2974
SelectObject.GDI32(00000000,00000000), ref: 00CB2978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00CB2988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00CB2991
DeleteDC.GDI32(00000000), ref: 00CB299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00CB29C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 00CB29DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00CB2A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00CB2A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00CB2A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00CB2A77
GetStockObject.GDI32(00000011), ref: 00CB2A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00CB2A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00CB2A97

Strings

DISPLAY, xrefs: 00CB295A
msctls_progress32, xrefs: 00CB2A13
AutoIt v3, xrefs: 00CB28F8
static, xrefs: 00CB294F, 00CB2A71

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: e88b14bc90707006d071f30873d501f79aba64d1b1a4810584c256af9406dcb4
Instruction ID: 9054f189cf9bb734ffd3f25c44ea9790bb842978c3331234f6bef34dcd8dea5b
Opcode Fuzzy Hash: e88b14bc90707006d071f30873d501f79aba64d1b1a4810584c256af9406dcb4
Instruction Fuzzy Hash: BFB14E75A10215AFEB14DFA9CC89FAE7BA9EB48710F004215F919E7290DB74ED40CBA4

Function 00CA4ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00CA4AED
GetDriveTypeW.KERNEL32(?,00CCCB68,?,\\.\,00CCCC08), ref: 00CA4BCA
SetErrorMode.KERNEL32(00000000,00CCCB68,?,\\.\,00CCCC08), ref: 00CA4D36

Strings

SCSI, xrefs: 00CA4C8A
USB, xrefs: 00CA4CB4
SSD, xrefs: 00CA4C4A
ATA, xrefs: 00CA4C98
MMC, xrefs: 00CA4CDE
1394, xrefs: 00CA4C9F
ATAPI, xrefs: 00CA4C91
Network, xrefs: 00CA4C02
Fibre, xrefs: 00CA4CAD
Unknown, xrefs: 00CA4BED, 00CA4C83
RAID, xrefs: 00CA4CBB
SSA, xrefs: 00CA4CA6
iSCSI, xrefs: 00CA4CC2
CDROM, xrefs: 00CA4BFB
SAS, xrefs: 00CA4CC9
\\.\, xrefs: 00CA4B3F
PhysicalDrive, xrefs: 00CA4B76
FileBackedVirtual, xrefs: 00CA4CEC
Removable, xrefs: 00CA4C10, 00CA4C15
RAMDisk, xrefs: 00CA4BF4
Fixed, xrefs: 00CA4C09
SATA, xrefs: 00CA4CD0
Virtual, xrefs: 00CA4CE5

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: c2d0d99a98d57218e1c1537e9d78431cae42350f317c0eb87aee2b5108af1d10
Instruction ID: cadd76c1e48a61d4bfff32810608a569ba8f43d407bbea03b51c8ed99cb24cfd
Opcode Fuzzy Hash: c2d0d99a98d57218e1c1537e9d78431cae42350f317c0eb87aee2b5108af1d10
Instruction Fuzzy Hash: EE61C43060520BDBCB4CDF25CA81D7C77B0EB8635CB248425F90AAB691DBB1DE41EB52

Function 00CC73E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00CC7421
SetTextColor.GDI32(?,?), ref: 00CC7425
GetSysColorBrush.USER32(0000000F), ref: 00CC743B
GetSysColor.USER32(0000000F), ref: 00CC7446
CreateSolidBrush.GDI32(?), ref: 00CC744B
GetSysColor.USER32(00000011), ref: 00CC7463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00CC7471
SelectObject.GDI32(?,00000000), ref: 00CC7482
SetBkColor.GDI32(?,00000000), ref: 00CC748B
SelectObject.GDI32(?,?), ref: 00CC7498
InflateRect.USER32(?,000000FF,000000FF), ref: 00CC74B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00CC74CE
GetWindowLongW.USER32(00000000,000000F0), ref: 00CC74DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00CC752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00CC7554
InflateRect.USER32(?,000000FD,000000FD), ref: 00CC7572
DrawFocusRect.USER32(?,?), ref: 00CC757D
GetSysColor.USER32(00000011), ref: 00CC758E
SetTextColor.GDI32(?,00000000), ref: 00CC7596
DrawTextW.USER32(?,00CC70F5,000000FF,?,00000000), ref: 00CC75A8
SelectObject.GDI32(?,?), ref: 00CC75BF
DeleteObject.GDI32(?), ref: 00CC75CA
SelectObject.GDI32(?,?), ref: 00CC75D0
DeleteObject.GDI32(?), ref: 00CC75D5
SetTextColor.GDI32(?,?), ref: 00CC75DB
SetBkColor.GDI32(?,?), ref: 00CC75E5

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: b6fcb763afe55e36d2d7f53680e1308782819a95f09f54b70a623bb466f3b255
Instruction ID: dd2ff192614e34f33b1cc0d4566f3db5828cc1d24cb62a813b1d31cba26d364e
Opcode Fuzzy Hash: b6fcb763afe55e36d2d7f53680e1308782819a95f09f54b70a623bb466f3b255
Instruction Fuzzy Hash: 23613B72904218AFDF019FA4DC89FEEBFB9EB08320F154215F915AB2A1D7759A40DF90

Function 00CC0FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00CC1128
GetDesktopWindow.USER32 ref: 00CC113D
GetWindowRect.USER32(00000000), ref: 00CC1144
GetWindowLongW.USER32(?,000000F0), ref: 00CC1199
DestroyWindow.USER32(?), ref: 00CC11B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00CC11ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00CC120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00CC121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00CC1232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00CC1245
IsWindowVisible.USER32(00000000), ref: 00CC12A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 00CC12BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 00CC12D0
GetWindowRect.USER32(00000000,?), ref: 00CC12E8
MonitorFromPoint.USER32(?,?,00000002), ref: 00CC130E
GetMonitorInfoW.USER32(00000000,?), ref: 00CC1328
CopyRect.USER32(?,?), ref: 00CC133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 00CC13AA

Strings

(, xrefs: 00CC131B
tooltips_class32, xrefs: 00CC11E6
0, xrefs: 00CC10D3

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 56f8a30a3e3c9f0a0535b36e05a32da034616b68eacd501ce1585f95a4f60f15
Instruction ID: 9f3d35d78ef0d77ec14900378caf231cb2d21ac72a189f33305bb5ddc2832f85
Opcode Fuzzy Hash: 56f8a30a3e3c9f0a0535b36e05a32da034616b68eacd501ce1585f95a4f60f15
Instruction Fuzzy Hash: E2B18871608341AFD710DF65C884F6EBBE4EF89314F04891CF9999B2A2C771E845DB92

Function 00C48891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00C48968
GetSystemMetrics.USER32(00000007), ref: 00C48970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00C4899B
GetSystemMetrics.USER32(00000008), ref: 00C489A3
GetSystemMetrics.USER32(00000004), ref: 00C489C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00C489E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00C489F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00C48A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00C48A3C
GetClientRect.USER32(00000000,000000FF), ref: 00C48A5A
GetStockObject.GDI32(00000011), ref: 00C48A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00C48A81

Part of subcall function 00C4912D: GetCursorPos.USER32(?), ref: 00C49141
Part of subcall function 00C4912D: ScreenToClient.USER32(00000000,?), ref: 00C4915E
Part of subcall function 00C4912D: GetAsyncKeyState.USER32(00000001), ref: 00C49183
Part of subcall function 00C4912D: GetAsyncKeyState.USER32(00000002), ref: 00C4919D

SetTimer.USER32(00000000,00000000,00000028,00C490FC), ref: 00C48AA8

Strings

AutoIt v3 GUI, xrefs: 00C48A20

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 683ee98a772c8cd5a311f81a2ff9ee6bb3ed70eb5b68c7450c06bc11c0967e2c
Instruction ID: 4a6f14506e080131aad5e3064fc4186a79f556866b72c38f47c378dd709cb509
Opcode Fuzzy Hash: 683ee98a772c8cd5a311f81a2ff9ee6bb3ed70eb5b68c7450c06bc11c0967e2c
Instruction Fuzzy Hash: 94B17B35A00209AFDB14DFA8DC85FAE3BB5FB48314F104229FA19E7290DB74A941CF65

Function 00C90D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C910F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00C91114
Part of subcall function 00C910F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00C90B9B,?,?,?), ref: 00C91120
Part of subcall function 00C910F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00C90B9B,?,?,?), ref: 00C9112F
Part of subcall function 00C910F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00C90B9B,?,?,?), ref: 00C91136
Part of subcall function 00C910F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00C9114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00C90DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00C90E29
GetLengthSid.ADVAPI32(?), ref: 00C90E40
GetAce.ADVAPI32(?,00000000,?), ref: 00C90E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00C90E96
GetLengthSid.ADVAPI32(?), ref: 00C90EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00C90EB5
HeapAlloc.KERNEL32(00000000), ref: 00C90EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00C90EDD
CopySid.ADVAPI32(00000000), ref: 00C90EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00C90F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00C90F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00C90F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C90F6E
HeapFree.KERNEL32(00000000), ref: 00C90F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C90F7E
HeapFree.KERNEL32(00000000), ref: 00C90F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C90F8E
HeapFree.KERNEL32(00000000), ref: 00C90F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00C90FA1
HeapFree.KERNEL32(00000000), ref: 00C90FA8

Part of subcall function 00C91193: GetProcessHeap.KERNEL32(00000008,00C90BB1,?,00000000,?,00C90BB1,?), ref: 00C911A1
Part of subcall function 00C91193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00C90BB1,?), ref: 00C911A8
Part of subcall function 00C91193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00C90BB1,?), ref: 00C911B7

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: a6c3e9dbf80e52bd969c5749c62dd5df4bf75261c9fb003e23ef2aeddb67ddef
Instruction ID: c2e5371e303c79f073a1beab75f27eae9ee390506ecabe8d8fa281b0d4112f9e
Opcode Fuzzy Hash: a6c3e9dbf80e52bd969c5749c62dd5df4bf75261c9fb003e23ef2aeddb67ddef
Instruction Fuzzy Hash: 9F71597290020AAFDF20DFA5DC89FAEBBB8FF05301F244115F969A6191D731DA15CB60

Function 00CBC3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00CBC4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,00CCCC08,00000000,?,00000000,?,?), ref: 00CBC544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 00CBC5A4
_wcslen.LIBCMT ref: 00CBC5F4
_wcslen.LIBCMT ref: 00CBC66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 00CBC6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 00CBC7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 00CBC84D
RegCloseKey.ADVAPI32(?), ref: 00CBC881
RegCloseKey.ADVAPI32(00000000), ref: 00CBC88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 00CBC960

Strings

REG_QWORD, xrefs: 00CBC8C3
REG_MULTI_SZ, xrefs: 00CBC6F5
REG_DWORD, xrefs: 00CBC804
REG_BINARY, xrefs: 00CBC913
REG_SZ, xrefs: 00CBC644
REG_EXPAND_SZ, xrefs: 00CBC5CD

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 3a5fe882e1e4ba221648093526c9a76e2c783d170a8da4977232572d8cc9e41a
Instruction ID: e2134fb8216e4bd626afbe9d5d0bcf1c48ca0380f6b683c1a6f93e6c0e99bf09
Opcode Fuzzy Hash: 3a5fe882e1e4ba221648093526c9a76e2c783d170a8da4977232572d8cc9e41a
Instruction Fuzzy Hash: B21277756042019FDB24DF24C881F6AB7E5EF88714F04895DF89A9B3A2DB31ED41DB81

Function 00CC091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00CC09C6
_wcslen.LIBCMT ref: 00CC0A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00CC0A54
_wcslen.LIBCMT ref: 00CC0A8A
_wcslen.LIBCMT ref: 00CC0B06
_wcslen.LIBCMT ref: 00CC0B81

Part of subcall function 00C4F9F2: _wcslen.LIBCMT ref: 00C4F9FD

Part of subcall function 00C92BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00C92BFA

Strings

GETTEXT, xrefs: 00CC0C97
COLLAPSE, xrefs: 00CC0B01, 00CC0B1C
SELECT, xrefs: 00CC0D11
ISCHECKED, xrefs: 00CC0CE1
CHECK, xrefs: 00CC0A85, 00CC0AA0
EXPAND, xrefs: 00CC0BF8
GETTOTALCOUNT, xrefs: 00CC09F2, 00CC0A17
EXISTS, xrefs: 00CC0B7C, 00CC0B97
GETSELECTED, xrefs: 00CC0C4E
GETITEMCOUNT, xrefs: 00CC0C1E
UNCHECK, xrefs: 00CC0D3E

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 84f06513cb091a455e23d28e2d0b4d188075f3e19108142227ac2f8c38b26eff
Instruction ID: 11386db4f2bf1042fbfb3f3e11522feb4bab24b2255985b349f6569000074858
Opcode Fuzzy Hash: 84f06513cb091a455e23d28e2d0b4d188075f3e19108142227ac2f8c38b26eff
Instruction Fuzzy Hash: 86E17975208301DFCB14DF29C451A2AB7E1BF98314F25895CF8A69B3A2D731EE45DB82

Function 00CBC998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00CBB6AE,?,?), ref: 00CBC9B5
_wcslen.LIBCMT ref: 00CBC9F1
_wcslen.LIBCMT ref: 00CBCA68
_wcslen.LIBCMT ref: 00CBCA9E
_wcslen.LIBCMT ref: 00CBCAF9
_wcslen.LIBCMT ref: 00CBCB2F
_wcslen.LIBCMT ref: 00CBCB7F

Strings

HKEY_CURRENT_USER, xrefs: 00CBCBBD
HKCC, xrefs: 00CBCBAC
HKLM, xrefs: 00CBCA98, 00CBCA9D
HKU, xrefs: 00CBCBF0
HKEY_CURRENT_CONFIG, xrefs: 00CBCB79, 00CBCB7E
HKCU, xrefs: 00CBCBCE
HKCR, xrefs: 00CBCB29, 00CBCB2E
HKEY_LOCAL_MACHINE, xrefs: 00CBCA62, 00CBCA67
HKEY_CLASSES_ROOT, xrefs: 00CBCAF3, 00CBCAF8
HKEY_USERS, xrefs: 00CBCBDF

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 469913f197a9500db99b9d9f723ebcc67d011b3e11173b4d4153ea324608358f
Instruction ID: 7cc5d0b57ea01649b4bdd3cc86bce7bf9af79095d20dfdcb05307527f8695374
Opcode Fuzzy Hash: 469913f197a9500db99b9d9f723ebcc67d011b3e11173b4d4153ea324608358f
Instruction Fuzzy Hash: 9871E53261012A8BCF20DF7DCDD16FF3795AB60754F250529FC66AB284E631CE85A3A1

Function 00CC833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00CC835A
_wcslen.LIBCMT ref: 00CC836E
_wcslen.LIBCMT ref: 00CC8391
_wcslen.LIBCMT ref: 00CC83B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00CC83F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,00CC361A,?), ref: 00CC844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00CC8487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00CC84CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00CC8501
FreeLibrary.KERNEL32(?), ref: 00CC850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00CC851D
DestroyIcon.USER32(?), ref: 00CC852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00CC8549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00CC8555

Strings

.exe, xrefs: 00CC8388
.icl, xrefs: 00CC8368
.dll, xrefs: 00CC83AB

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: e3f6dc8ff0c469a3d13eff0e09aa687a833390c56e206ba7f5e5e11633c340d7
Instruction ID: 5203741b909b12f6caa056c8c2acaf1bd56b4c8d4ec01d5dd403a17e5ad23da0
Opcode Fuzzy Hash: e3f6dc8ff0c469a3d13eff0e09aa687a833390c56e206ba7f5e5e11633c340d7
Instruction Fuzzy Hash: D461D071940219BEEB18DF64CC81FBF77A8BB08711F10460AF925D60D1DBB4AA94DBA0

Function 00C37778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

Unterminated group of comments, xrefs: 00C7528C
#requireadmin, xrefs: 00C377FF
#pragma compile, xrefs: 00C377D3
", xrefs: 00C75153
#comments-start, xrefs: 00C3785F, 00C378B1
#include-once, xrefs: 00C3782F
#ce, xrefs: 00C378ED
#OnAutoItStartRegister, xrefs: 00C37817
#comments-end, xrefs: 00C378D9
', xrefs: 00C75169
#include, xrefs: 00C37847
Cannot parse #include, xrefs: 00C75279
#cs, xrefs: 00C37873, 00C378C5
Bad directive syntax error, xrefs: 00C7519A
#notrayicon, xrefs: 00C377E7

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: f28ca60f362bcc937ffc896f19cac551737231da7f322cfcdb24c3035ea78c64
Instruction ID: 6a9f4a18636b5f8bd5a7f700428570c447515f378418e211d61a0fdf4723834c
Opcode Fuzzy Hash: f28ca60f362bcc937ffc896f19cac551737231da7f322cfcdb24c3035ea78c64
Instruction Fuzzy Hash: 5D81F7B1A14605BBDF21AF60CC43FAE37B9AF15300F044128F919BA192EBB0DA55D791

Function 00CA3E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00CA3EF8
_wcslen.LIBCMT ref: 00CA3F03
_wcslen.LIBCMT ref: 00CA3F5A
_wcslen.LIBCMT ref: 00CA3F98
GetDriveTypeW.KERNEL32(?), ref: 00CA3FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00CA401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00CA4059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00CA4087

Strings

close cd wait, xrefs: 00CA4072
close, xrefs: 00CA3EFE, 00CA3F18
set cd door , xrefs: 00CA4028
closed, xrefs: 00CA3F08, 00CA3F2D, 00CA3F46, 00CA3F7E, 00CA3F97
open , xrefs: 00CA3FE5
wait, xrefs: 00CA4044
type cdaudio alias cd wait, xrefs: 00CA4001
open, xrefs: 00CA3F54, 00CA3F59

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: d391b67710b1b969cd68da86d2fe955d079292079957041ebcffb79aad172026
Instruction ID: 2cc481fdd57dd083008584df9fbf4af4c8025b46b57e72a1f35ad009c1276116
Opcode Fuzzy Hash: d391b67710b1b969cd68da86d2fe955d079292079957041ebcffb79aad172026
Instruction Fuzzy Hash: 737102726142029FC710EF24C89187EB7F4EF95758F10492DF9A6932A1EB30EE45DB92

Function 00C95A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00C95A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00C95A40
SetWindowTextW.USER32(?,?), ref: 00C95A57
GetDlgItem.USER32(?,000003EA), ref: 00C95A6C
SetWindowTextW.USER32(00000000,?), ref: 00C95A72
GetDlgItem.USER32(?,000003E9), ref: 00C95A82
SetWindowTextW.USER32(00000000,?), ref: 00C95A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00C95AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00C95AC3
GetWindowRect.USER32(?,?), ref: 00C95ACC
_wcslen.LIBCMT ref: 00C95B33
SetWindowTextW.USER32(?,?), ref: 00C95B6F
GetDesktopWindow.USER32 ref: 00C95B75
GetWindowRect.USER32(00000000), ref: 00C95B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00C95BD3
GetClientRect.USER32(?,?), ref: 00C95BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00C95C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00C95C2F

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 6d05d8ee6bf140cb1e6eb764f78fb797a6547f909143821014949f402c5e4166
Instruction ID: a4f4cb3037d4bdb7504dd43a6886a1b979323dfeabe8da0e404999edffe53442
Opcode Fuzzy Hash: 6d05d8ee6bf140cb1e6eb764f78fb797a6547f909143821014949f402c5e4166
Instruction Fuzzy Hash: 26716A31900B09AFDF21DFA9CE89FAEBBF5FF48704F104518E596A25A0D775AA40CB50

Function 00CAFE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 00CAFE27
LoadCursorW.USER32(00000000,00007F8A), ref: 00CAFE32
LoadCursorW.USER32(00000000,00007F00), ref: 00CAFE3D
LoadCursorW.USER32(00000000,00007F03), ref: 00CAFE48
LoadCursorW.USER32(00000000,00007F8B), ref: 00CAFE53
LoadCursorW.USER32(00000000,00007F01), ref: 00CAFE5E
LoadCursorW.USER32(00000000,00007F81), ref: 00CAFE69
LoadCursorW.USER32(00000000,00007F88), ref: 00CAFE74
LoadCursorW.USER32(00000000,00007F80), ref: 00CAFE7F
LoadCursorW.USER32(00000000,00007F86), ref: 00CAFE8A
LoadCursorW.USER32(00000000,00007F83), ref: 00CAFE95
LoadCursorW.USER32(00000000,00007F85), ref: 00CAFEA0
LoadCursorW.USER32(00000000,00007F82), ref: 00CAFEAB
LoadCursorW.USER32(00000000,00007F84), ref: 00CAFEB6
LoadCursorW.USER32(00000000,00007F04), ref: 00CAFEC1
LoadCursorW.USER32(00000000,00007F02), ref: 00CAFECC
GetCursorInfo.USER32(?), ref: 00CAFEDC
GetLastError.KERNEL32 ref: 00CAFF1E

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 4cf43d7c8290e2657dd4c4aefb7f23c709008f6b02554eb86c07cf972f9c02a0
Instruction ID: cbc499ca9500d3a0e4751d30ff4de4fd323edc58e79fcc400a02bbabcbc89069
Opcode Fuzzy Hash: 4cf43d7c8290e2657dd4c4aefb7f23c709008f6b02554eb86c07cf972f9c02a0
Instruction Fuzzy Hash: F14151B0D0431A6EDB109FBA8C89D5EBFE8FF05354B54452AE11DE7281DB78A9018F91

Function 00C500C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 00C500C6

Part of subcall function 00C500ED: InitializeCriticalSectionAndSpinCount.KERNEL32(00D0070C,00000FA0,E4E34767,?,?,?,?,00C723B3,000000FF), ref: 00C5011C
Part of subcall function 00C500ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,00C723B3,000000FF), ref: 00C50127
Part of subcall function 00C500ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,00C723B3,000000FF), ref: 00C50138
Part of subcall function 00C500ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 00C5014E
Part of subcall function 00C500ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00C5015C
Part of subcall function 00C500ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00C5016A
Part of subcall function 00C500ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00C50195
Part of subcall function 00C500ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00C501A0

___scrt_fastfail.LIBCMT ref: 00C500E7

Part of subcall function 00C500A3: __onexit.LIBCMT ref: 00C500A9

Strings

api-ms-win-core-synch-l1-2-0.dll, xrefs: 00C50122
InitializeConditionVariable, xrefs: 00C50148
WakeAllConditionVariable, xrefs: 00C50162
kernel32.dll, xrefs: 00C50133
SleepConditionVariableCS, xrefs: 00C50154

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 50fd9eee3b083fa8cbb3a74cb94fa06dbeeb8fc44ef2de8e4e689b1d8e4ac081
Instruction ID: 4f34280b2d806b6c25027bc8bcfbf1ab8989643a1ce79c7b09b5aa032a4d63d3
Opcode Fuzzy Hash: 50fd9eee3b083fa8cbb3a74cb94fa06dbeeb8fc44ef2de8e4e689b1d8e4ac081
Instruction Fuzzy Hash: 3B21F637A44B106FE7115F64EC46F6E3794EB44B62F24013EFC0AE22D1DF7498858AA9

Function 00C930F7 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00C9318D
_wcslen.LIBCMT ref: 00C931F8

Strings

NAME, xrefs: 00C93335, 00C93346
CLASSNN, xrefs: 00C931F3, 00C93204
CLASS, xrefs: 00C93188, 00C931A5
REGEXPCLASS, xrefs: 00C93255, 00C93266
TEXT, xrefs: 00C9347C
INSTANCE, xrefs: 00C93453

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: d8f735499af96bb13076370ffe81d2b8986626fb3c2415605498672b0e7bb044
Instruction ID: 8a29a8d34c8af82206c5af37a696e839060b87af08869c0b0c46b5082daac922
Opcode Fuzzy Hash: d8f735499af96bb13076370ffe81d2b8986626fb3c2415605498672b0e7bb044
Instruction Fuzzy Hash: ABE11532A00556ABCF189FB8C8497FEFBB0BF44710F558129E966B7250DB30AF859790

Function 00CA44C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,00CCCC08), ref: 00CA4527
_wcslen.LIBCMT ref: 00CA453B
_wcslen.LIBCMT ref: 00CA4599
_wcslen.LIBCMT ref: 00CA45F4
_wcslen.LIBCMT ref: 00CA463F
_wcslen.LIBCMT ref: 00CA46A7

Part of subcall function 00C4F9F2: _wcslen.LIBCMT ref: 00C4F9FD

GetDriveTypeW.KERNEL32(?,00CF6BF0,00000061), ref: 00CA4743

Strings

ramdisk, xrefs: 00CA46F1
cdrom, xrefs: 00CA458F, 00CA4594
network, xrefs: 00CA469D, 00CA46A2
all, xrefs: 00CA4531, 00CA4536
unknown, xrefs: 00CA4708
fixed, xrefs: 00CA4635, 00CA463A
removable, xrefs: 00CA45EA, 00CA45EF

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 692e3f0ae7898b6c794ca578b6d2d42687f533bd562fdd449951804b8f0580d4
Instruction ID: 2d6a901c19548e8eb16380eea132014eb7ecdf774c494a155e1f8fddc7d7480b
Opcode Fuzzy Hash: 692e3f0ae7898b6c794ca578b6d2d42687f533bd562fdd449951804b8f0580d4
Instruction Fuzzy Hash: 6EB101716083029FC718DF28C890A6EB7E5AFE6728F10491DF4A6C7291D7B0DA44CB52

Function 00CB3FE9 Relevance: 23.2, APIs: 11, Strings: 2, Instructions: 478libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00CCCC08), ref: 00CB40BB
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00CB40CD
GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,00CCCC08), ref: 00CB40F2
FreeLibrary.KERNEL32(00000000,?,00CCCC08), ref: 00CB413E
StringFromGUID2.OLE32(?,?,00000028,?,00CCCC08), ref: 00CB41A8
SysFreeString.OLEAUT32(00000009), ref: 00CB4262
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00CB42C8
SysFreeString.OLEAUT32(?), ref: 00CB42F2

Strings

kernel32.dll, xrefs: 00CB40B6
GetModuleHandleExW, xrefs: 00CB40C7

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 354098117-199464113
Opcode ID: c8bd07759afaa24fcade4976c849396509d7b56c9bf6d38b5ac4e224deaec622
Instruction ID: d6ca829cb8234db067a1b1c1e9f0610b7534433fab4a9874e47aa350568d50df
Opcode Fuzzy Hash: c8bd07759afaa24fcade4976c849396509d7b56c9bf6d38b5ac4e224deaec622
Instruction Fuzzy Hash: 4D125B71A04115EFDB18DF94C884EAEB7B9FF45314F248098E9199B252C731EE46CFA0

Function 00C3326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00D01990), ref: 00C72F8D
GetMenuItemCount.USER32(00D01990), ref: 00C7303D
GetCursorPos.USER32(?), ref: 00C73081
SetForegroundWindow.USER32(00000000), ref: 00C7308A
TrackPopupMenuEx.USER32(00D01990,00000000,?,00000000,00000000,00000000), ref: 00C7309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00C730A9

Strings

0, xrefs: 00C3327D

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 86e1210e16a2be5542413234f31da9bfd8810f0fc3b377dd81d641aff786c6e3
Instruction ID: 7ac9067b95b6bc76d64000c9ebb7fc3ec99d50a7217f553951810b15d77947fb
Opcode Fuzzy Hash: 86e1210e16a2be5542413234f31da9bfd8810f0fc3b377dd81d641aff786c6e3
Instruction Fuzzy Hash: DC712A30644255BFEB219F65CC89F9ABF64FF04364F208216F52CAA1E1C7B1AE10E750

Function 00CC6CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 00CC6DEB

Part of subcall function 00C36B57: _wcslen.LIBCMT ref: 00C36B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00CC6E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00CC6E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00CC6E94
DestroyWindow.USER32(?), ref: 00CC6EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00C30000,00000000), ref: 00CC6EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00CC6EFD
GetDesktopWindow.USER32 ref: 00CC6F16
GetWindowRect.USER32(00000000), ref: 00CC6F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00CC6F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00CC6F4D

Part of subcall function 00C49944: GetWindowLongW.USER32(?,000000EB), ref: 00C49952

Strings

0, xrefs: 00CC6D98
tooltips_class32, xrefs: 00CC6E58, 00CC6EDD

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: c99b5b4ac5dd3bee9d8219a25d8ab36bd76fe9c489a7d56a5970c0d58103aad6
Instruction ID: 76ee9ebe49d5602eaa908c164c00e03a62e4af4289d5797065fa148244d38cbd
Opcode Fuzzy Hash: c99b5b4ac5dd3bee9d8219a25d8ab36bd76fe9c489a7d56a5970c0d58103aad6
Instruction Fuzzy Hash: 42715674104344AFDB21CF58D988FAABBE9FF89304F04041EF9A987261C770AA46DF11

Function 00CC911E Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00C49BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00C49BB2

DragQueryPoint.SHELL32(?,?), ref: 00CC9147

Part of subcall function 00CC7674: ClientToScreen.USER32(?,?), ref: 00CC769A
Part of subcall function 00CC7674: GetWindowRect.USER32(?,?), ref: 00CC7710
Part of subcall function 00CC7674: PtInRect.USER32(?,?,00CC8B89), ref: 00CC7720

SendMessageW.USER32(?,000000B0,?,?), ref: 00CC91B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00CC91BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00CC91DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00CC9225
SendMessageW.USER32(?,000000B0,?,?), ref: 00CC923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00CC9255
SendMessageW.USER32(?,000000B1,?,?), ref: 00CC9277
DragFinish.SHELL32(?), ref: 00CC927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00CC9371

Strings

@GUI_DRAGID, xrefs: 00CC92E9
@GUI_DRAGFILE, xrefs: 00CC9320
@GUI_DROPID, xrefs: 00CC929E

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 221274066-3440237614
Opcode ID: 7c011850c6b0d6f1f58ee4c0b1f87c4eef0cf093adb5cffc5ef7bda533026bb0
Instruction ID: 020658d3686902dbb057d85b468db9b898940ee03f963e76476b107bc2069cb5
Opcode Fuzzy Hash: 7c011850c6b0d6f1f58ee4c0b1f87c4eef0cf093adb5cffc5ef7bda533026bb0
Instruction Fuzzy Hash: E6614B71108301AFD705DF64DC89EAFBBE8EF89750F00092EF595932A1DB709A49DB62

Function 00CAC476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00CAC4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00CAC4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00CAC4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00CAC4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 00CAC533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00CAC549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00CAC554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00CAC584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00CAC5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00CAC5F0
InternetCloseHandle.WININET(00000000), ref: 00CAC5FB

Strings

, xrefs: 00CAC575

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 6bc194396b1d907f85e3dac418b55320342b7ef98b0fb36b07d7345bf54ba828
Instruction ID: e89be8476363def0bf6cc2548e9988027c9a9a1bcc68e3ecbe9994ad5bf2dc87
Opcode Fuzzy Hash: 6bc194396b1d907f85e3dac418b55320342b7ef98b0fb36b07d7345bf54ba828
Instruction Fuzzy Hash: E9513BB1500606BFDB219F65C9C8BAA7BFCEF09758F004419F95AD6610DB34EA44AB60

Function 00CC856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 00CC8592
GetFileSize.KERNEL32(00000000,00000000), ref: 00CC85A2
GlobalAlloc.KERNEL32(00000002,00000000), ref: 00CC85AD
CloseHandle.KERNEL32(00000000), ref: 00CC85BA
GlobalLock.KERNEL32(00000000), ref: 00CC85C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00CC85D7
GlobalUnlock.KERNEL32(00000000), ref: 00CC85E0
CloseHandle.KERNEL32(00000000), ref: 00CC85E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00CC85F8
OleLoadPicture.OLEAUT32(?,00000000,00000000,00CCFC38,?), ref: 00CC8611
GlobalFree.KERNEL32(00000000), ref: 00CC8621
GetObjectW.GDI32(?,00000018,000000FF), ref: 00CC8641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00CC8671
DeleteObject.GDI32(00000000), ref: 00CC8699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00CC86AF

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 0a385d8aac2545fda91704f6cbc65997a9e2a1d337947c049f7a70ac2631d049
Instruction ID: cf242096906c706a3e61995bfd5c5b7ecd9ae719addf02f72892983c59729dd8
Opcode Fuzzy Hash: 0a385d8aac2545fda91704f6cbc65997a9e2a1d337947c049f7a70ac2631d049
Instruction Fuzzy Hash: ED41F975600204AFDB119FA5DC88FAF7BB8FF89B11F144059F919E7260DB709A05DB60

Function 00CA14BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00CA1502
VariantCopy.OLEAUT32(?,?), ref: 00CA150B
VariantClear.OLEAUT32(?), ref: 00CA1517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00CA15FB
VarR8FromDec.OLEAUT32(?,?), ref: 00CA1657
VariantInit.OLEAUT32(?), ref: 00CA1708
SysFreeString.OLEAUT32(?), ref: 00CA178C
VariantClear.OLEAUT32(?), ref: 00CA17D8
VariantClear.OLEAUT32(?), ref: 00CA17E7
VariantInit.OLEAUT32(00000000), ref: 00CA1823

Strings

Default, xrefs: 00CA16AF
%4d%02d%02d%02d%02d%02d, xrefs: 00CA1625

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: a383ba8f1b3d8cd37c47c96d85e79eaa2009eafc04e1edcd24dfe9de0cf6f74d
Instruction ID: 7b9ced0b221c57a45316895c3523fbe373e255a57bbfd81c88b8adcc7e02c802
Opcode Fuzzy Hash: a383ba8f1b3d8cd37c47c96d85e79eaa2009eafc04e1edcd24dfe9de0cf6f74d
Instruction Fuzzy Hash: 5CD10131E0051AEBDB00DFA6D895B7DB7B5BF46708F18805AF846AB190DB30DD41EB61

Function 00CBB60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00C39CB3: _wcslen.LIBCMT ref: 00C39CBD

Part of subcall function 00CBC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00CBB6AE,?,?), ref: 00CBC9B5
Part of subcall function 00CBC998: _wcslen.LIBCMT ref: 00CBC9F1
Part of subcall function 00CBC998: _wcslen.LIBCMT ref: 00CBCA68
Part of subcall function 00CBC998: _wcslen.LIBCMT ref: 00CBCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00CBB6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00CBB772
RegDeleteValueW.ADVAPI32(?,?), ref: 00CBB80A
RegCloseKey.ADVAPI32(?), ref: 00CBB87E
RegCloseKey.ADVAPI32(?), ref: 00CBB89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 00CBB8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00CBB904
RegDeleteKeyW.ADVAPI32(?,?), ref: 00CBB922
FreeLibrary.KERNEL32(00000000), ref: 00CBB983
RegCloseKey.ADVAPI32(00000000), ref: 00CBB994

Strings

advapi32.dll, xrefs: 00CBB8ED
RegDeleteKeyExW, xrefs: 00CBB8FE

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 318225d550eeb26c653eb313d1cd9f9bc2381ecac485b89361b1496e7e72a52f
Instruction ID: dea2e48b0fc18eff5d1116de37f29b419ae7b366078786e1134f2868f2b146ab
Opcode Fuzzy Hash: 318225d550eeb26c653eb313d1cd9f9bc2381ecac485b89361b1496e7e72a52f
Instruction Fuzzy Hash: F4C1AE34608201AFD714DF14C494F6ABBE5FF84318F14859CF4AA9B2A2CBB1ED45CB91

Function 00CB255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00CB25D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00CB25E8
CreateCompatibleDC.GDI32(?), ref: 00CB25F4
SelectObject.GDI32(00000000,?), ref: 00CB2601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 00CB266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 00CB26AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 00CB26D0
SelectObject.GDI32(?,?), ref: 00CB26D8
DeleteObject.GDI32(?), ref: 00CB26E1
DeleteDC.GDI32(?), ref: 00CB26E8
ReleaseDC.USER32(00000000,?), ref: 00CB26F3

Strings

(, xrefs: 00CB268D

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 4fef38e3d3d77a6696798433e55e6efa7cd0f1280e4181f16351cbc42de313a3
Instruction ID: 13bb2c5c1c8ac15d1ae0df3bb9c554352918d6b23bee1783ee62439b74e455df
Opcode Fuzzy Hash: 4fef38e3d3d77a6696798433e55e6efa7cd0f1280e4181f16351cbc42de313a3
Instruction Fuzzy Hash: 6D61D1B5D00219EFCF14CFA8D984EAEBBB5FF48310F248529E959A7250D770A941DFA0

Function 00C6DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 00C6DAA1

Part of subcall function 00C6D63C: _free.LIBCMT ref: 00C6D659
Part of subcall function 00C6D63C: _free.LIBCMT ref: 00C6D66B
Part of subcall function 00C6D63C: _free.LIBCMT ref: 00C6D67D
Part of subcall function 00C6D63C: _free.LIBCMT ref: 00C6D68F
Part of subcall function 00C6D63C: _free.LIBCMT ref: 00C6D6A1
Part of subcall function 00C6D63C: _free.LIBCMT ref: 00C6D6B3
Part of subcall function 00C6D63C: _free.LIBCMT ref: 00C6D6C5
Part of subcall function 00C6D63C: _free.LIBCMT ref: 00C6D6D7
Part of subcall function 00C6D63C: _free.LIBCMT ref: 00C6D6E9
Part of subcall function 00C6D63C: _free.LIBCMT ref: 00C6D6FB
Part of subcall function 00C6D63C: _free.LIBCMT ref: 00C6D70D
Part of subcall function 00C6D63C: _free.LIBCMT ref: 00C6D71F
Part of subcall function 00C6D63C: _free.LIBCMT ref: 00C6D731

_free.LIBCMT ref: 00C6DA96

Part of subcall function 00C629C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00C6D7D1,00000000,00000000,00000000,00000000,?,00C6D7F8,00000000,00000007,00000000,?,00C6DBF5,00000000), ref: 00C629DE
Part of subcall function 00C629C8: GetLastError.KERNEL32(00000000,?,00C6D7D1,00000000,00000000,00000000,00000000,?,00C6D7F8,00000000,00000007,00000000,?,00C6DBF5,00000000,00000000), ref: 00C629F0

_free.LIBCMT ref: 00C6DAB8
_free.LIBCMT ref: 00C6DACD
_free.LIBCMT ref: 00C6DAD8
_free.LIBCMT ref: 00C6DAFA
_free.LIBCMT ref: 00C6DB0D
_free.LIBCMT ref: 00C6DB1B
_free.LIBCMT ref: 00C6DB26
_free.LIBCMT ref: 00C6DB5E
_free.LIBCMT ref: 00C6DB65
_free.LIBCMT ref: 00C6DB82
_free.LIBCMT ref: 00C6DB9A

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 69b0585546c20d49acd7797c7c64bea47a01e4082ea58973f12c7821f2699c85
Instruction ID: eee826972668ecf58427a70fe00f56ad8562f28018b539670f61034a27e73efc
Opcode Fuzzy Hash: 69b0585546c20d49acd7797c7c64bea47a01e4082ea58973f12c7821f2699c85
Instruction Fuzzy Hash: EC315A31B086049FEB35AA79E8C5B6A77E9FF80350F154419F46AD7192DA30AE80A720

Function 00C9365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00C9369C
_wcslen.LIBCMT ref: 00C936A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00C93797
GetClassNameW.USER32(?,?,00000400), ref: 00C9380C
GetDlgCtrlID.USER32(?), ref: 00C9385D
GetWindowRect.USER32(?,?), ref: 00C93882
GetParent.USER32(?), ref: 00C938A0
ScreenToClient.USER32(00000000), ref: 00C938A7
GetClassNameW.USER32(?,?,00000100), ref: 00C93921
GetWindowTextW.USER32(?,?,00000400), ref: 00C9395D

Strings

%s%u, xrefs: 00C93734

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 5489698e083e11d5df696405c052089069ebe4c4657c4f65823a93b246f4d3d2
Instruction ID: 2c22fd02838c459ebb0cadc7b9b70d132df8d93048b011bce977b9986c14faf9
Opcode Fuzzy Hash: 5489698e083e11d5df696405c052089069ebe4c4657c4f65823a93b246f4d3d2
Instruction Fuzzy Hash: 3691D371204746AFDB19DF64C889FAAF7A8FF44350F008629F9A9C2190DB30EB55CB91

Function 00C94954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00C94994
GetWindowTextW.USER32(?,?,00000400), ref: 00C949DA
_wcslen.LIBCMT ref: 00C949EB
CharUpperBuffW.USER32(?,00000000), ref: 00C949F7
_wcsstr.LIBVCRUNTIME ref: 00C94A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00C94A64
GetWindowTextW.USER32(?,?,00000400), ref: 00C94A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00C94AE6
GetClassNameW.USER32(?,?,00000400), ref: 00C94B20
GetWindowRect.USER32(?,?), ref: 00C94B8B

Strings

ThumbnailClass, xrefs: 00C94A6F, 00C94AF1

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: a827a6d108dca4ebeedd8323c92b8d5f57306076eeec27cff4b5111569f3e134
Instruction ID: d3ea08fc8d8905f28c6b9fdf1ce2bed39dcea3660af7ad3d028d49678c9ddc0c
Opcode Fuzzy Hash: a827a6d108dca4ebeedd8323c92b8d5f57306076eeec27cff4b5111569f3e134
Instruction Fuzzy Hash: A991C0711082059FDF08DF14C989FAA77E8FF84315F048469FD999A196EB30EE46CBA1

Function 00C9BF30 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00D01990,000000FF,00000000,00000030), ref: 00C9BFAC
SetMenuItemInfoW.USER32(00D01990,00000004,00000000,00000030), ref: 00C9BFE1
Sleep.KERNEL32(000001F4), ref: 00C9BFF3
GetMenuItemCount.USER32(?), ref: 00C9C039
GetMenuItemID.USER32(?,00000000), ref: 00C9C056
GetMenuItemID.USER32(?,-00000001), ref: 00C9C082
GetMenuItemID.USER32(?,?), ref: 00C9C0C9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00C9C10F
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00C9C124
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00C9C145

Strings

0, xrefs: 00C9BF3D

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep
String ID: 0
API String ID: 1460738036-4108050209
Opcode ID: adf574502c489a7cc082b756855320d946d43659ec5e82e02f2d4e51b2f7d9e9
Instruction ID: 524f10aaedc03b00bcfdcc33144a1277458854515f79be525dc8ab134131631f
Opcode Fuzzy Hash: adf574502c489a7cc082b756855320d946d43659ec5e82e02f2d4e51b2f7d9e9
Instruction Fuzzy Hash: 4A617AB090024AAFDF11CF68DDCCFAEBBB8EB05344F144159E825A3292D735AE55DB60

Function 00CBCC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00CBCC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 00CBCC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00CBCD48

Part of subcall function 00CBCC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 00CBCCAA
Part of subcall function 00CBCC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 00CBCCBD
Part of subcall function 00CBCC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00CBCCCF
Part of subcall function 00CBCC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00CBCD05
Part of subcall function 00CBCC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00CBCD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 00CBCCF3

Strings

advapi32.dll, xrefs: 00CBCCB8
RegDeleteKeyExW, xrefs: 00CBCCC9

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 0a27f74ed5ca1acf784a192a1f7f61246ce1243d7057fd34cd188f1d91985056
Instruction ID: fa53cd59e5fe6d5e09fdb61b7fa5e5f35d0438a2175404b85d78debcab95fb4e
Opcode Fuzzy Hash: 0a27f74ed5ca1acf784a192a1f7f61246ce1243d7057fd34cd188f1d91985056
Instruction Fuzzy Hash: 9E316C75901129BBDB208B65DCC8FFFBB7CEF55750F000169E91AE3240DB349B45AAA0

Function 00CA3D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00CA3D40
_wcslen.LIBCMT ref: 00CA3D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 00CA3D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00CA3DBE
RemoveDirectoryW.KERNEL32(?), ref: 00CA3DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00CA3E55
CloseHandle.KERNEL32(00000000), ref: 00CA3E60
CloseHandle.KERNEL32(00000000), ref: 00CA3E6B

Strings

:, xrefs: 00CA3D82
\, xrefs: 00CA3D77
\??\%s, xrefs: 00CA3D5B

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: b7cb6275d13ac094cd05c5886aa317f173aef6f78bbb8084d52b48f6b9f8af06
Instruction ID: 191030bef1034a2b00bca88ae3a3e879205918733d48a1de4849519280b12f78
Opcode Fuzzy Hash: b7cb6275d13ac094cd05c5886aa317f173aef6f78bbb8084d52b48f6b9f8af06
Instruction Fuzzy Hash: E731D27291024AABDB219FA0DC89FEF37BCEF89754F1040B5F919D2060E77497848B24

Function 00C9E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00C9E6B4

Part of subcall function 00C4E551: timeGetTime.WINMM(?,?,00C9E6D4), ref: 00C4E555

Sleep.KERNEL32(0000000A), ref: 00C9E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 00C9E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00C9E727
SetActiveWindow.USER32 ref: 00C9E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00C9E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 00C9E773
Sleep.KERNEL32(000000FA), ref: 00C9E77E
IsWindow.USER32 ref: 00C9E78A
EndDialog.USER32(00000000), ref: 00C9E79B

Strings

BUTTON, xrefs: 00C9E719

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: bda0b6f8ea20c0f329bf1c20de3bd84b8f56ace7ad2b28b33bc27b1c9626d15b
Instruction ID: cd45e4e5db4f20501300cf2bd5c0f00cf099a4ee16faca958c57f6017ba471b9
Opcode Fuzzy Hash: bda0b6f8ea20c0f329bf1c20de3bd84b8f56ace7ad2b28b33bc27b1c9626d15b
Instruction Fuzzy Hash: D7215EB0200345AFEF00AFA1EDCEF3A3B69F764749B540425F519C26A1DB72AD50EB25

Function 00C9E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00C39CB3: _wcslen.LIBCMT ref: 00C39CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00C9EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00C9EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00C9EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00C9EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00C9EAA7

Strings

play PlayMe, xrefs: 00C9EAA2
close PlayMe, xrefs: 00C9EA6E, 00C9EA9B
open , xrefs: 00C9EA0C
play PlayMe wait, xrefs: 00C9EA91
alias PlayMe, xrefs: 00C9EA36
status PlayMe mode, xrefs: 00C9EA58

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: b0420acd62008288cd3a8114bdadffc6833249f7c288e4369043f81bbc57c348
Instruction ID: b2ad9aa8846fdd925e87f0fb17bae494919ba5015bcf1951e1d8e3d5fa05e3b5
Opcode Fuzzy Hash: b0420acd62008288cd3a8114bdadffc6833249f7c288e4369043f81bbc57c348
Instruction Fuzzy Hash: BE117731AA026D79DB50E762DC4AEFF6A7CEBD1B00F400439B511A20E1DEB05E05D6B1

Function 00C99F91 Relevance: 18.2, APIs: 12, Instructions: 188keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00C9A012
SetKeyboardState.USER32(?), ref: 00C9A07D
GetAsyncKeyState.USER32(000000A0), ref: 00C9A09D
GetKeyState.USER32(000000A0), ref: 00C9A0B4
GetAsyncKeyState.USER32(000000A1), ref: 00C9A0E3
GetKeyState.USER32(000000A1), ref: 00C9A0F4
GetAsyncKeyState.USER32(00000011), ref: 00C9A120
GetKeyState.USER32(00000011), ref: 00C9A12E
GetAsyncKeyState.USER32(00000012), ref: 00C9A157
GetKeyState.USER32(00000012), ref: 00C9A165
GetAsyncKeyState.USER32(0000005B), ref: 00C9A18E
GetKeyState.USER32(0000005B), ref: 00C9A19C

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: b366e4bff0fc7244a7be8572f4052602e90943ba67cb65f51dfecfc2688587f7
Instruction ID: 9383fb1b77909d0b3abae8524fe02377186379651d4ac595a565f011c3787643
Opcode Fuzzy Hash: b366e4bff0fc7244a7be8572f4052602e90943ba67cb65f51dfecfc2688587f7
Instruction Fuzzy Hash: 0451F9309047886AFF35DBA489197EEFFB49F12380F08859DD5D2571C2DA64AB4CC7A2

Function 00C95CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00C95CE2
GetWindowRect.USER32(00000000,?), ref: 00C95CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00C95D59
GetDlgItem.USER32(?,00000002), ref: 00C95D69
GetWindowRect.USER32(00000000,?), ref: 00C95D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00C95DCF
GetDlgItem.USER32(?,000003E9), ref: 00C95DDD
GetWindowRect.USER32(00000000,?), ref: 00C95DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00C95E31
GetDlgItem.USER32(?,000003EA), ref: 00C95E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00C95E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00C95E67

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: a23af6f11acb98a5cb3107af1085130223c962fe5c48dcbea3d05fdc62233a81
Instruction ID: a23b49855374f0905aaa96abb56373b5d90a5e6a033e6d938e86348b6a4df9eb
Opcode Fuzzy Hash: a23af6f11acb98a5cb3107af1085130223c962fe5c48dcbea3d05fdc62233a81
Instruction Fuzzy Hash: B351FDB1A00605AFDF19CF68DE89FAEBBB5FB48300F148129F519E6690D7709E04CB50

Function 00C48BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00C48F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00C48BE8,?,00000000,?,?,?,?,00C48BBA,00000000,?), ref: 00C48FC5

DestroyWindow.USER32(?), ref: 00C48C81
KillTimer.USER32(00000000,?,?,?,?,00C48BBA,00000000,?), ref: 00C48D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00C86973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00C48BBA,00000000,?), ref: 00C869A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00C48BBA,00000000,?), ref: 00C869B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00C48BBA,00000000), ref: 00C869D4
DeleteObject.GDI32(00000000), ref: 00C869E6

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: a8a17af914abd0d5fb7a0cdd059017995ac58551be6789ea833d69045c0d250d
Instruction ID: 197ab7981988fb35f231a276bf5f0e51a5e27fa3eb40c9d25cca7fc4bd757ba5
Opcode Fuzzy Hash: a8a17af914abd0d5fb7a0cdd059017995ac58551be6789ea833d69045c0d250d
Instruction Fuzzy Hash: AC618C34902710DFDB25EF15D988B2D77F1FB44316F144518E0669BAA0CB35AE88DFA4

Function 00C49838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00C49944: GetWindowLongW.USER32(?,000000EB), ref: 00C49952

GetSysColor.USER32(0000000F), ref: 00C49862

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 4b4fc46e203b179a77553062c7493be83bcbc1587173817401f89a0215a93042
Instruction ID: 13fd49a9aabe7521d9e8e1066f1cdb4b776158fa37e8f11ffe84157187769deb
Opcode Fuzzy Hash: 4b4fc46e203b179a77553062c7493be83bcbc1587173817401f89a0215a93042
Instruction Fuzzy Hash: 91417C31504660AFDB209B3DDC88BBA3BA5FB56334F284615FAB6872E1D7319942DB10

Function 00C996E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,00C7F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00C99717
LoadStringW.USER32(00000000,?,00C7F7F8,00000001), ref: 00C99720

Part of subcall function 00C39CB3: _wcslen.LIBCMT ref: 00C39CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,00C7F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00C99742
LoadStringW.USER32(00000000,?,00C7F7F8,00000001), ref: 00C99745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00C99866

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00C9984A
^ ERROR, xrefs: 00C997FB
Line %d (File "%s"):, xrefs: 00C9978F
Line %d:, xrefs: 00C997A0
Error: , xrefs: 00C9981D

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 23c023c50eb66bef9d46d1a1da17cb0e511615602d56a40368edea724616a990
Instruction ID: 2c87e68857936f1da04da4370a909305c679038d0069cbe799e4a015b0a1a53b
Opcode Fuzzy Hash: 23c023c50eb66bef9d46d1a1da17cb0e511615602d56a40368edea724616a990
Instruction Fuzzy Hash: D5414D72800209AACF04FBE4DD86EEEB778EF55340F104069F605720A2EA756F49EB61

Function 00C906DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00C36B57: _wcslen.LIBCMT ref: 00C36B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00C907A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00C907BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00C907DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00C90804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 00C9082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00C90837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00C9083C

Strings

SOFTWARE\Classes\, xrefs: 00C9070E
\IPC$, xrefs: 00C90784
\CLSID, xrefs: 00C90724

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 4bcb7dd266ccbb47a800759242efbc356388b1cc36e988fd23d35f601107329e
Instruction ID: 7dedc0959c869c83bd11def9ffcc31dc4da1d9d5cf92b4523f1aafcb38fa028c
Opcode Fuzzy Hash: 4bcb7dd266ccbb47a800759242efbc356388b1cc36e988fd23d35f601107329e
Instruction Fuzzy Hash: 1B411572C10229AFCF15EBA4DC89DEDB7B8FF44350F144129E915A31A0EB709E05DBA0

Function 00CC3F98 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00CC403B
CreateCompatibleDC.GDI32(00000000), ref: 00CC4042
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00CC4055
SelectObject.GDI32(00000000,00000000), ref: 00CC405D
GetPixel.GDI32(00000000,00000000,00000000), ref: 00CC4068
DeleteDC.GDI32(00000000), ref: 00CC4072
GetWindowLongW.USER32(?,000000EC), ref: 00CC407C
SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 00CC4092
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 00CC409E

Strings

static, xrefs: 00CC3FD3

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: e3358f7333036c9afd190d51f366eb1866b6b758698611316ee374a513064557
Instruction ID: 432f7f510a131006598d80f5f9b2aef46a974dda496ccd15d66cb75ef7b709d4
Opcode Fuzzy Hash: e3358f7333036c9afd190d51f366eb1866b6b758698611316ee374a513064557
Instruction Fuzzy Hash: B4317A32540219ABDF219FA8DC49FDE3BA8FF0D320F004219FA29E61A0C775D951DBA0

Function 00CB3C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00CB3C5C
CoInitialize.OLE32(00000000), ref: 00CB3C8A
CoUninitialize.OLE32 ref: 00CB3C94
_wcslen.LIBCMT ref: 00CB3D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00CB3DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00CB3ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00CB3F0E
CoGetObject.OLE32(?,00000000,00CCFB98,?), ref: 00CB3F2D
SetErrorMode.KERNEL32(00000000), ref: 00CB3F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00CB3FC4
VariantClear.OLEAUT32(?), ref: 00CB3FD8

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: f1a7e4330351e7c5705c123fb1cfe3e17fbb1d9379a5d12bf4d77846513c18be
Instruction ID: 7082f2b46015d4fd7cf0acfeaf525fbc880c67e9030293b1d5b7908681b7e5f9
Opcode Fuzzy Hash: f1a7e4330351e7c5705c123fb1cfe3e17fbb1d9379a5d12bf4d77846513c18be
Instruction Fuzzy Hash: EEC15571608341AFC700DF69C884A6BBBE9FF89748F10495DF98A9B250DB30EE45CB52

Function 00CA7A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00CA7AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00CA7B8F
SHGetDesktopFolder.SHELL32(?), ref: 00CA7BA3
CoCreateInstance.OLE32(00CCFD08,00000000,00000001,00CF6E6C,?), ref: 00CA7BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00CA7C74
CoTaskMemFree.OLE32(?,?), ref: 00CA7CCC
SHBrowseForFolderW.SHELL32(?), ref: 00CA7D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00CA7D7A
CoTaskMemFree.OLE32(00000000), ref: 00CA7D81
CoTaskMemFree.OLE32(00000000), ref: 00CA7DD6
CoUninitialize.OLE32 ref: 00CA7DDC

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 3cb58c310fe8631e1efc408e67cf67cd613ee96d574a973e82332ef0cb577e0c
Instruction ID: be05cf0ff53d5009b44717256cfc1eef7ce8effdd2602c997b484ce3e306c38e
Opcode Fuzzy Hash: 3cb58c310fe8631e1efc408e67cf67cd613ee96d574a973e82332ef0cb577e0c
Instruction Fuzzy Hash: C1C11C75A04109AFCB14DF64C888DAEBBF9FF49318F148599F81A9B261D730EE45CB90

Function 00CC541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00CC5504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00CC5515
CharNextW.USER32(00000158), ref: 00CC5544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00CC5585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00CC559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00CC55AC

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 370f9ace6715d5b4ba07ea41870ef632ceed845b31aa95bb6915256223218a05
Instruction ID: 791242672ea3dd2d79083ade72438c1886f6ad25b1d93a92edfdfec76b46ebb3
Opcode Fuzzy Hash: 370f9ace6715d5b4ba07ea41870ef632ceed845b31aa95bb6915256223218a05
Instruction Fuzzy Hash: 96616C75904608AFDF10DF95CC84FFE7BB9EB09720F108189F925AA291D774AAC1DB60

Function 00C8FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00C8FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 00C8FB08
VariantInit.OLEAUT32(?), ref: 00C8FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 00C8FB3A
VariantCopy.OLEAUT32(?,?), ref: 00C8FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 00C8FBA1
VariantClear.OLEAUT32(?), ref: 00C8FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 00C8FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00C8FBCC
VariantClear.OLEAUT32(?), ref: 00C8FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00C8FBE9

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 4f6d7a007e31443de754eb99929acc1709b308507a85de97343dac3f75e906f7
Instruction ID: 2d3dd3619af9f18c677900395bd8292e46f6b251ed13a8b97f3cc6642f441600
Opcode Fuzzy Hash: 4f6d7a007e31443de754eb99929acc1709b308507a85de97343dac3f75e906f7
Instruction Fuzzy Hash: 50414235A002199FCB04EF64D898EFEBBB9FF48354F008069E955A7261D730AA46DF94

Function 00C99C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00C99CA1
GetAsyncKeyState.USER32(000000A0), ref: 00C99D22
GetKeyState.USER32(000000A0), ref: 00C99D3D
GetAsyncKeyState.USER32(000000A1), ref: 00C99D57
GetKeyState.USER32(000000A1), ref: 00C99D6C
GetAsyncKeyState.USER32(00000011), ref: 00C99D84
GetKeyState.USER32(00000011), ref: 00C99D96
GetAsyncKeyState.USER32(00000012), ref: 00C99DAE
GetKeyState.USER32(00000012), ref: 00C99DC0
GetAsyncKeyState.USER32(0000005B), ref: 00C99DD8
GetKeyState.USER32(0000005B), ref: 00C99DEA

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 1c74b527f0d64dcb9cb84e5920d708db85869799362a3462838b7aa914086f2c
Instruction ID: 634897ceb85ba9b3a9bbaf558ab7f8a794f2690b2476d20536f68626460cf8cf
Opcode Fuzzy Hash: 1c74b527f0d64dcb9cb84e5920d708db85869799362a3462838b7aa914086f2c
Instruction Fuzzy Hash: 6941A6345047C969FF319668C88C7B5BEA0EF12344F08805EDAD6565C2EBB59BC8C7A2

Function 00CB055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00CB05BC
inet_addr.WSOCK32(?), ref: 00CB061C
gethostbyname.WSOCK32(?), ref: 00CB0628
IcmpCreateFile.IPHLPAPI ref: 00CB0636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00CB06C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00CB06E5
IcmpCloseHandle.IPHLPAPI(?), ref: 00CB07B9
WSACleanup.WSOCK32 ref: 00CB07BF

Strings

Ping, xrefs: 00CB0676

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 67876c55e09e10249ef77e4b3c68f54f8a5253353d2d30da0b1997e6d4fa382f
Instruction ID: ea73bba154a684358a0c7821facedc9d554d8750ce115a07785215523e52cd48
Opcode Fuzzy Hash: 67876c55e09e10249ef77e4b3c68f54f8a5253353d2d30da0b1997e6d4fa382f
Instruction Fuzzy Hash: 25916B756082019FD720DF15C888F5BBBE4BF48318F2485A9F46A9B6A2CB30ED45CF91

Function 00CB8CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00CB8CF3

Part of subcall function 00C98E54: _wcslen.LIBCMT ref: 00C98E77

_wcslen.LIBCMT ref: 00CB8D4E
_wcslen.LIBCMT ref: 00CB8D9C
_wcslen.LIBCMT ref: 00CB8DDC
_wcslen.LIBCMT ref: 00CB8E6E

Strings

none, xrefs: 00CB8E65, 00CB8E6A
cdecl, xrefs: 00CB8D48, 00CB8D4D
winapi, xrefs: 00CB8D96, 00CB8D9B
stdcall, xrefs: 00CB8DD6, 00CB8DDB

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: e53d062c54ed02d39b28b2ce7daee1ad639489be196a9b5e339a62368e197141
Instruction ID: ec01d7a3cd890be0ceef6f94f7070bce1e275f99bce6a199d0b1eceede1035fd
Opcode Fuzzy Hash: e53d062c54ed02d39b28b2ce7daee1ad639489be196a9b5e339a62368e197141
Instruction Fuzzy Hash: 0851AE35A041179BCF24DF68C9419FEB7A9BF65724F20422AE826E72C4DB30DE48D790

Function 00CB372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00CB3774
CoUninitialize.OLE32 ref: 00CB377F
CoCreateInstance.OLE32(?,00000000,00000017,00CCFB78,?), ref: 00CB37D9
IIDFromString.OLE32(?,?), ref: 00CB384C
VariantInit.OLEAUT32(?), ref: 00CB38E4
VariantClear.OLEAUT32(?), ref: 00CB3936

Strings

NULL Pointer assignment, xrefs: 00CB381E
Invalid parameter, xrefs: 00CB3865
Failed to create object, xrefs: 00CB37E4, 00CB389A

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: f52c27187bdda15b9198c51dd9a1e9b1eb06d3e4ef86ee88483b1d369e7060b9
Instruction ID: 97a6344da60d176cca4b5b50050bafdf9f5eb1540332937f411beb00b3b5b348
Opcode Fuzzy Hash: f52c27187bdda15b9198c51dd9a1e9b1eb06d3e4ef86ee88483b1d369e7060b9
Instruction Fuzzy Hash: 1461CF70608351AFD710DF55C888FAABBE8EF48714F10491EF9959B291DB70EE48CB92

Function 00CA3388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 00CA33CF

Part of subcall function 00C39CB3: _wcslen.LIBCMT ref: 00C39CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00CA33F0

Strings

Line %d (File "%s"):, xrefs: 00CA3443, 00CA345C
"%s" (%d) : ==> %s:, xrefs: 00CA3522
Error: , xrefs: 00CA34D1
"%s" (%d) : ==> %s:%s%s, xrefs: 00CA3504
Incorrect parameters to object property !, xrefs: 00CA34AB
^ ERROR , xrefs: 00CA349E

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 442f52b83d57a283845c124303d6faf8170c369a0c3dbe683fcb5ffd50a2c934
Instruction ID: 3d073f2e510d12db7d98bfcb40ea612764e75f56e83c53f0275d3d3639323d2f
Opcode Fuzzy Hash: 442f52b83d57a283845c124303d6faf8170c369a0c3dbe683fcb5ffd50a2c934
Instruction Fuzzy Hash: FB518B7190024AAADF15EBE0CD56EEEB778EF05340F104065F509B21A2EB712F58EB61

Function 00C9B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00C9B5FC
_wcslen.LIBCMT ref: 00C9B608
_wcslen.LIBCMT ref: 00C9B64D
_wcslen.LIBCMT ref: 00C9B68C
_wcslen.LIBCMT ref: 00C9B6C7

Strings

REMOVE, xrefs: 00C9B602, 00C9B607
EXISTS, xrefs: 00C9B686, 00C9B68B
KEYS, xrefs: 00C9B647, 00C9B64C
APPEND, xrefs: 00C9B6C1, 00C9B6C6

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: 52d64da1318188823130da9290ccdf7878160d2eb55dfdf8530628708b423e35
Instruction ID: 57f28d40c7966128c90c2e92c8754c11667e633b54f50be273618750fd6b6036
Opcode Fuzzy Hash: 52d64da1318188823130da9290ccdf7878160d2eb55dfdf8530628708b423e35
Instruction Fuzzy Hash: BA41E632A00026AACF146F7DDA955BEB7B5AFA0754B244229F435D7284E731EE81C790

Function 00CA5393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00CA53A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00CA5416
GetLastError.KERNEL32 ref: 00CA5420
SetErrorMode.KERNEL32(00000000,READY), ref: 00CA54A7

Strings

INVALID, xrefs: 00CA5459
READY, xrefs: 00CA5460, 00CA5468
READONLY, xrefs: 00CA5452
NOTREADY, xrefs: 00CA544B
UNKNOWN, xrefs: 00CA5444

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 4aa4d0da5c2feb1ed8adeef05baa8c87cdda347e6ebdd5f26311daea850380d7
Instruction ID: 2484d8b41de93cde7e0d3760b48d266e907f163913f96ed06dcdbafd7f634a81
Opcode Fuzzy Hash: 4aa4d0da5c2feb1ed8adeef05baa8c87cdda347e6ebdd5f26311daea850380d7
Instruction Fuzzy Hash: FD31D275A0060A9FCB10DF69C484FAE7BB4EF1A309F18C065E515DB292D770DE82CB91

Function 00CC3C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00CC3C79
SetMenu.USER32(?,00000000), ref: 00CC3C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00CC3D10
IsMenu.USER32(?), ref: 00CC3D24
CreatePopupMenu.USER32 ref: 00CC3D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00CC3D5B
DrawMenuBar.USER32 ref: 00CC3D63

Strings

0, xrefs: 00CC3C54
F, xrefs: 00CC3D4E

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: b0e2b1b99f2dda3268184ab3cada5d7abee60550113e3c187200b861f607123e
Instruction ID: 7a7539688dc4c70ee8a78f37cc5ed0e22eb297ae08912d25ca9309f1287f6995
Opcode Fuzzy Hash: b0e2b1b99f2dda3268184ab3cada5d7abee60550113e3c187200b861f607123e
Instruction Fuzzy Hash: 63414879A11209AFDB14CF64E888FAA7BB5FF49350F14402DF95AA7360D730AA10DF94

Function 00C91EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C39CB3: _wcslen.LIBCMT ref: 00C39CBD

Part of subcall function 00C93CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00C93CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00C91F64
GetDlgCtrlID.USER32 ref: 00C91F6F
GetParent.USER32 ref: 00C91F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 00C91F8E
GetDlgCtrlID.USER32(?), ref: 00C91F97
GetParent.USER32(?), ref: 00C91FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 00C91FAE

Strings

ComboBox, xrefs: 00C91EEC
ListBox, xrefs: 00C91F21

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: ef22336fff6a66b70e9404ce9c7c6b1a0b9125cf989537849a84ef898694d849
Instruction ID: c40358af39ccde74ba1cb4fc16fd58bf777901f439eda89ff8f1c6a13e5c92bf
Opcode Fuzzy Hash: ef22336fff6a66b70e9404ce9c7c6b1a0b9125cf989537849a84ef898694d849
Instruction Fuzzy Hash: 8521D470A00218BBCF05AFA0DC89EFEBBB8EF05350F000115FA65A72D1CB755905DB60

Function 00C91FC0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C39CB3: _wcslen.LIBCMT ref: 00C39CBD

Part of subcall function 00C93CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00C93CCA

SendMessageW.USER32(?,00000186,00020000,00000000), ref: 00C92043
GetDlgCtrlID.USER32 ref: 00C9204E
GetParent.USER32 ref: 00C9206A
SendMessageW.USER32(00000000,?,00000111,?), ref: 00C9206D
GetDlgCtrlID.USER32(?), ref: 00C92076
GetParent.USER32(?), ref: 00C9208A
SendMessageW.USER32(00000000,?,00000111,?), ref: 00C9208D

Strings

ComboBox, xrefs: 00C91FCD
ListBox, xrefs: 00C92002

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: f0ce066ef57fceaa2e106543e9920d1cebabdd129616cd62cfce714b2b6eeb16
Instruction ID: b68613a45392e40c7c73b562e6114c535da1d6aef3e0c1d03b5e4c4d30fa4032
Opcode Fuzzy Hash: f0ce066ef57fceaa2e106543e9920d1cebabdd129616cd62cfce714b2b6eeb16
Instruction Fuzzy Hash: B1219F75A00218BBCF10AFA0DC89FFEBBB8EF05340F005015FA95A72A1DA754915EB60

Function 00CC3A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00CC3A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00CC3AA0
GetWindowLongW.USER32(?,000000F0), ref: 00CC3AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00CC3AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00CC3B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00CC3BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00CC3BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00CC3BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00CC3BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00CC3C13

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 10bf6cbdf3c068b93cae9f7ebf836893b92a69afa1e6e6ba18e204a49a3d4f1b
Instruction ID: fa824d12b5febc66e699ecbbcb44c0d832a19d401e37f7db7aa60d7f6d01bbca
Opcode Fuzzy Hash: 10bf6cbdf3c068b93cae9f7ebf836893b92a69afa1e6e6ba18e204a49a3d4f1b
Instruction Fuzzy Hash: B2615775A00248AFDB10DFA8DC81FEE77B8EB09700F104199FA15E72A1D770AE45DB60

Function 00C9B12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00C9B151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00C9A1E1,?,00000001), ref: 00C9B165
GetWindowThreadProcessId.USER32(00000000), ref: 00C9B16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00C9A1E1,?,00000001), ref: 00C9B17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 00C9B18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,00C9A1E1,?,00000001), ref: 00C9B1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00C9A1E1,?,00000001), ref: 00C9B1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00C9A1E1,?,00000001), ref: 00C9B1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,00C9A1E1,?,00000001), ref: 00C9B212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,00C9A1E1,?,00000001), ref: 00C9B21D

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: b3a4dd43a52d46bb76e62919c4411b21a85d760171994f292e9e037945cdd049
Instruction ID: 5e0ce3b3499f82bca377b419b48e44db29d2ca85bf97c65e1731eb1d18f47f26
Opcode Fuzzy Hash: b3a4dd43a52d46bb76e62919c4411b21a85d760171994f292e9e037945cdd049
Instruction Fuzzy Hash: C2316571500604BFDF109F25EE88FAE7BA9EB51311F104009FA29D62A0D7B4AF418B60

Function 00C62C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00C62C94

Part of subcall function 00C629C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00C6D7D1,00000000,00000000,00000000,00000000,?,00C6D7F8,00000000,00000007,00000000,?,00C6DBF5,00000000), ref: 00C629DE
Part of subcall function 00C629C8: GetLastError.KERNEL32(00000000,?,00C6D7D1,00000000,00000000,00000000,00000000,?,00C6D7F8,00000000,00000007,00000000,?,00C6DBF5,00000000,00000000), ref: 00C629F0

_free.LIBCMT ref: 00C62CA0
_free.LIBCMT ref: 00C62CAB
_free.LIBCMT ref: 00C62CB6
_free.LIBCMT ref: 00C62CC1
_free.LIBCMT ref: 00C62CCC
_free.LIBCMT ref: 00C62CD7
_free.LIBCMT ref: 00C62CE2
_free.LIBCMT ref: 00C62CED
_free.LIBCMT ref: 00C62CFB

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 3b5824a33d81623762a14f5b6c6095dfd869ea30d0406d34fa10bc82d04fc148
Instruction ID: 19a5b3c5bf18948c0f89bb6d76a124afb027e18e9d058c24dc2c44a4402b58a0
Opcode Fuzzy Hash: 3b5824a33d81623762a14f5b6c6095dfd869ea30d0406d34fa10bc82d04fc148
Instruction Fuzzy Hash: A411C876600508BFCB16EF54D882CDD3BA5FF45390F4144A5FA489F232DA31EE50AB90

Function 00CA7DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00CA7FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00CA7FC1
GetFileAttributesW.KERNEL32(?), ref: 00CA7FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 00CA8005
SetCurrentDirectoryW.KERNEL32(?), ref: 00CA8017
SetCurrentDirectoryW.KERNEL32(?), ref: 00CA8060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00CA80B0

Strings

*.*, xrefs: 00CA8066

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: cb1c2bdc66b7512ca3ddf45a2f58c1fbeea41d39f3adca5797b8594c3cc922f2
Instruction ID: 739ebc4d9b67878f2bc7896a7fe67a25a66b7ad8f8a2b0f9e56af53c740b71ac
Opcode Fuzzy Hash: cb1c2bdc66b7512ca3ddf45a2f58c1fbeea41d39f3adca5797b8594c3cc922f2
Instruction Fuzzy Hash: B481C1725082429FCB20DF15C884AAEB3E8BF8A318F144D5EF895D7250EB34DE498B52

Function 00C35BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00C35C7A

Part of subcall function 00C35D0A: GetClientRect.USER32(?,?), ref: 00C35D30
Part of subcall function 00C35D0A: GetWindowRect.USER32(?,?), ref: 00C35D71
Part of subcall function 00C35D0A: ScreenToClient.USER32(?,?), ref: 00C35D99

GetDC.USER32 ref: 00C746F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00C74708
SelectObject.GDI32(00000000,00000000), ref: 00C74716
SelectObject.GDI32(00000000,00000000), ref: 00C7472B
ReleaseDC.USER32(?,00000000), ref: 00C74733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00C747C4

Strings

U, xrefs: 00C74693

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 6af13b0a18038bf0e68e34f325aa0321de0c5f5709fe3e2f35d3036aee2a6676
Instruction ID: fb01aa279bc40e079f04e6260b744d9f757800b2ede3c68f386a5192dc9a66fd
Opcode Fuzzy Hash: 6af13b0a18038bf0e68e34f325aa0321de0c5f5709fe3e2f35d3036aee2a6676
Instruction Fuzzy Hash: 5F71D135400205DFCF298F64C984EBA7BB5FF4A354F148269FD699A2A6C3319E41DF60

Function 00CA359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 00CA35E4

Part of subcall function 00C39CB3: _wcslen.LIBCMT ref: 00C39CBD

LoadStringW.USER32(00D02390,?,00000FFF,?), ref: 00CA360A

Strings

^ ERROR, xrefs: 00CA36C9
Line %d (File "%s"):, xrefs: 00CA366B
"%s" (%d) : ==> %s:, xrefs: 00CA3742
Error: , xrefs: 00CA36EF
"%s" (%d) : ==> %s:%s%s, xrefs: 00CA3724

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 0c009c2fe95bfb557fff55415f2c2df1363cd661d7a48cb80c61a1ea4d2a821e
Instruction ID: a3aedb8e3ccf35b47e553cd97afdd2d4b9976e96a5f3d77ca9fdb0c836629680
Opcode Fuzzy Hash: 0c009c2fe95bfb557fff55415f2c2df1363cd661d7a48cb80c61a1ea4d2a821e
Instruction Fuzzy Hash: 22518F7190024ABBCF14EBA0CD56EEDBB38EF05304F144125F105B21A1EB711B99EF61

Function 00CAC253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00CAC272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00CAC29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00CAC2CA
GetLastError.KERNEL32 ref: 00CAC322
SetEvent.KERNEL32(?), ref: 00CAC336
InternetCloseHandle.WININET(00000000), ref: 00CAC341

Strings

, xrefs: 00CAC2BB

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: dfc70eefbde7f983da328b653fa2bf12ab546d3cc9fa7e97b3e2d1df6a770b12
Instruction ID: 0e0acfbe63e2b9c6c7ea69539c6ab7db945dcdd4a332cc93f4227f6f9a8384c6
Opcode Fuzzy Hash: dfc70eefbde7f983da328b653fa2bf12ab546d3cc9fa7e97b3e2d1df6a770b12
Instruction Fuzzy Hash: 6F318DB1501205AFDB219F65CCC8BAB7AFCEB4A748F14851EF45AD2210DB34DE459B60

Function 00C9989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00C73AAF,?,?,Bad directive syntax error,00CCCC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 00C998BC
LoadStringW.USER32(00000000,?,00C73AAF,?), ref: 00C998C3

Part of subcall function 00C39CB3: _wcslen.LIBCMT ref: 00C39CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00C99987

Strings

Error: , xrefs: 00C99955
%s (%d) : ==> %s.: %s %s, xrefs: 00C998F1
Line %d (File "%s"):, xrefs: 00C9992D
Line %d:, xrefs: 00C99912
., xrefs: 00C9996D

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: b3a459d137120f5138f1a16c69a1dfe6e9c88d4d271fae5c1a13a8bee22385f0
Instruction ID: b831a317822eb54da77459f7d4925c2c6fad4f4985a6e031821f12ccc69391e6
Opcode Fuzzy Hash: b3a459d137120f5138f1a16c69a1dfe6e9c88d4d271fae5c1a13a8bee22385f0
Instruction Fuzzy Hash: 5A217C3295021EABCF15EF90CC4AEEE7779FF18300F044469F619660A2EB719A18EB51

Function 00C9209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00C920AB
GetClassNameW.USER32(00000000,?,00000100), ref: 00C920C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00C9214D

Strings

list, xrefs: 00C9212F
details, xrefs: 00C920FB
largeicons, xrefs: 00C920E1
smallicons, xrefs: 00C92115
SHELLDLL_DefView, xrefs: 00C920CC

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 49b8ee0119ca6dbd753dbfda5924474fe902b13995090c38d368d66e58e5edcd
Instruction ID: 7822dcddb52bd253cb452f1599a9ef8174f66b58bc9591fd050a6e99f26e1964
Opcode Fuzzy Hash: 49b8ee0119ca6dbd753dbfda5924474fe902b13995090c38d368d66e58e5edcd
Instruction Fuzzy Hash: 67112C7A688706BAFE052220DC0FDFE379CCB04325F201026FB45A50D1FE619D956618

Function 00C68D45 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b93fcb73c07b1e4d906699e3df26494c4330d966db708230e4a75a6670ddf05
Instruction ID: b0cc3335abb296b2843dc711ad484b46156377a714f1b8340a3794825246207c
Opcode Fuzzy Hash: 2b93fcb73c07b1e4d906699e3df26494c4330d966db708230e4a75a6670ddf05
Instruction Fuzzy Hash: 2AC1E378904249AFCF21DFA8D881BADBFB4EF0D310F044159E925A7392CB349A46DB61

Function 00C6CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 00C6CEB7
_free.LIBCMT ref: 00C6CF22
_free.LIBCMT ref: 00C6CF48
_free.LIBCMT ref: 00C6CF71
_free.LIBCMT ref: 00C6CFA9
_free.LIBCMT ref: 00C6CFDA
_free.LIBCMT ref: 00C6D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 00C6D09C
_free.LIBCMT ref: 00C6D0B5

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: e62fbf50954d7252bb017e216ca15171ea2f9787d7d9a8739f891671579dc736
Instruction ID: f7c2941e7035b1e8e7d540fb1f8769c955e8ecc9f18e4ed022b54bb17cd3c45c
Opcode Fuzzy Hash: e62fbf50954d7252bb017e216ca15171ea2f9787d7d9a8739f891671579dc736
Instruction Fuzzy Hash: B7612471A04301AFDB35AFF498C1B7A7BA5EF05360F08416DF995D7282DA329A0197B2

Function 00CC50D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00CC5186
ShowWindow.USER32(?,00000000), ref: 00CC51C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 00CC51CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 00CC51D1

Part of subcall function 00CC6FBA: DeleteObject.GDI32(00000000), ref: 00CC6FE6

GetWindowLongW.USER32(?,000000F0), ref: 00CC520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00CC521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00CC524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00CC5287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00CC5296

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: 6b36995c78112d93f0958f60fdaecd6a2bc3ba4d27a431ac2634c72c7faac99e
Instruction ID: c1a967ca3031439b0d5c0a4bfe02eca75e12bbfd7920225f7b139e1a0bc11450
Opcode Fuzzy Hash: 6b36995c78112d93f0958f60fdaecd6a2bc3ba4d27a431ac2634c72c7faac99e
Instruction Fuzzy Hash: 46519E34A50A08BEEF209F25CC4AF9D7BA5FB05325F584119F629962E1C775BAC0EB40

Function 00C48B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00C86890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 00C868A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00C868B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 00C868D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00C868F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00C48874,00000000,00000000,00000000,000000FF,00000000), ref: 00C86901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00C8691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00C48874,00000000,00000000,00000000,000000FF,00000000), ref: 00C8692D

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 4dc371066f7f3be7b99d0bc1e731d7ba40d7f7082103860ed31dd5653fb77fef
Instruction ID: 34da6a89a5124219a16fbc3c576f8681dd7dcf6de42207e1bb8c60efb2cbc443
Opcode Fuzzy Hash: 4dc371066f7f3be7b99d0bc1e731d7ba40d7f7082103860ed31dd5653fb77fef
Instruction Fuzzy Hash: 25514570A00209AFDB20DF25CC95FAE7BB6FB58754F104518F96A972E0DB70AA90DB50

Function 00CAC143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00CAC182
GetLastError.KERNEL32 ref: 00CAC195
SetEvent.KERNEL32(?), ref: 00CAC1A9

Part of subcall function 00CAC253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00CAC272
Part of subcall function 00CAC253: GetLastError.KERNEL32 ref: 00CAC322
Part of subcall function 00CAC253: SetEvent.KERNEL32(?), ref: 00CAC336
Part of subcall function 00CAC253: InternetCloseHandle.WININET(00000000), ref: 00CAC341

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: fa6d8246b56fa1d35527906a573df8b6eac7a92c286b5426202518df57e16044
Instruction ID: 4ceab9a97dc417c0065d889e10c9bca4950dfb6be2b11290a73c0e5e69e446dc
Opcode Fuzzy Hash: fa6d8246b56fa1d35527906a573df8b6eac7a92c286b5426202518df57e16044
Instruction Fuzzy Hash: 40319071200606AFDB219FA5DD84B6ABBF8FF1A304B04451DF96A82610D735E914EBA0

Function 00C925A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C93A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00C93A57
Part of subcall function 00C93A3D: GetCurrentThreadId.KERNEL32 ref: 00C93A5E
Part of subcall function 00C93A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00C925B3), ref: 00C93A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 00C925BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00C925DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00C925DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 00C925E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00C92601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00C92605
MapVirtualKeyW.USER32(00000025,00000000), ref: 00C9260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00C92623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00C92627

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: e839c8557cfc65523c4c1fba5b647fbd4e466591ad250cdd0a926b347d16cfb9
Instruction ID: 62a9f704e459f6071e138aaf5f99a35c5603e4799d7e0e25f948423d147b3bbf
Opcode Fuzzy Hash: e839c8557cfc65523c4c1fba5b647fbd4e466591ad250cdd0a926b347d16cfb9
Instruction Fuzzy Hash: 1F01DF30790610BBFB206769DCCEF5D3F59DB4EB12F110001F358AE1E1C9E224549AAA

Function 00C91803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00C91449,?,?,00000000), ref: 00C9180C
HeapAlloc.KERNEL32(00000000,?,00C91449,?,?,00000000), ref: 00C91813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00C91449,?,?,00000000), ref: 00C91828
GetCurrentProcess.KERNEL32(?,00000000,?,00C91449,?,?,00000000), ref: 00C91830
DuplicateHandle.KERNEL32(00000000,?,00C91449,?,?,00000000), ref: 00C91833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00C91449,?,?,00000000), ref: 00C91843
GetCurrentProcess.KERNEL32(00C91449,00000000,?,00C91449,?,?,00000000), ref: 00C9184B
DuplicateHandle.KERNEL32(00000000,?,00C91449,?,?,00000000), ref: 00C9184E
CreateThread.KERNEL32(00000000,00000000,00C91874,00000000,00000000,00000000), ref: 00C91868

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 8ea98b84eac71af9aa10a0365c3d8882bc2e9f6c63bdb5aa1ad46298ab83cb3a
Instruction ID: 4cc800479394be671c6f26c7db283c61982da70bd8b40e04fc29cf1160818493
Opcode Fuzzy Hash: 8ea98b84eac71af9aa10a0365c3d8882bc2e9f6c63bdb5aa1ad46298ab83cb3a
Instruction Fuzzy Hash: F901BFB5240344BFE710AB66DC8DF5F3B6CEB89B11F054411FA05DB1A1C674D810CB20

Function 00CBA0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 00C9D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 00C9D501
Part of subcall function 00C9D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 00C9D50F
Part of subcall function 00C9D4DC: CloseHandle.KERNELBASE(00000000), ref: 00C9D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00CBA16D
GetLastError.KERNEL32 ref: 00CBA180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00CBA1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 00CBA268
GetLastError.KERNEL32(00000000), ref: 00CBA273
CloseHandle.KERNEL32(00000000), ref: 00CBA2C4

Strings

SeDebugPrivilege, xrefs: 00CBA18F

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 1007a146c250d43938d9718f9635fc9da5796373056a9b424492afdb59c82f22
Instruction ID: e34fdf879a09884743685ace708a8732bbca8014e7b9ca95b36301af1ee9e2a4
Opcode Fuzzy Hash: 1007a146c250d43938d9718f9635fc9da5796373056a9b424492afdb59c82f22
Instruction Fuzzy Hash: 8161A170204242AFD720DF19C4D4F59BBE1AF44318F18849CE4AA8BBA3C772ED45CB92

Function 00CC3886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00CC3925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 00CC393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00CC3954
_wcslen.LIBCMT ref: 00CC3999
SendMessageW.USER32(?,00001057,00000000,?), ref: 00CC39C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00CC39F4

Strings

SysListView32, xrefs: 00CC38F7

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: 26173699170afc64ae0d2091c92976150c329ab56a0b2a98b9619ebc26c9cac6
Instruction ID: aa22bc1aa69e10ce97a4ba0dee18609cff3bd93929d706304c1a74e0853c3911
Opcode Fuzzy Hash: 26173699170afc64ae0d2091c92976150c329ab56a0b2a98b9619ebc26c9cac6
Instruction Fuzzy Hash: 1A41A371A00219ABDF219F64DC45FEE77A9EF08354F10452AF958E72C1D7719A84CB90

Function 00C9BC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00C9BCFD
IsMenu.USER32(00000000), ref: 00C9BD1D
CreatePopupMenu.USER32 ref: 00C9BD53
GetMenuItemCount.USER32(016D54F0), ref: 00C9BDA4
InsertMenuItemW.USER32(016D54F0,?,00000001,00000030), ref: 00C9BDCC

Strings

2, xrefs: 00C9BD37
0, xrefs: 00C9BCA8

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 131fca6b991917928e453e8c989fc582b4863177c3e8e34545fac42e09b53603
Instruction ID: 9b655219a787ceac8efb51de5072ae7f7ca13b5cd09b5bd226ae483b1b9f22cb
Opcode Fuzzy Hash: 131fca6b991917928e453e8c989fc582b4863177c3e8e34545fac42e09b53603
Instruction Fuzzy Hash: F851AF72A00209ABDF10CFA9EACCBAEBBF4AF45314F144159F425D7298D770AE41CB51

Function 00C9C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00C9C913

Strings

question, xrefs: 00C9C8CC
blank, xrefs: 00C9C895
warning, xrefs: 00C9C8FC
info, xrefs: 00C9C8B4
stop, xrefs: 00C9C8E4

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 8e631b5b7a4f3222ade7915ef4a8f2ab25604e6ebd38d3530c5d1663b9fabb8d
Instruction ID: 4d2f8b7b2893eaaa2cd2b36906eec083deab31e3599ff9cf5f255d252c4d6c49
Opcode Fuzzy Hash: 8e631b5b7a4f3222ade7915ef4a8f2ab25604e6ebd38d3530c5d1663b9fabb8d
Instruction Fuzzy Hash: 3D112B3668930ABAAB04AB15DCC6DAE779CDF15319B21003BF900A61C2D7605F806369

Function 00C9DE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00C9DE42
gethostname.WSOCK32(?,00000100), ref: 00C9DE5C
gethostbyname.WSOCK32(?), ref: 00C9DE69
inet_ntoa.WSOCK32(?), ref: 00C9DEAB
_strcat.LIBCMT ref: 00C9DEB9
WSACleanup.WSOCK32 ref: 00C9DEDE

Strings

0.0.0.0, xrefs: 00C9DE87

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: 320790c6c8c6e5fd371ae898d852654f705066a92fb8a230294f3e893aecca9b
Instruction ID: e28968e9ab8818408b93433a71aa142c79ccd21d2cbc810751b5e281d8e8fa9e
Opcode Fuzzy Hash: 320790c6c8c6e5fd371ae898d852654f705066a92fb8a230294f3e893aecca9b
Instruction Fuzzy Hash: 0A110371904109ABCF24AB60DC8EFEF77ACDF10751F0001A9F55AEA091EF708AC19B60

Function 00CC9F86 Relevance: 12.3, APIs: 8, Instructions: 260windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C49BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00C49BB2

GetSystemMetrics.USER32(0000000F), ref: 00CC9FC7
GetSystemMetrics.USER32(0000000F), ref: 00CC9FE7
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00CCA224
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00CCA242
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00CCA263
ShowWindow.USER32(00000003,00000000), ref: 00CCA282
InvalidateRect.USER32(?,00000000,00000001), ref: 00CCA2A7
DefDlgProcW.USER32(?,00000005,?,?), ref: 00CCA2CA

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: efd2a94c80fd201de49a451af48fa325aaa4d3969c1e8c30ec6354b334c1b25a
Instruction ID: 14f648c4695bfc6479a83523fde8a81be652c00a6b99a414e686ccb8556f4108
Opcode Fuzzy Hash: efd2a94c80fd201de49a451af48fa325aaa4d3969c1e8c30ec6354b334c1b25a
Instruction Fuzzy Hash: 51B19B35600229DFDF14CF68C9C9BAE7BB2FF44705F088069ED599B295D731AA40CB61

Function 00C9ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00C9ED2A
_wcslen.LIBCMT ref: 00C9ED3B
_wcslen.LIBCMT ref: 00C9ED79
_wcslen.LIBCMT ref: 00C9EDAF
_wcslen.LIBCMT ref: 00C9EDDF
_wcslen.LIBCMT ref: 00C9EDEF
_wcslen.LIBCMT ref: 00C9EE2B
_wcslen.LIBCMT ref: 00C9EE5A

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 793adb262f3a4090cdd251939dbac3414f4749b8537df4d14e6930e637716786
Instruction ID: 26ccc5bddb32c7179f1b8ff8bdd34c35e17c62314bfeb9a2ac3588262ba430d3
Opcode Fuzzy Hash: 793adb262f3a4090cdd251939dbac3414f4749b8537df4d14e6930e637716786
Instruction Fuzzy Hash: F941A469C1021875CB11EBF4CC8A9CFB7BCAF45311F508466E914E3121FB34D689C3A9

Function 00C4F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00C8682C,00000004,00000000,00000000), ref: 00C4F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,00C8682C,00000004,00000000,00000000), ref: 00C8F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00C8682C,00000004,00000000,00000000), ref: 00C8F454

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 241aefd858d5e02f1d506053074c4a7843443ccf8bb93aea7e1b3bd4df37bfde
Instruction ID: b70429c082014242762177395a719fa72ce6e2c47cf4b287f9c909dcf2cec8d4
Opcode Fuzzy Hash: 241aefd858d5e02f1d506053074c4a7843443ccf8bb93aea7e1b3bd4df37bfde
Instruction Fuzzy Hash: BF410A31608680FAD7399F29D9C8B2E7B91BFA6314F14443DE0AB57660C771AA83DB11

Function 00CC2D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00CC2D1B
GetDC.USER32(00000000), ref: 00CC2D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00CC2D2E
ReleaseDC.USER32(00000000,00000000), ref: 00CC2D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00CC2D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00CC2D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00CC5A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00CC2DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00CC2DE1

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: aac2d1b9c21fefcfb07bfa6087d61855b4fd5749e6bbd76851bb540c71cf35bb
Instruction ID: c877ab8a0c88270b3a2c38bf107f5b99f7e94e624c05f3972ec28bc4188eed95
Opcode Fuzzy Hash: aac2d1b9c21fefcfb07bfa6087d61855b4fd5749e6bbd76851bb540c71cf35bb
Instruction Fuzzy Hash: 80318972201614BFEB218F54CC8AFEB3FADEF19715F084069FE099A291C6759C51CBA4

Function 00C95622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00C95637
_memcmp.LIBVCRUNTIME ref: 00C95659
_memcmp.LIBVCRUNTIME ref: 00C95671
_memcmp.LIBVCRUNTIME ref: 00C95684
_memcmp.LIBVCRUNTIME ref: 00C9569E
_memcmp.LIBVCRUNTIME ref: 00C956B1
_memcmp.LIBVCRUNTIME ref: 00C956C9
_memcmp.LIBVCRUNTIME ref: 00C956E4

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: e139b586c7d31098b3076fad34d2a65a9ffa13ac121be37ae486334cc6ef7817
Instruction ID: 0ce3bf81c29a46a96dd766501167fdecdd47c113aac9d96c932e39d5474b7570
Opcode Fuzzy Hash: e139b586c7d31098b3076fad34d2a65a9ffa13ac121be37ae486334cc6ef7817
Instruction Fuzzy Hash: 9B21F965741A09B7DA165E21DD9AFFA335DAF20385F480038FD049A781F720EF1593A9

Function 00CB4FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 00CB502E, 00CB5383
Not an Object type, xrefs: 00CB5007

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: b20911faffac848781fd0e7fa848594cd367605045bdcfa720daeb9f32ca7043
Instruction ID: 6c32751428fde7134f91ee556d084f65ae3f76b18b0127bfac90df9ca55fb27f
Opcode Fuzzy Hash: b20911faffac848781fd0e7fa848594cd367605045bdcfa720daeb9f32ca7043
Instruction Fuzzy Hash: A2D1BF71A0060A9FDF14DFA8D881FEEB7B5BF48344F148069E925AB291E771DE41CB90

Function 00C71522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?), ref: 00C715CE
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00C71651
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00C716E4
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00C716FB

Part of subcall function 00C63820: RtlAllocateHeap.NTDLL(00000000,?,00D01444,?,00C4FDF5,?,?,00C3A976,00000010,00D01440,00C313FC,?,00C313C6,?,00C31129), ref: 00C63852

MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00C71777
__freea.LIBCMT ref: 00C717A2
__freea.LIBCMT ref: 00C717AE

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: b193bda199e66be3aa097c1dda90f4443abda9cb7dfa96c5c1ac4e7fe6766ecb
Instruction ID: 0f6e990703c1e5f1b12e3dd35d17ca9f1b0f8320f3e7e5888dde07f8a91d0de6
Opcode Fuzzy Hash: b193bda199e66be3aa097c1dda90f4443abda9cb7dfa96c5c1ac4e7fe6766ecb
Instruction Fuzzy Hash: F3919371E002169ADB288E7DC881AEE7BF5EF49710F1C8659ED19E7181D735DE40CBA0

Function 00CB4523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00CB4648
VariantInit.OLEAUT32(?), ref: 00CB4749
VariantClear.OLEAUT32(?), ref: 00CB4753
VariantClear.OLEAUT32(?), ref: 00CB47B0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 00CB472C
Null Object assignment in FOR..IN loop, xrefs: 00CB45D8, 00CB4706, 00CB47BE

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: d5dc97d191ccc452db1ad451e7e30bbb880d69a7f26521bfed6ca6190cc20d55
Instruction ID: 492a1c98a5b038184de15d2d6a7aa9a3f51b0b5a6b98268b2c11b7b13703ad70
Opcode Fuzzy Hash: d5dc97d191ccc452db1ad451e7e30bbb880d69a7f26521bfed6ca6190cc20d55
Instruction Fuzzy Hash: 6291B470A04219AFDF28CFA5C884FEE7BB8EF46714F108559F515AB282DB709945CFA0

Function 00CA1187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 00CA125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00CA1284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 00CA12A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00CA12D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00CA135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00CA13C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00CA1430

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: dc88d7d5404a25bb69407aacd0a1da1532fb8a27c5f866a38f3e5eeb011ceb71
Instruction ID: a56d0c57284eba2ca348de43fb0cbb102e80537ae2eb6f2e144d104ee84ccd1a
Opcode Fuzzy Hash: dc88d7d5404a25bb69407aacd0a1da1532fb8a27c5f866a38f3e5eeb011ceb71
Instruction Fuzzy Hash: 21911571A0021AAFDB00DF98C884BBEB7B5FF46329F194029ED51EB291D774E941DB90

Function 00C4948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 43ae2e8a7ea0bc66b84873dfbf69ddf87e97fa8f795e2291ee6028d1bdb74123
Instruction ID: 96249ac001a33ca38a0c0445f482a65a9bdb3c99c4163b132d18507e9f75fa10
Opcode Fuzzy Hash: 43ae2e8a7ea0bc66b84873dfbf69ddf87e97fa8f795e2291ee6028d1bdb74123
Instruction Fuzzy Hash: D7912871D00219EFCB10CFA9CC88AEEBBB8FF49320F248559E515B7251D774AA42DB60

Function 00CB3947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00CB396B
CharUpperBuffW.USER32(?,?), ref: 00CB3A7A
_wcslen.LIBCMT ref: 00CB3A8A
VariantClear.OLEAUT32(?), ref: 00CB3C1F

Part of subcall function 00CA0CDF: VariantInit.OLEAUT32(00000000), ref: 00CA0D1F
Part of subcall function 00CA0CDF: VariantCopy.OLEAUT32(?,?), ref: 00CA0D28
Part of subcall function 00CA0CDF: VariantClear.OLEAUT32(?), ref: 00CA0D34

Strings

Incorrect Parameter format, xrefs: 00CB39A6, 00CB3BA1
AUTOIT.ERROR, xrefs: 00CB3A80, 00CB3A85

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 9667e7be86073f1420fdacb3a25ce8ed46a55154b5cc6ea952782e217e371d56
Instruction ID: 0e835d264982d0ce0c88879b50867cafd3a3df3a1a621b4c40452ebdd0393552
Opcode Fuzzy Hash: 9667e7be86073f1420fdacb3a25ce8ed46a55154b5cc6ea952782e217e371d56
Instruction Fuzzy Hash: AB918C756083459FCB04DF68C48096AB7E4FF88714F14892DF89A9B351DB30EE45DB92

Function 00CB4BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 00C9000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C8FF41,80070057,?,?,?,00C9035E), ref: 00C9002B
Part of subcall function 00C9000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C8FF41,80070057,?,?), ref: 00C90046
Part of subcall function 00C9000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C8FF41,80070057,?,?), ref: 00C90054
Part of subcall function 00C9000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C8FF41,80070057,?), ref: 00C90064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00CB4C51
_wcslen.LIBCMT ref: 00CB4D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00CB4DCF
CoTaskMemFree.OLE32(?), ref: 00CB4DDA

Strings

NULL Pointer assignment, xrefs: 00CB4E23, 00CB4E52

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 9f542e9fe810675cf1b07d46b1a1924e680c28edd4153e40a7557dc98f3ac55c
Instruction ID: 46d9c1ac6ac1675cccc34fa79f6c989acb35b44f3f46d73a9a71126b944415f9
Opcode Fuzzy Hash: 9f542e9fe810675cf1b07d46b1a1924e680c28edd4153e40a7557dc98f3ac55c
Instruction Fuzzy Hash: 0E911571D0421DEFDF14DFA4C891AEEBBB9BF08314F108169E915A7291EB709A44DFA0

Function 00CC20FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00CC2183
GetMenuItemCount.USER32(00000000), ref: 00CC21B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00CC21DD
_wcslen.LIBCMT ref: 00CC2213
GetMenuItemID.USER32(?,?), ref: 00CC224D
GetSubMenu.USER32(?,?), ref: 00CC225B

Part of subcall function 00C93A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00C93A57
Part of subcall function 00C93A3D: GetCurrentThreadId.KERNEL32 ref: 00C93A5E
Part of subcall function 00C93A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00C925B3), ref: 00C93A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00CC22E3

Part of subcall function 00C9E97B: Sleep.KERNEL32 ref: 00C9E9F3

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 0f49014cb9b16404f2a1e6678ed86557732be7bca73cec226bd8e61d0aec24fc
Instruction ID: 67cffa5b33bb4d670db8cb5574ac71260d375755d3d3d03fba1e8fa9b9dbf830
Opcode Fuzzy Hash: 0f49014cb9b16404f2a1e6678ed86557732be7bca73cec226bd8e61d0aec24fc
Instruction Fuzzy Hash: F7715E75A00205AFCB14EFA5C885FAEB7B5EF48320F14845DE916EB351D734AE419B90

Function 00CC7E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(016D5568), ref: 00CC7F37
IsWindowEnabled.USER32(016D5568), ref: 00CC7F43
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 00CC801E
SendMessageW.USER32(016D5568,000000B0,?,?), ref: 00CC8051
IsDlgButtonChecked.USER32(?,?), ref: 00CC8089
GetWindowLongW.USER32(016D5568,000000EC), ref: 00CC80AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00CC80C3

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: b0bb653bc8363be675946fe4094893ab7d791d27aea1fca8eb368ece566f69d4
Instruction ID: 746042568aeeb6284a63aa620cb2bf9d5d40c53ba121b63a9a3e163bee420c44
Opcode Fuzzy Hash: b0bb653bc8363be675946fe4094893ab7d791d27aea1fca8eb368ece566f69d4
Instruction Fuzzy Hash: 7C716D34608204AFEB259FA4C8D4FAABBB9EF09340F14455DF965972A1CB31AA45DF20

Function 00C9AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00C9AEF9
GetKeyboardState.USER32(?), ref: 00C9AF0E
SetKeyboardState.USER32(?), ref: 00C9AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 00C9AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 00C9AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 00C9AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00C9B020

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 155ef03426c384b61fea1cfb2d6dd5d5a1beab40142ec756eed6b64b2fb642e8
Instruction ID: 60d3eaa37baa0016693db8744c947aa21cb740df4d517a0c78dfcef5f0de866b
Opcode Fuzzy Hash: 155ef03426c384b61fea1cfb2d6dd5d5a1beab40142ec756eed6b64b2fb642e8
Instruction Fuzzy Hash: 7C51C2E06047D53DFF368274CD4DBBA7EA95B06304F088589E1E9458C2C398AED4D791

Function 00C9ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00C9AD19
GetKeyboardState.USER32(?), ref: 00C9AD2E
SetKeyboardState.USER32(?), ref: 00C9AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00C9ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00C9ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00C9AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00C9AE38

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 6306c56eded3ce44bdee259c2d6551e6f3b4a3dc2348e1d183a48893cf352205
Instruction ID: 551e9ea9e3e6e1267e2f3c1b4d70c09e75ce702e8c66799b2c92ce965541274e
Opcode Fuzzy Hash: 6306c56eded3ce44bdee259c2d6551e6f3b4a3dc2348e1d183a48893cf352205
Instruction Fuzzy Hash: 4C51E7A15047D53DFF378334CC99B7A7EA85B46300F088488E1E5468C2D394EE94E792

Function 00C6542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00C73CD6,?,?,?,?,?,?,?,?,00C65BA3,?,?,00C73CD6,?,?), ref: 00C65470
__fassign.LIBCMT ref: 00C654EB
__fassign.LIBCMT ref: 00C65506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00C73CD6,00000005,00000000,00000000), ref: 00C6552C
WriteFile.KERNEL32(?,00C73CD6,00000000,00C65BA3,00000000,?,?,?,?,?,?,?,?,?,00C65BA3,?), ref: 00C6554B
WriteFile.KERNEL32(?,?,00000001,00C65BA3,00000000,?,?,?,?,?,?,?,?,?,00C65BA3,?), ref: 00C65584

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 7173984d73b866e9b6c8c0f3d24fa3fdef2c641cc768297702d50a5506428aae
Instruction ID: cc3101e8493f277a012217dca332614440bf6a8bb737db603e9e29bcd1b7da05
Opcode Fuzzy Hash: 7173984d73b866e9b6c8c0f3d24fa3fdef2c641cc768297702d50a5506428aae
Instruction Fuzzy Hash: 03519671900649AFDB21CFA8D885BEEBBF9EF09300F24455EF556E7291D7309A41CB60

Function 00C52D20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00C52D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00C52D53
_ValidateLocalCookies.LIBCMT ref: 00C52DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00C52E0C
_ValidateLocalCookies.LIBCMT ref: 00C52E61

Strings

csm, xrefs: 00C52DF6

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 9c2be39763740ca817ae01518e0248fb5078d963672240feb65afbda13f9a310
Instruction ID: d361477581fd0bc6e05aecb2bae057828415b6ce3c799279ea852de5f4cf39eb
Opcode Fuzzy Hash: 9c2be39763740ca817ae01518e0248fb5078d963672240feb65afbda13f9a310
Instruction Fuzzy Hash: 6341D638A00208DBCF14DF68C885A9EBBF4BF46366F148155EC146B392D731AA89CBD4

Function 00CB10B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00CB304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00CB307A
Part of subcall function 00CB304E: _wcslen.LIBCMT ref: 00CB309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00CB1112
WSAGetLastError.WSOCK32 ref: 00CB1121
WSAGetLastError.WSOCK32 ref: 00CB11C9
closesocket.WSOCK32(00000000), ref: 00CB11F9

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 145ed8a7a93bf94de9f4a39cda5cd15df0bca4697ae232d9c7c6819d4f4a77a6
Instruction ID: fe87b39096ce670a5246fb1c7e449af0b02603d589ddb29a4b840c00a2608cf3
Opcode Fuzzy Hash: 145ed8a7a93bf94de9f4a39cda5cd15df0bca4697ae232d9c7c6819d4f4a77a6
Instruction Fuzzy Hash: 1041E535600204AFDB109F58C894BEEB7E9EF45364F588059FD19AB292C770EE41CBE1

Function 00C9CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00C9DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00C9CF22,?), ref: 00C9DDFD

Part of subcall function 00C9DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00C9CF22,?), ref: 00C9DE16

lstrcmpiW.KERNEL32(?,?), ref: 00C9CF45
MoveFileW.KERNEL32(?,?), ref: 00C9CF7F
_wcslen.LIBCMT ref: 00C9D005
_wcslen.LIBCMT ref: 00C9D01B
SHFileOperationW.SHELL32(?), ref: 00C9D061

Strings

\*.*, xrefs: 00C9CFF3

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: b04e8f0e845a80878c4e2e4e0155554bc3069d766f1061bde3c25ba6f31d8b23
Instruction ID: 9e9e141e35814c0103f49bb3a4b74da0c1c3ad4035e154954f2bac1f785090f4
Opcode Fuzzy Hash: b04e8f0e845a80878c4e2e4e0155554bc3069d766f1061bde3c25ba6f31d8b23
Instruction Fuzzy Hash: 304154719052189FDF12EFE4D9C5EDEB7B8AF18380F0000E6E509EB142EA34A788DB50

Function 00CC2DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00CC2E1C
GetWindowLongW.USER32(?,000000F0), ref: 00CC2E4F
GetWindowLongW.USER32(?,000000F0), ref: 00CC2E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00CC2EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00CC2EE0
GetWindowLongW.USER32(?,000000F0), ref: 00CC2EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00CC2F0B

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 109664d367ce1c6fd3535f5522f90be7ab2048878ceb73db65f993dc2c87b218
Instruction ID: 733f5f469fd09dacc16548601d285a209e9b41ac2aa399b65d1a8be597177b08
Opcode Fuzzy Hash: 109664d367ce1c6fd3535f5522f90be7ab2048878ceb73db65f993dc2c87b218
Instruction Fuzzy Hash: F6311334604254AFDB20DF58EC84FA937E0EB8A711F140168F928EB2B1CB71ED40DB10

Function 00C97726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00C97769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00C9778F
SysAllocString.OLEAUT32(00000000), ref: 00C97792
SysAllocString.OLEAUT32(?), ref: 00C977B0
SysFreeString.OLEAUT32(?), ref: 00C977B9
StringFromGUID2.OLE32(?,?,00000028), ref: 00C977DE
SysAllocString.OLEAUT32(?), ref: 00C977EC

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: d5e183700076b7e698d38895794c01b0bcb52759b19344779e09e7d682b76598
Instruction ID: 5fbeb223ca602ec111faf27cd97e0eeb8cd8a334bc506c35cdfc90ca13b5259d
Opcode Fuzzy Hash: d5e183700076b7e698d38895794c01b0bcb52759b19344779e09e7d682b76598
Instruction Fuzzy Hash: 7421B076605219AFDF11DFA9CC88EBF73ACEB093647048125FA18DB2A0D670DD41C760

Function 00C977FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00C97842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00C97868
SysAllocString.OLEAUT32(00000000), ref: 00C9786B
SysAllocString.OLEAUT32 ref: 00C9788C
SysFreeString.OLEAUT32 ref: 00C97895
StringFromGUID2.OLE32(?,?,00000028), ref: 00C978AF
SysAllocString.OLEAUT32(?), ref: 00C978BD

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 63745c830bd8529290cb5418919ff80d185120674e7acd643ff65c266fd52abd
Instruction ID: dbbe10a204f33595719186b9c5649093a2caef09bef67106868eab8fc3502e23
Opcode Fuzzy Hash: 63745c830bd8529290cb5418919ff80d185120674e7acd643ff65c266fd52abd
Instruction Fuzzy Hash: 50219D31609204AFDF10AFA9DC8CEBA77ACFB087607148225F915DB2A1DA74DD41CB68

Function 00CA04D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00CA04F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00CA052E

Strings

nul, xrefs: 00CA0567

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 95f1af0de67db6e0f990bf0d8262361b0b9afebcb7934a59b432f605d2540485
Instruction ID: d5a86422a4c6e58ebc69a45a0fdbe7e373a9962217dd8dca25700747250dda90
Opcode Fuzzy Hash: 95f1af0de67db6e0f990bf0d8262361b0b9afebcb7934a59b432f605d2540485
Instruction Fuzzy Hash: F7217E71900306ABDF209F69DC44B9A7BB4AF467A8F304A19E8B1D62E0D770DA50CF24

Function 00CA05A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00CA05C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00CA0601

Strings

nul, xrefs: 00CA0639

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 11edb952d8dc87781814c55215717197e5c7a16ddf57b6414c6dec1063783e85
Instruction ID: f99e83b9c722983a25e486d41b7284f7be33ee887695f869ad9018fff2b1d6a7
Opcode Fuzzy Hash: 11edb952d8dc87781814c55215717197e5c7a16ddf57b6414c6dec1063783e85
Instruction Fuzzy Hash: F9214F755003069BDB209F69DC44B9A77A4AF967A9F300A19FDB1E72E0E7709960CB10

Function 00CC40AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C3600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00C3604C
Part of subcall function 00C3600E: GetStockObject.GDI32(00000011), ref: 00C36060
Part of subcall function 00C3600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00C3606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00CC4112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00CC411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00CC412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00CC4139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00CC4145

Strings

Msctls_Progress32, xrefs: 00CC40E3

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 786d27e49af99d8c5193a1d9d6e2bb142650fb906374ae83f37e78a62d7c446f
Instruction ID: 35bb10f8a01db39807c5a18946da924dd4533d710d44a8ea618a9a4683104e03
Opcode Fuzzy Hash: 786d27e49af99d8c5193a1d9d6e2bb142650fb906374ae83f37e78a62d7c446f
Instruction Fuzzy Hash: DE1190B2150219BEEF118F64CC86EEB7FADEF08798F008111FA58A2150C6729C219BA4

Function 00C6D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00C6D7A3: _free.LIBCMT ref: 00C6D7CC

_free.LIBCMT ref: 00C6D82D

Part of subcall function 00C629C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00C6D7D1,00000000,00000000,00000000,00000000,?,00C6D7F8,00000000,00000007,00000000,?,00C6DBF5,00000000), ref: 00C629DE
Part of subcall function 00C629C8: GetLastError.KERNEL32(00000000,?,00C6D7D1,00000000,00000000,00000000,00000000,?,00C6D7F8,00000000,00000007,00000000,?,00C6DBF5,00000000,00000000), ref: 00C629F0

_free.LIBCMT ref: 00C6D838
_free.LIBCMT ref: 00C6D843
_free.LIBCMT ref: 00C6D897
_free.LIBCMT ref: 00C6D8A2
_free.LIBCMT ref: 00C6D8AD
_free.LIBCMT ref: 00C6D8B8

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: 9ac63cfe9ab8302a4d09b88cff2714998a0e03bb3ca402b4c8970c141bf23066
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: D7115B71B40B04AADA31BFB0CC87FCB7BDCAF44700F440825B29AE6092DA65B505A662

Function 00C9DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00C9DA74
LoadStringW.USER32(00000000), ref: 00C9DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00C9DA91
LoadStringW.USER32(00000000), ref: 00C9DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00C9DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00C9DAB9

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 5cd2fddd132f95d71b02e7c44e190eff9032f4bcdcbc449a64cf0814fae3a4a1
Instruction ID: 39b395a5670787c9579a2a90d0d35db1ad1d1a419bdad7a9d44e9cf1cb62a420
Opcode Fuzzy Hash: 5cd2fddd132f95d71b02e7c44e190eff9032f4bcdcbc449a64cf0814fae3a4a1
Instruction Fuzzy Hash: 2C0162F25002087FEB10ABA4DDC9FEB366CE708701F400495F74AE2041EA749E854F74

Function 00CA096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(016CE188,016CE188), ref: 00CA097B
EnterCriticalSection.KERNEL32(016CE168,00000000), ref: 00CA098D
TerminateThread.KERNEL32(?,000001F6), ref: 00CA099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 00CA09A9
CloseHandle.KERNEL32(?), ref: 00CA09B8
InterlockedExchange.KERNEL32(016CE188,000001F6), ref: 00CA09C8
LeaveCriticalSection.KERNEL32(016CE168), ref: 00CA09CF

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: fe733dfc93fdef0f2ad0bd8e573f06e06312ad15b994403d3e9abc21a58cdd2b
Instruction ID: 378ae11c8e7a82eb560df4d455fa27db790f3a0fd6d5dbb4bd2399d8c365a6f8
Opcode Fuzzy Hash: fe733dfc93fdef0f2ad0bd8e573f06e06312ad15b994403d3e9abc21a58cdd2b
Instruction Fuzzy Hash: CBF01932442A02ABD7415BA4EEC8FDABA29FF01742F542025F206908A1C7749575CF90

Function 00C35D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00C35D30
GetWindowRect.USER32(?,?), ref: 00C35D71
ScreenToClient.USER32(?,?), ref: 00C35D99
GetClientRect.USER32(?,?), ref: 00C35ED7
GetWindowRect.USER32(?,?), ref: 00C35EF8

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: c895bbcc17e87effcf568d3dcdfe2a208c82774718a697dcd32467396d984c7b
Instruction ID: b16f8876ca7e4bb504764d51e8f62640a6d859135b2ddcb040aca5f6556c0269
Opcode Fuzzy Hash: c895bbcc17e87effcf568d3dcdfe2a208c82774718a697dcd32467396d984c7b
Instruction Fuzzy Hash: B8B18875A10B4ADBDB14CFA9C4807EEB7F1FF48310F14841AE8AAD7290DB34AA51DB50

Function 00C601B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 00C600BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00C600D6
__allrem.LIBCMT ref: 00C600ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00C6010B
__allrem.LIBCMT ref: 00C60122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00C60140

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction ID: d7c99cd08b02066c53556db17ddc80a799f0857d7582af902cd410b8bea49f0f
Opcode Fuzzy Hash: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction Fuzzy Hash: A38127766007069BE7349E69CC82B6F73E8AF41320F24463EF861E6681E770DE419754

Function 00CB1D10 Relevance: 9.3, APIs: 6, Instructions: 254networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00CB3149: select.WSOCK32(00000000,?,00000000,00000000,?,?,?,00000000,?,?,?,00CB101C,00000000,?,?,00000000), ref: 00CB3195

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00CB1DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00CB1DE1
WSAGetLastError.WSOCK32 ref: 00CB1DF2
inet_ntoa.WSOCK32(?), ref: 00CB1E8C
htons.WSOCK32(?,?,?,?,?), ref: 00CB1EDB
_strlen.LIBCMT ref: 00CB1F35

Part of subcall function 00C939E8: _strlen.LIBCMT ref: 00C939F2

Part of subcall function 00C36D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000002,?,?,?,?,00C4CF58,?,?,?), ref: 00C36DBA
Part of subcall function 00C36D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,?,?,?,00C4CF58,?,?,?), ref: 00C36DED

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: ByteCharMultiWide_strlen$ErrorLasthtonsinet_ntoaselect
String ID:
API String ID: 1923757996-0
Opcode ID: 37d8d0bde46b33f7eef534a31458ca045d977e3fb46f31385883a40b451c422c
Instruction ID: c6a0898f42fb4a858748d5d7dbdcddf4ef4274ac0ecfd1bbeef3261e5c18ce5d
Opcode Fuzzy Hash: 37d8d0bde46b33f7eef534a31458ca045d977e3fb46f31385883a40b451c422c
Instruction Fuzzy Hash: 96A1D231104340AFC724DF64C895F6A7BE5AF84318F98894CF9565B2E2CB71EE46CB91

Function 00C661FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00C582D9,00C582D9,?,?,?,00C6644F,00000001,00000001,8BE85006), ref: 00C66258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00C6644F,00000001,00000001,8BE85006,?,?,?), ref: 00C662DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00C663D8
__freea.LIBCMT ref: 00C663E5

Part of subcall function 00C63820: RtlAllocateHeap.NTDLL(00000000,?,00D01444,?,00C4FDF5,?,?,00C3A976,00000010,00D01440,00C313FC,?,00C313C6,?,00C31129), ref: 00C63852

__freea.LIBCMT ref: 00C663EE
__freea.LIBCMT ref: 00C66413

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 85ff18ebbf68e30bdfb13af12c323147b6bf4c4d586fbddaf90c76626300096a
Instruction ID: b294b4f09bafa164aa5e814a349719f60f35f6e5462b7a5d91261590099edb0c
Opcode Fuzzy Hash: 85ff18ebbf68e30bdfb13af12c323147b6bf4c4d586fbddaf90c76626300096a
Instruction Fuzzy Hash: 4251DF72A00216ABEB358F64CCC1EBF7BA9EF44710F19462AFD15DA250EB34DD41D6A0

Function 00CBBBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C39CB3: _wcslen.LIBCMT ref: 00C39CBD

Part of subcall function 00CBC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00CBB6AE,?,?), ref: 00CBC9B5
Part of subcall function 00CBC998: _wcslen.LIBCMT ref: 00CBC9F1
Part of subcall function 00CBC998: _wcslen.LIBCMT ref: 00CBCA68
Part of subcall function 00CBC998: _wcslen.LIBCMT ref: 00CBCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00CBBCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00CBBD25
RegCloseKey.ADVAPI32(00000000), ref: 00CBBD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00CBBD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00CBBDF3
RegCloseKey.ADVAPI32(?), ref: 00CBBDFF

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 7d5bc107d723c929bcc03ccd7d9949275858729b5e8c9a5acd27897537f383b6
Instruction ID: 7da2dc46f7f10352bfc3a28dc0b45e1f381cb70ee43facf84dcd7d35e08048ce
Opcode Fuzzy Hash: 7d5bc107d723c929bcc03ccd7d9949275858729b5e8c9a5acd27897537f383b6
Instruction Fuzzy Hash: 7681B230218241EFD714DF24C895E6ABBE5FF84308F14855CF4998B2A2DB71ED45DB92

Function 00C8F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 00C8F7B9
SysAllocString.OLEAUT32(00000001), ref: 00C8F860
VariantCopy.OLEAUT32(00C8FA64,00000000), ref: 00C8F889
VariantClear.OLEAUT32(00C8FA64), ref: 00C8F8AD
VariantCopy.OLEAUT32(00C8FA64,00000000), ref: 00C8F8B1
VariantClear.OLEAUT32(?), ref: 00C8F8BB

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 5731483a6d3d5068a665522d19f356e7d35c84d863413ce594b2d287948a8196
Instruction ID: db34acecac33435f835468c365c5aea43a9bb590375def318d170320dd4cd664
Opcode Fuzzy Hash: 5731483a6d3d5068a665522d19f356e7d35c84d863413ce594b2d287948a8196
Instruction Fuzzy Hash: A651B731610310BBCF24BF66D895B29B3A4EF45318F24947EE905DF291DB708C42D7AA

Function 00CA910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00C37620: _wcslen.LIBCMT ref: 00C37625

Part of subcall function 00C36B57: _wcslen.LIBCMT ref: 00C36B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 00CA94E5
_wcslen.LIBCMT ref: 00CA9506
_wcslen.LIBCMT ref: 00CA952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00CA9585

Strings

X, xrefs: 00CA9412

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: a9be66c5c1d764b91cdd445bcefcdc0836efc0102d3216519c011cd61ff84d6d
Instruction ID: 822043365a9c287fca6ac8956dc05c2cdf9b0a2f4cd794d966729e8ac3e858f8
Opcode Fuzzy Hash: a9be66c5c1d764b91cdd445bcefcdc0836efc0102d3216519c011cd61ff84d6d
Instruction Fuzzy Hash: 50E19F719183419FCB24DF24C882B6AB7E4FF85314F04896DF8999B2A2DB31DD05CB92

Function 00C4920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00C49BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00C49BB2

BeginPaint.USER32(?,?,?), ref: 00C49241
GetWindowRect.USER32(?,?), ref: 00C492A5
ScreenToClient.USER32(?,?), ref: 00C492C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00C492D3
EndPaint.USER32(?,?,?,?,?), ref: 00C49321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00C871EA

Part of subcall function 00C49339: BeginPath.GDI32(00000000), ref: 00C49357

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: c246c71f93bfdbe114f37742b81f46304bdec25046fb5948c755cbfac466723f
Instruction ID: ef664a2c05760cdfd398ddde6d857bac0f8c149a598caa84b0082349639a9083
Opcode Fuzzy Hash: c246c71f93bfdbe114f37742b81f46304bdec25046fb5948c755cbfac466723f
Instruction Fuzzy Hash: C741AB70104310AFD720DF25DC88FAB7BB8FB4A324F140229F9A8C72A1C7709945DB61

Function 00CA07EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00CA080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00CA0847
EnterCriticalSection.KERNEL32(?), ref: 00CA0863
LeaveCriticalSection.KERNEL32(?), ref: 00CA08DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 00CA08F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00CA0921

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 317b6bb409752e220bb53554c4f8cb7c47841eb71574cb57d8fd2bcffedf6491
Instruction ID: 49724ef1c66b838a2e01fd7986268d79cffb2ead2dc4bae40f7a33288ccdece8
Opcode Fuzzy Hash: 317b6bb409752e220bb53554c4f8cb7c47841eb71574cb57d8fd2bcffedf6491
Instruction Fuzzy Hash: 8D416A71900205EFDF149F64DC85AAAB7B8FF05304F2440A9ED049A297D730DE65DBA4

Function 00CC81DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,00C8F3AB,00000000,?,?,00000000,?,00C8682C,00000004,00000000,00000000), ref: 00CC824C
EnableWindow.USER32(?,00000000), ref: 00CC8272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 00CC82D1
ShowWindow.USER32(?,00000004), ref: 00CC82E5
EnableWindow.USER32(?,00000001), ref: 00CC830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00CC832F

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: f5b5a0b57026f1b45e7221ccabe5984fa13f51adc904e89e49dbdae7b1f6dbce
Instruction ID: e28c41fc9cddabab1fcf9d029e26b71629527508f34a9bfb4c4cfc2e2955d03a
Opcode Fuzzy Hash: f5b5a0b57026f1b45e7221ccabe5984fa13f51adc904e89e49dbdae7b1f6dbce
Instruction Fuzzy Hash: 88418174601644EFDF21CF15D899FA97BE0FB0A714F1851ADE5288B2B2CB31A949CF50

Function 00C94C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00C94C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00C94CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00C94CEA
_wcslen.LIBCMT ref: 00C94D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00C94D10
_wcsstr.LIBVCRUNTIME ref: 00C94D1A

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 14d9eff26181ca3cf862a60b5106699a8d3cfd565a2036d5833175e81cf76330
Instruction ID: 70b193561fc9ce008f9e76bd67d4fea3e998dd51dd2cd002c936a28ba8938863
Opcode Fuzzy Hash: 14d9eff26181ca3cf862a60b5106699a8d3cfd565a2036d5833175e81cf76330
Instruction Fuzzy Hash: 8921F636604200BBEF195B39ED4DF7F7BACDF45750F10802DF809CA191EA61DD4296A0

Function 00CA581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00C33AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C33A97,?,?,00C32E7F,?,?,?,00000000), ref: 00C33AC2

_wcslen.LIBCMT ref: 00CA587B
CoInitialize.OLE32(00000000), ref: 00CA5995
CoCreateInstance.OLE32(00CCFCF8,00000000,00000001,00CCFB68,?), ref: 00CA59AE
CoUninitialize.OLE32 ref: 00CA59CC

Strings

.lnk, xrefs: 00CA5876, 00CA58C1, 00CA5985

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 79ab2ec36ccfa3df14ca1fcf57f3193a67b2c1685591788e8fff1ca3b5c7efaf
Instruction ID: 989aff05c493a282b8d60fd45e67f35e61182015b3111d21d8e7b2fc000345e6
Opcode Fuzzy Hash: 79ab2ec36ccfa3df14ca1fcf57f3193a67b2c1685591788e8fff1ca3b5c7efaf
Instruction Fuzzy Hash: 37D174756087029FC714DF25C484A2ABBE1FF8A318F14895DF8999B361CB31ED46CB92

Function 00C9175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C90FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00C90FCA
Part of subcall function 00C90FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00C90FD6
Part of subcall function 00C90FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00C90FE5
Part of subcall function 00C90FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00C90FEC
Part of subcall function 00C90FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00C91002

GetLengthSid.ADVAPI32(?,00000000,00C91335), ref: 00C917AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00C917BA
HeapAlloc.KERNEL32(00000000), ref: 00C917C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 00C917DA
GetProcessHeap.KERNEL32(00000000,00000000,00C91335), ref: 00C917EE
HeapFree.KERNEL32(00000000), ref: 00C917F5

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 1924671b53d7b501aefa88a76fbe8744edd03eb5071a36f103519eed1ef79158
Instruction ID: 698dd7145b42cffb32330c766816b50518901544b4cd8f772c370219c47626cd
Opcode Fuzzy Hash: 1924671b53d7b501aefa88a76fbe8744edd03eb5071a36f103519eed1ef79158
Instruction Fuzzy Hash: 01117C32500606FFDF109FE5CC8AFAE7BA9EB45355F184018F85597220D735AA45CB60

Function 00C914CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00C914FF
OpenProcessToken.ADVAPI32(00000000), ref: 00C91506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00C91515
CloseHandle.KERNEL32(00000004), ref: 00C91520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00C9154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00C91563

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 265b37b4f204994c1c8190bf8bfef3346a1d7bf28b55ffff52666ec29338e0c0
Instruction ID: b98f569a6fb8e6ece13962732299fa3c5b05f92f509640091e5168dab6982f52
Opcode Fuzzy Hash: 265b37b4f204994c1c8190bf8bfef3346a1d7bf28b55ffff52666ec29338e0c0
Instruction Fuzzy Hash: 9C11297250024AABDF118F98ED8AFDE7BA9FF48744F098015FE19A2060C375CE61DB60

Function 00C53382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00C53379,00C52FE5), ref: 00C53390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00C5339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00C533B7
SetLastError.KERNEL32(00000000,?,00C53379,00C52FE5), ref: 00C53409

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 4af851cba284e0643e0f82cc452e1d4e36d62903be31450b2430fc41d22e21d1
Instruction ID: f5df01df1c35c43523948c4ae24abc1bf0152adcbb01e9fea0f80b041fa99c49
Opcode Fuzzy Hash: 4af851cba284e0643e0f82cc452e1d4e36d62903be31450b2430fc41d22e21d1
Instruction Fuzzy Hash: 8D01F53A709355AFE62527747DC5BAE2A54EB153FB320022DFC20851F0EF114E8BA54C

Function 00C62D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00C65686,00C73CD6,?,00000000,?,00C65B6A,?,?,?,?,?,00C5E6D1,?,00CF8A48), ref: 00C62D78
_free.LIBCMT ref: 00C62DAB
_free.LIBCMT ref: 00C62DD3
SetLastError.KERNEL32(00000000,?,?,?,?,00C5E6D1,?,00CF8A48,00000010,00C34F4A,?,?,00000000,00C73CD6), ref: 00C62DE0
SetLastError.KERNEL32(00000000,?,?,?,?,00C5E6D1,?,00CF8A48,00000010,00C34F4A,?,?,00000000,00C73CD6), ref: 00C62DEC
_abort.LIBCMT ref: 00C62DF2

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 67b7e3c0ee43d680624a0cf7ab76b32fb1b081598c4477c6f0560be88958be89
Instruction ID: bcc90bd086aa0b186d674df6017f5b2cea46b8733823c00756d35c581a37a4c6
Opcode Fuzzy Hash: 67b7e3c0ee43d680624a0cf7ab76b32fb1b081598c4477c6f0560be88958be89
Instruction Fuzzy Hash: E9F0C832A04E0127C2322735BCD6F6E2659AFC27A1F254418F838921E2EF248902E271

Function 00CC8A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00C49639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00C49693
Part of subcall function 00C49639: SelectObject.GDI32(?,00000000), ref: 00C496A2
Part of subcall function 00C49639: BeginPath.GDI32(?), ref: 00C496B9
Part of subcall function 00C49639: SelectObject.GDI32(?,00000000), ref: 00C496E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00CC8A4E
LineTo.GDI32(?,00000003,00000000), ref: 00CC8A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00CC8A70
LineTo.GDI32(?,00000000,00000003), ref: 00CC8A80
EndPath.GDI32(?), ref: 00CC8A90
StrokePath.GDI32(?), ref: 00CC8AA0

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 913e04555cb23564d6194dd92f9515d21501ec0f3b57728f2ecc8c7c85f89a70
Instruction ID: b70bef24f8c6e575c903cedeba8a1d0096b7b8554c3af9bcc25f8ab97cf4b668
Opcode Fuzzy Hash: 913e04555cb23564d6194dd92f9515d21501ec0f3b57728f2ecc8c7c85f89a70
Instruction Fuzzy Hash: 0F110576400108FFEB129F90EC88FAA7F6CEB08350F048026FA599A1A1C7719E55DFA0

Function 00C951FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00C95218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00C95229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00C95230
ReleaseDC.USER32(00000000,00000000), ref: 00C95238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 00C9524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00C95261

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: c62bbe78c5cbbfd095d5817f5fdbc5eb85731ff8f02871f5a1452e1780de1d1d
Instruction ID: 9f17664071b623ce1e952d2de5406f3fdc371e2da19d5c66a6345db6b10011aa
Opcode Fuzzy Hash: c62bbe78c5cbbfd095d5817f5fdbc5eb85731ff8f02871f5a1452e1780de1d1d
Instruction Fuzzy Hash: D5014475A01B14BBEF105BA5DD89F5EBFB8EB44751F044065FA08A7281D6709901CB60

Function 00C31BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00C31BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00C31BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00C31C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00C31C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00C31C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00C31C22

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 413bbed8013195024636844e4c60438e6e22cc24d418be6df479e9d131634a18
Instruction ID: cd9ec7bd3a049804802bfd62530fd02057dccf4c5c45e1ec29ddb0ea3b3c3b21
Opcode Fuzzy Hash: 413bbed8013195024636844e4c60438e6e22cc24d418be6df479e9d131634a18
Instruction Fuzzy Hash: F40167B0902B5ABDE3008F6A8C85B56FFA8FF19354F00411BE15C4BA42C7F5A864CBE5

Function 00C9EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00C9EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00C9EB46
GetWindowThreadProcessId.USER32(?,?), ref: 00C9EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00C9EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00C9EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00C9EB75

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 15a9b7e13d1947610ef882aa417f4aee87405a34c8c4f3ef0ed288f0db858d6a
Instruction ID: f8c6f6b0fed7612d23d57e9bde0bd6a374dc809bcdf3226d025cecdad43f041f
Opcode Fuzzy Hash: 15a9b7e13d1947610ef882aa417f4aee87405a34c8c4f3ef0ed288f0db858d6a
Instruction Fuzzy Hash: C5F03A72A40158BBE7215B63DD4EFEF3A7CEFCAB15F000158F615E1091D7A05A01C6B5

Function 00C87439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00C87452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00C87469
GetWindowDC.USER32(?), ref: 00C87475
GetPixel.GDI32(00000000,?,?), ref: 00C87484
ReleaseDC.USER32(?,00000000), ref: 00C87496
GetSysColor.USER32(00000005), ref: 00C874B0

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: b043206e713b46a6a2a0a65290c89f675c81780275c370a19b645ed991b8d120
Instruction ID: 44fa54e587b186ed66f1bccf728feedc2aa83771afd91f00d264f33c70732c05
Opcode Fuzzy Hash: b043206e713b46a6a2a0a65290c89f675c81780275c370a19b645ed991b8d120
Instruction Fuzzy Hash: DE014631400215FFEB51AFA4DD48FAE7BB5FB04321F650164FA2AA21A1CB311E52EF60

Function 00C91874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00C9187F
UnloadUserProfile.USERENV(?,?), ref: 00C9188B
CloseHandle.KERNEL32(?), ref: 00C91894
CloseHandle.KERNEL32(?), ref: 00C9189C
GetProcessHeap.KERNEL32(00000000,?), ref: 00C918A5
HeapFree.KERNEL32(00000000), ref: 00C918AC

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 1a9e555ec20b55805698043df5eeda49b1303e5b9723a3d4e5107b943e6cd7d4
Instruction ID: 564601ed26d3b5f8ca394b2a834036e0cacdc73d3d422da3dbed05c7f74b17d7
Opcode Fuzzy Hash: 1a9e555ec20b55805698043df5eeda49b1303e5b9723a3d4e5107b943e6cd7d4
Instruction Fuzzy Hash: 2BE0C236404501BBDB015BA2ED4CF4EBB29FB49B22B148220F22981470CB329420DB50

Function 00C9C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C37620: _wcslen.LIBCMT ref: 00C37625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00C9C6EE
_wcslen.LIBCMT ref: 00C9C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00C9C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00C9C7CA

Strings

0, xrefs: 00C9C6AF

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: ba3d843e6867bb1018e92c2366879bee069dbe3c65963ef7485126f7fcec57d1
Instruction ID: 08616583d18ad73fe2446a925a53fba77c6b207ed18225bdba80d0675939ed64
Opcode Fuzzy Hash: ba3d843e6867bb1018e92c2366879bee069dbe3c65963ef7485126f7fcec57d1
Instruction Fuzzy Hash: 1551BE716143019BDB149F68C8C9B6BB7E8AF89314F040A2DF9A5D32E0DB70DA44DF62

Function 00CBAD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 00CBAEA3

Part of subcall function 00C37620: _wcslen.LIBCMT ref: 00C37625

GetProcessId.KERNEL32(00000000), ref: 00CBAF38
CloseHandle.KERNEL32(00000000), ref: 00CBAF67

Strings

<, xrefs: 00CBAE6B
@, xrefs: 00CBAE72

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 17c544f8b118efcf208031b9662b9acf2fb103d8339d1b067c2eb4aaf4e16801
Instruction ID: f65a1834edd79e5c1846d977c8a9d0091023992578d0c2f52bcf9d718d3f7490
Opcode Fuzzy Hash: 17c544f8b118efcf208031b9662b9acf2fb103d8339d1b067c2eb4aaf4e16801
Instruction Fuzzy Hash: AC715975A00619DFCB14DFA5C484A9EBBF0FF08314F048499E896AB3A2C774EE45DB91

Function 00C9719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00C97206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00C9723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00C9724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00C972CF

Strings

DllGetClassObject, xrefs: 00C97242

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: e38342f25bb3cbee2448e3beb655cdcfe3ab6107b1e4c3b4690574265f79a357
Instruction ID: c94af2e4c131182f2a3762feac2fabf67362df9834204e21cb4ff3cbe9314f72
Opcode Fuzzy Hash: e38342f25bb3cbee2448e3beb655cdcfe3ab6107b1e4c3b4690574265f79a357
Instruction Fuzzy Hash: A4418E71625604EFDF15CF55C888B9A7BA9EF44710F2581ADFD099F20AD7B0DA40CBA0

Function 00CC3D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00CC3E35
IsMenu.USER32(?), ref: 00CC3E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00CC3E92
DrawMenuBar.USER32 ref: 00CC3EA5

Strings

0, xrefs: 00CC3D89

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: 37c7d76f29fe24a54f96367194bf450bb46aefbc49f986d0b66807661a46bc41
Instruction ID: 197cb634c908acf75219579f4c2d11b683e30326883f9c167aab2bf79d409997
Opcode Fuzzy Hash: 37c7d76f29fe24a54f96367194bf450bb46aefbc49f986d0b66807661a46bc41
Instruction Fuzzy Hash: E3414675A00249AFDB10DF50E884FAABBB9FF49354F04812DE925A7350D730AE85DFA0

Function 00C91DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C39CB3: _wcslen.LIBCMT ref: 00C39CBD

Part of subcall function 00C93CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00C93CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00C91E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00C91E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 00C91EA9

Part of subcall function 00C36B57: _wcslen.LIBCMT ref: 00C36B6A

Strings

ComboBox, xrefs: 00C91DF0
ListBox, xrefs: 00C91E25

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: 8843edc1534e2d0a0ee6d5017267932f05dbea565c65a90de746b2f9f4bda5ea
Instruction ID: e6810aa35cc0b7628481310765fcc197df6856fc66cf271912a0487ab9b5e548
Opcode Fuzzy Hash: 8843edc1534e2d0a0ee6d5017267932f05dbea565c65a90de746b2f9f4bda5ea
Instruction Fuzzy Hash: D721F375A00104BBDF14AB64DC8EDFFB7B8EF45350F144129FD25A71E1DB744A0AA620

Function 00CBC9EA Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 91COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00CBC9F1
_wcslen.LIBCMT ref: 00CBCA68
_wcslen.LIBCMT ref: 00CBCA9E
_wcslen.LIBCMT ref: 00CBCAF9
_wcslen.LIBCMT ref: 00CBCB2F
_wcslen.LIBCMT ref: 00CBCB7F

Strings

HKLM, xrefs: 00CBCA98, 00CBCA9D
HKEY_LOCAL_MACHINE, xrefs: 00CBCA62, 00CBCA67

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: _wcslen
String ID: HKEY_LOCAL_MACHINE$HKLM
API String ID: 176396367-4004644295
Opcode ID: 8aac020cdcf89a20fff693bd1939dadc7d2386e6f48c41a3745bc47dcaf2c41c
Instruction ID: afb09ecad322fd6f42739369dde1033f5e8b008f8a7ac65cf7963740be0193f9
Opcode Fuzzy Hash: 8aac020cdcf89a20fff693bd1939dadc7d2386e6f48c41a3745bc47dcaf2c41c
Instruction Fuzzy Hash: C231D072A0016A8ACB20DF6CD9C11FE33919BA1754F154129EC65AB385EA71CF84B3A1

Function 00CC2F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00CC2F8D
LoadLibraryW.KERNEL32(?), ref: 00CC2F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00CC2FA9
DestroyWindow.USER32(?), ref: 00CC2FB1

Strings

SysAnimate32, xrefs: 00CC2F68

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 5745c1fb23d1c728b820a93630423e331855793af8e08bdf66d8c1e83fc1297a
Instruction ID: e0ab4f80ed7a7112965bd3215bed84a85248fccd720db3586187332052d84b7a
Opcode Fuzzy Hash: 5745c1fb23d1c728b820a93630423e331855793af8e08bdf66d8c1e83fc1297a
Instruction Fuzzy Hash: 2421CD71600229AFEB218FA4DC80FBB77BDEB59364F10422CFA64D2190D771DC51A760

Function 00C54D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00C54D1E,00C628E9,?,00C54CBE,00C628E9,00CF88B8,0000000C,00C54E15,00C628E9,00000002), ref: 00C54D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00C54DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00C54D1E,00C628E9,?,00C54CBE,00C628E9,00CF88B8,0000000C,00C54E15,00C628E9,00000002,00000000), ref: 00C54DC3

Strings

mscoree.dll, xrefs: 00C54D86
CorExitProcess, xrefs: 00C54D98

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 20e531e8b4a38674a46d969b008749eff97081a1880d04877313a8fb2dee8154
Instruction ID: a0f3e871e1c1e71c19ed9ccc0ade0286e017a9aaf424186608b7b911e0e3adb0
Opcode Fuzzy Hash: 20e531e8b4a38674a46d969b008749eff97081a1880d04877313a8fb2dee8154
Instruction Fuzzy Hash: E7F0AF34A00208BBDB149F94DC89FEEBFF4EF04712F0400A4FD09A2260CB305A84DA94

Function 00C34E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00C34EDD,?,00D01418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C34E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00C34EAE
FreeLibrary.KERNEL32(00000000,?,?,00C34EDD,?,00D01418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C34EC0

Strings

kernel32.dll, xrefs: 00C34E94
Wow64DisableWow64FsRedirection, xrefs: 00C34EA8

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 013d85ec19c4e6e4a3a25e80dfb7a06a14bd8f73b735e240de7e0330fceb10a4
Instruction ID: 2230722403cb74e1c9c8f910f45e66a5402d8ef5cf33af1e4fbf79d46bf95cd3
Opcode Fuzzy Hash: 013d85ec19c4e6e4a3a25e80dfb7a06a14bd8f73b735e240de7e0330fceb10a4
Instruction Fuzzy Hash: 98E0CD36E115225BD2311726EC58F6FA554AFC1F62F090125FD08D2150DB60DE0240A1

Function 00C34E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00C73CDE,?,00D01418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C34E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00C34E74
FreeLibrary.KERNEL32(00000000,?,?,00C73CDE,?,00D01418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C34E87

Strings

kernel32.dll, xrefs: 00C34E5B
Wow64RevertWow64FsRedirection, xrefs: 00C34E6E

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 19a05df5d95f7e3181a265b87ad88e79f545d8a0667cd592c38273fb6398ce43
Instruction ID: d77244a13622a7278372d9f0474ee81c4ad6e73069f98e9894c7e04bcf7f6f79
Opcode Fuzzy Hash: 19a05df5d95f7e3181a265b87ad88e79f545d8a0667cd592c38273fb6398ce43
Instruction Fuzzy Hash: 4AD05B379126316756361B66FC5CF9FAA18AF85F517090525F919E2114CF60DF02C5D0

Function 00CA2947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00CA2C05
DeleteFileW.KERNEL32(?), ref: 00CA2C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00CA2C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00CA2CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00CA2CC0

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: c68170915dea65d4d729f3905c2c3b43707c1b876c64180f2bc1a1f174668175
Instruction ID: a1348f93f34bec373b09833f29133a77fd68a50e5048e1a766e4c7385ecdd3f9
Opcode Fuzzy Hash: c68170915dea65d4d729f3905c2c3b43707c1b876c64180f2bc1a1f174668175
Instruction Fuzzy Hash: 7CB16E72D0012AABDF25DFA8CC85EDEB77DEF49314F1040A6FA09E6141EA319E449F61

Function 00CBA387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00CBA427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00CBA435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00CBA468
CloseHandle.KERNEL32(?), ref: 00CBA63D

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 852b64321e427ef3cbe11d8fac4b667a2872fd30bb17e11e01886def7128aa72
Instruction ID: b6c3130789f53a5619f68c6bc33c205eca4be233cee6d74012a787131799cbf2
Opcode Fuzzy Hash: 852b64321e427ef3cbe11d8fac4b667a2872fd30bb17e11e01886def7128aa72
Instruction Fuzzy Hash: 5EA1A371604301AFD720DF28C886F6AB7E5AF88714F14885DF69A9B292D770ED41CB92

Function 00C9E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00C9DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00C9CF22,?), ref: 00C9DDFD

Part of subcall function 00C9DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00C9CF22,?), ref: 00C9DE16

Part of subcall function 00C9E199: GetFileAttributesW.KERNEL32(?,00C9CF95), ref: 00C9E19A

lstrcmpiW.KERNEL32(?,?), ref: 00C9E473
MoveFileW.KERNEL32(?,?), ref: 00C9E4AC
_wcslen.LIBCMT ref: 00C9E5EB
_wcslen.LIBCMT ref: 00C9E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 00C9E650

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: f0a1e56b008663d0e2aac35998b12d444444886b6d810f8c22de06d4a44c7deb
Instruction ID: 24edc0ceaa930685724101d4355b36567c6e35a4cef2328b866029c57e8153e3
Opcode Fuzzy Hash: f0a1e56b008663d0e2aac35998b12d444444886b6d810f8c22de06d4a44c7deb
Instruction Fuzzy Hash: F15172B24083859BCB24EB90DC859DFB3ECAF95340F00491EF599D3191EF74A688D76A

Function 00CBB9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C39CB3: _wcslen.LIBCMT ref: 00C39CBD

Part of subcall function 00CBC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00CBB6AE,?,?), ref: 00CBC9B5
Part of subcall function 00CBC998: _wcslen.LIBCMT ref: 00CBC9F1
Part of subcall function 00CBC998: _wcslen.LIBCMT ref: 00CBCA68
Part of subcall function 00CBC998: _wcslen.LIBCMT ref: 00CBCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00CBBAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00CBBB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00CBBB63
RegCloseKey.ADVAPI32(?,?), ref: 00CBBBA6
RegCloseKey.ADVAPI32(00000000), ref: 00CBBBB3

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: e3f7d7085079496f35565a1a533b180a7f3c553c8e70f243602c56b1e7a4611f
Instruction ID: 0df58c10b1fce9c61eff87069ca39fb0e307e9befd26839c67c25b417fd48006
Opcode Fuzzy Hash: e3f7d7085079496f35565a1a533b180a7f3c553c8e70f243602c56b1e7a4611f
Instruction Fuzzy Hash: 1D619F31218241AFD714DF24C890F6ABBE5FF84308F14895CF49A8B2A2DB71ED45DB92

Function 00C98BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00C98BCD
VariantClear.OLEAUT32 ref: 00C98C3E
VariantClear.OLEAUT32 ref: 00C98C9D
VariantClear.OLEAUT32(?), ref: 00C98D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00C98D3B

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: c48b9a4aa1a6beb5cc96559c519c2a3f6e5fe570457f4dd566d3c699f51843c4
Instruction ID: 1e1e3f0a0959502abee9eb98d0b1e81a9b67c6b3b03a7ba47bc5a835ba0151d0
Opcode Fuzzy Hash: c48b9a4aa1a6beb5cc96559c519c2a3f6e5fe570457f4dd566d3c699f51843c4
Instruction Fuzzy Hash: E55159B5A0021AEFCB14CF68C894EAAB7F8FF89310B158559E919DB350E730E911CF90

Function 00CA8AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00CA8BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00CA8BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00CA8C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00CA8C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00CA8C5F

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 36b7632bf37937e6d085a1f1092138f270a108dc8698d738c77cae73e248772c
Instruction ID: 8812142bae495b67768074fa59e336deba0e47c6c83c5e3b375ae1cfa43befa0
Opcode Fuzzy Hash: 36b7632bf37937e6d085a1f1092138f270a108dc8698d738c77cae73e248772c
Instruction Fuzzy Hash: E7513875A00219AFCB14DF65C880A6EBBF5FF49318F088058E849AB362CB31ED51DF90

Function 00CB8EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00CB8F40
GetProcAddress.KERNEL32(00000000,?), ref: 00CB8FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00CB8FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00CB9032
FreeLibrary.KERNEL32(00000000), ref: 00CB9052

Part of subcall function 00C4F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00CA1043,?,753CE610), ref: 00C4F6E6
Part of subcall function 00C4F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00C8FA64,00000000,00000000,?,?,00CA1043,?,753CE610,?,00C8FA64), ref: 00C4F70D

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 949b566d5e2d09f2fc08d080d788bfc8301b970745cae647260b59beaebcdf64
Instruction ID: e4296553283010fb5294a9131c3c8d953bed3c83b41bccb8093d004f03ff9f5b
Opcode Fuzzy Hash: 949b566d5e2d09f2fc08d080d788bfc8301b970745cae647260b59beaebcdf64
Instruction Fuzzy Hash: FE513735604205DFCB15EF58C4949EDBBB1FF49314F0880A8E91A9B362DB31EE86CB91

Function 00CC6B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00CC6C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00CC6C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00CC6C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,00CAAB79,00000000,00000000), ref: 00CC6C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00CC6CC7

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: 7ff7d59b7c01b703bb24cfb4d3ec6e7b55bea524aaca8c4b0df5bb633d173a1a
Instruction ID: d8e3aa2ffee4f69217ff175e18781dccbd69c4a3bc906454edae5d6ea2d6a630
Opcode Fuzzy Hash: 7ff7d59b7c01b703bb24cfb4d3ec6e7b55bea524aaca8c4b0df5bb633d173a1a
Instruction Fuzzy Hash: 1441C535A04104AFD724CF29CE98FA97BA5EB09350F15026CF9A9E73E1C771EE41DA50

Function 00C62051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00C620C3
_free.LIBCMT ref: 00C620E3

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 3c99bab2d829d991c12d7363aa506eca89447b59b917057da368d53add887b96
Instruction ID: 0b45cfedf8bdef17851273e0d9c075bc36c69aa5973b36ddb1e820d528b205a8
Opcode Fuzzy Hash: 3c99bab2d829d991c12d7363aa506eca89447b59b917057da368d53add887b96
Instruction Fuzzy Hash: C741B232A006049FCB34DF78C9C1A6DB7E5EF89314F154569E916EB392DA31AE01DB81

Function 00C4912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00C49141
ScreenToClient.USER32(00000000,?), ref: 00C4915E
GetAsyncKeyState.USER32(00000001), ref: 00C49183
GetAsyncKeyState.USER32(00000002), ref: 00C4919D

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: d7fc327c22661e6a20fabe9a26759984c31db5cc2110875095b6606022a23f89
Instruction ID: 26c2f5afdc02bd5e1ee43f1f6f35938ea7a162d955f5e0f51c59c7f1e9b30fff
Opcode Fuzzy Hash: d7fc327c22661e6a20fabe9a26759984c31db5cc2110875095b6606022a23f89
Instruction Fuzzy Hash: 1141403190851AFBDF15AF64C848BEEB774FB05324F204319E439A72D0D734AA50DB51

Function 00CA3874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00CA38CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00CA3922
TranslateMessage.USER32(?), ref: 00CA394B
DispatchMessageW.USER32(?), ref: 00CA3955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00CA3966

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: eb55ccee983e85a92219e5c3c91cefaddac09ccfa7071f6f8c4bae77d620048b
Instruction ID: b8e5da05062753c603d3be1800a8c734406b83d8364946134f57ccfeb6f7f04a
Opcode Fuzzy Hash: eb55ccee983e85a92219e5c3c91cefaddac09ccfa7071f6f8c4bae77d620048b
Instruction Fuzzy Hash: E63185749043C39EEB25CB75D868BB737A8AB06308F04456DF47AC61E0E7B49785DB21

Function 00CACF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,00CAC21E,00000000), ref: 00CACF38
InternetReadFile.WININET(?,00000000,?,?), ref: 00CACF6F
GetLastError.KERNEL32(?,00000000,?,?,?,00CAC21E,00000000), ref: 00CACFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,00CAC21E,00000000), ref: 00CACFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,00CAC21E,00000000), ref: 00CACFF2

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: f5aac9f0a0d207fc49c31dce93ab191b25b1104ffaeb20f713a822c02f313a24
Instruction ID: 56883393f384b5514a094ab1567b609f193c736c0d86003c25f071c499595995
Opcode Fuzzy Hash: f5aac9f0a0d207fc49c31dce93ab191b25b1104ffaeb20f713a822c02f313a24
Instruction Fuzzy Hash: 7B314B71904206AFDB20DFE5CCC4AAEBBF9EB15359B10442EF51AD2150DB30AE41DB60

Function 00C91901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00C91915
PostMessageW.USER32(00000001,00000201,00000001), ref: 00C919C1
Sleep.KERNEL32(00000000,?,?,?), ref: 00C919C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 00C919DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 00C919E2

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 2e044a2cfe9e5b640970413cf2ab21beb15abbe51d7ad71a5094ddf957e9f6e9
Instruction ID: 6a96ed865d19a1192dc4d156b9e9f0f0d783a4bf95e03f22f6529f731b5c07a4
Opcode Fuzzy Hash: 2e044a2cfe9e5b640970413cf2ab21beb15abbe51d7ad71a5094ddf957e9f6e9
Instruction Fuzzy Hash: 8A319C71A0021AEFDB00CFA8C99EB9E3BB5EB04315F154229FD25A72D1C7709A54CB90

Function 00CC5706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00CC5745
SendMessageW.USER32(?,00001074,?,00000001), ref: 00CC579D
_wcslen.LIBCMT ref: 00CC57AF
_wcslen.LIBCMT ref: 00CC57BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00CC5816

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 9b9d3c9032c7fb313b86ddbb526e098689559e6d40e964c04a445dac07c52032
Instruction ID: 2ce8063b1c317b2f2de324dbaa907975eeb5bec223498e023514dc5b43223898
Opcode Fuzzy Hash: 9b9d3c9032c7fb313b86ddbb526e098689559e6d40e964c04a445dac07c52032
Instruction Fuzzy Hash: 8E216F75904618AADB209FA1CC85FEE77BCFF04724F10825AF929EA180D770AAC5CF54

Function 00CB0930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00CB0951
GetForegroundWindow.USER32 ref: 00CB0968
GetDC.USER32(00000000), ref: 00CB09A4
GetPixel.GDI32(00000000,?,00000003), ref: 00CB09B0
ReleaseDC.USER32(00000000,00000003), ref: 00CB09E8

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 277239350bd44a39832c5ad2bf025e2df17b44b1bf87329b505fa803ed1d1b7e
Instruction ID: 4227abba0c38bdbd7ed2fa88f04fc0b58952f15b7b27182ef079fb19324b1f16
Opcode Fuzzy Hash: 277239350bd44a39832c5ad2bf025e2df17b44b1bf87329b505fa803ed1d1b7e
Instruction Fuzzy Hash: E7218135A00204AFD704EF65C988FAEBBF9EF49740F148068F85A97752CB30AD04DB50

Function 00C6CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00C6CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00C6CDE9

Part of subcall function 00C63820: RtlAllocateHeap.NTDLL(00000000,?,00D01444,?,00C4FDF5,?,?,00C3A976,00000010,00D01440,00C313FC,?,00C313C6,?,00C31129), ref: 00C63852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00C6CE0F
_free.LIBCMT ref: 00C6CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00C6CE31

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 518ccf1167f5e0f110377b46e7bd4b81caf7af680443a7d5748e994343065e8a
Instruction ID: 520e5d7497bed13481133e2bd4dfc8a40a67dafed8a73d980125cfd5e437bf1d
Opcode Fuzzy Hash: 518ccf1167f5e0f110377b46e7bd4b81caf7af680443a7d5748e994343065e8a
Instruction Fuzzy Hash: D301D472A062157F233116B7ACC8E7F797DDEC6BA13190129F909C7201EA668E0191B0

Function 00C49639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00C49693
SelectObject.GDI32(?,00000000), ref: 00C496A2
BeginPath.GDI32(?), ref: 00C496B9
SelectObject.GDI32(?,00000000), ref: 00C496E2

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 7db561ce5a0cbb3b53164e08d96303524b9792648b557b037410be707195e395
Instruction ID: 7b2a34df3ef234e19b49f9a2b8cb72140a24f3ad77560a69252e470619fbb6e1
Opcode Fuzzy Hash: 7db561ce5a0cbb3b53164e08d96303524b9792648b557b037410be707195e395
Instruction Fuzzy Hash: E9213934802315EBDB119F65EC58BEE3BA9FB50365F15021AF428A62A0D3709992DFA4

Function 00C95711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00C95726
_memcmp.LIBVCRUNTIME ref: 00C95744
_memcmp.LIBVCRUNTIME ref: 00C95757
_memcmp.LIBVCRUNTIME ref: 00C9576F
_memcmp.LIBVCRUNTIME ref: 00C95787

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 9e718d3c7bcd77f49c31ce5d394ac2a0bbeae16c63fc471ccc3f4e915c6e6042
Instruction ID: 0b26477cae86cf08df936a467a3a4ab51a3653dd54907bcfa8f52653a18d158c
Opcode Fuzzy Hash: 9e718d3c7bcd77f49c31ce5d394ac2a0bbeae16c63fc471ccc3f4e915c6e6042
Instruction Fuzzy Hash: 730145A5341608BBDA095651ED9AFBB334D9B20395F040038FD049A640F730EF5183A4

Function 00C62DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00C5F2DE,00C63863,00D01444,?,00C4FDF5,?,?,00C3A976,00000010,00D01440,00C313FC,?,00C313C6), ref: 00C62DFD
_free.LIBCMT ref: 00C62E32
_free.LIBCMT ref: 00C62E59
SetLastError.KERNEL32(00000000,00C31129), ref: 00C62E66
SetLastError.KERNEL32(00000000,00C31129), ref: 00C62E6F

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 82325e7e1fa29bf80e9aba94fb25ac567530fbf43e6fc0268105fd20d7893488
Instruction ID: 30fce1f55e9eb4f57f32697549e009b9219967923249df592822675ac97cb537
Opcode Fuzzy Hash: 82325e7e1fa29bf80e9aba94fb25ac567530fbf43e6fc0268105fd20d7893488
Instruction Fuzzy Hash: B801F436645E006BC73227356CC5F6F265DABD13A2B254038F435A22E3EB268D015120

Function 00C9000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C8FF41,80070057,?,?,?,00C9035E), ref: 00C9002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C8FF41,80070057,?,?), ref: 00C90046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C8FF41,80070057,?,?), ref: 00C90054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C8FF41,80070057,?), ref: 00C90064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C8FF41,80070057,?,?), ref: 00C90070

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 166fd4f53e66b26697edb8d864bd6b4a198247ce425d35b5763db28fa115e5bb
Instruction ID: ec55ff35b4a0b7f0d49321ad77de1af904a1a372fbee323594b2943ebb8ce6be
Opcode Fuzzy Hash: 166fd4f53e66b26697edb8d864bd6b4a198247ce425d35b5763db28fa115e5bb
Instruction Fuzzy Hash: E3018B72600204BFDF108F69DC88FAE7BEDEB44792F245124F909D2210E775DE408BA0

Function 00C9E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 00C9E997
QueryPerformanceFrequency.KERNEL32(?), ref: 00C9E9A5
Sleep.KERNEL32(00000000), ref: 00C9E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 00C9E9B7
Sleep.KERNEL32 ref: 00C9E9F3

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 6806ac6c49335c9cd6249a2a583330c6e902b0f139060c4891d61dbdefc05438
Instruction ID: 7e650eb67f08105a2604ac07e1a5008ec795fd0854d4d6f178bcbf4bf239c1bc
Opcode Fuzzy Hash: 6806ac6c49335c9cd6249a2a583330c6e902b0f139060c4891d61dbdefc05438
Instruction Fuzzy Hash: A0011B31C01529DBCF00EBE5DC9DBDDBB78FB19701F060556E516B2151CB309A6587A1

Function 00C910F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00C91114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00C90B9B,?,?,?), ref: 00C91120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00C90B9B,?,?,?), ref: 00C9112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00C90B9B,?,?,?), ref: 00C91136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00C9114D

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 51a606f756e26903688a9b39e70d1ef07c9edae9782f4b974f8f7dc9423ff424
Instruction ID: a12901f5b3a2fd9cea489fc2cfd959c69c8acd8a4fd1bab12fffd8b0b51cecc4
Opcode Fuzzy Hash: 51a606f756e26903688a9b39e70d1ef07c9edae9782f4b974f8f7dc9423ff424
Instruction Fuzzy Hash: 1C01F675200205BFDB114FA5DC8DF6E3B6EEF892A0B284419FA49D6260DB31DD119B60

Function 00C90FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00C90FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00C90FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00C90FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00C90FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00C91002

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 9d996641d884b34500798d9a6552fefb450580f75ae716e0687d44884a2c5445
Instruction ID: 5aec05b60f408a881dbd5bda9915e64aa4cc75b0bf10ec12926145070bcbae9f
Opcode Fuzzy Hash: 9d996641d884b34500798d9a6552fefb450580f75ae716e0687d44884a2c5445
Instruction Fuzzy Hash: 34F03735200302EFDB214FA5EC8EF5A3BA9EF89762F184414FE5986251CA71D8508A60

Function 00C91014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00C9102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00C91036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C91045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00C9104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C91062

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: c03a1c6b25e023b6a9ba50ed474343f117fa8f32b75d345974f63f0271333c1f
Instruction ID: 2096eff65c76a88b5d559761f38e6cdc1b1c8691a58e10929df077afbaee4337
Opcode Fuzzy Hash: c03a1c6b25e023b6a9ba50ed474343f117fa8f32b75d345974f63f0271333c1f
Instruction Fuzzy Hash: 7BF06D35200302EBDB215FA5EC8DF5A3BADFF897A1F180414FE59C7250CA71D9508A60

Function 00CA030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,00CA017D,?,00CA32FC,?,00000001,00C72592,?), ref: 00CA0324
CloseHandle.KERNEL32(?,?,?,?,00CA017D,?,00CA32FC,?,00000001,00C72592,?), ref: 00CA0331
CloseHandle.KERNEL32(?,?,?,?,00CA017D,?,00CA32FC,?,00000001,00C72592,?), ref: 00CA033E
CloseHandle.KERNEL32(?,?,?,?,00CA017D,?,00CA32FC,?,00000001,00C72592,?), ref: 00CA034B
CloseHandle.KERNEL32(?,?,?,?,00CA017D,?,00CA32FC,?,00000001,00C72592,?), ref: 00CA0358
CloseHandle.KERNEL32(?,?,?,?,00CA017D,?,00CA32FC,?,00000001,00C72592,?), ref: 00CA0365

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 8c23446e86373e27b75551ea40867caddd50d74ef94d1e46a31339cc2a71c9f5
Instruction ID: b55387ca4953e58ac621422dc86c8ebb9b99c9e428943070025b1a28e6f98aac
Opcode Fuzzy Hash: 8c23446e86373e27b75551ea40867caddd50d74ef94d1e46a31339cc2a71c9f5
Instruction Fuzzy Hash: 3601A272801B169FCB309F66D880816F7F5BF613593258A3FD1A652931C371AA54DF80

Function 00C6D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00C6D752

Part of subcall function 00C629C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00C6D7D1,00000000,00000000,00000000,00000000,?,00C6D7F8,00000000,00000007,00000000,?,00C6DBF5,00000000), ref: 00C629DE
Part of subcall function 00C629C8: GetLastError.KERNEL32(00000000,?,00C6D7D1,00000000,00000000,00000000,00000000,?,00C6D7F8,00000000,00000007,00000000,?,00C6DBF5,00000000,00000000), ref: 00C629F0

_free.LIBCMT ref: 00C6D764
_free.LIBCMT ref: 00C6D776
_free.LIBCMT ref: 00C6D788
_free.LIBCMT ref: 00C6D79A

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 8c070427638ae1afd4f02595af738164ccf61723c879832032a397fd6d678e6c
Instruction ID: 11e1d4673e47b3ec5c00d1d865601c391c9908df6634cec7fe33d250efef2cd6
Opcode Fuzzy Hash: 8c070427638ae1afd4f02595af738164ccf61723c879832032a397fd6d678e6c
Instruction Fuzzy Hash: FAF03632B44608AB8635EB64FAC5E2A77DDBB44750B940C05F059D7545CB30FD80D666

Function 00C95C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00C95C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00C95C6F
MessageBeep.USER32(00000000), ref: 00C95C87
KillTimer.USER32(?,0000040A), ref: 00C95CA3
EndDialog.USER32(?,00000001), ref: 00C95CBD

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 2ba5e4b91791abadb475487d633fd4e93a9cf1a4aa0421a738001d03d946c1b4
Instruction ID: 9257a76e6cc7fe96fa8fca62a221ce8d8021b4ab66b2bebf1588d3b113714bf7
Opcode Fuzzy Hash: 2ba5e4b91791abadb475487d633fd4e93a9cf1a4aa0421a738001d03d946c1b4
Instruction Fuzzy Hash: 7E018130500B04ABEF215B10DE8EFEA77B8BB04B05F000559F697A15E1DBF0AA848B90

Function 00C622A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00C622BE

Part of subcall function 00C629C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00C6D7D1,00000000,00000000,00000000,00000000,?,00C6D7F8,00000000,00000007,00000000,?,00C6DBF5,00000000), ref: 00C629DE
Part of subcall function 00C629C8: GetLastError.KERNEL32(00000000,?,00C6D7D1,00000000,00000000,00000000,00000000,?,00C6D7F8,00000000,00000007,00000000,?,00C6DBF5,00000000,00000000), ref: 00C629F0

_free.LIBCMT ref: 00C622D0
_free.LIBCMT ref: 00C622E3
_free.LIBCMT ref: 00C622F4
_free.LIBCMT ref: 00C62305

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 9b0528dea1c1aa2a9c3760d7c08ced89968f16a131cb65462f75733daf3a5e80
Instruction ID: ace9e2f7105591842ce2a267224b4b38fae66df16f3a3070db84eda6d7016f92
Opcode Fuzzy Hash: 9b0528dea1c1aa2a9c3760d7c08ced89968f16a131cb65462f75733daf3a5e80
Instruction Fuzzy Hash: 06F03074600B159BC726AF64BC82B5C3FA4BB187A1B00050AF418D63B1C7300511BBB9

Function 00C495C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00C495D4
StrokeAndFillPath.GDI32(?,?,00C871F7,00000000,?,?,?), ref: 00C495F0
SelectObject.GDI32(?,00000000), ref: 00C49603
DeleteObject.GDI32 ref: 00C49616
StrokePath.GDI32(?), ref: 00C49631

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 75bfaa51788037d2469a2fecd701c4d68752d09c0554f8b5a75cd1f33a375793
Instruction ID: d789674bc78da7c305e5c217b2d11296c2737295910c6a72572f79a69608a7e3
Opcode Fuzzy Hash: 75bfaa51788037d2469a2fecd701c4d68752d09c0554f8b5a75cd1f33a375793
Instruction Fuzzy Hash: 67F0C439406308EBDB269F69ED5CBA93B65FB05322F148218F47E952F0C7348A95DF21

Function 00C60F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 00C610F9
__freea.LIBCMT ref: 00C61117

Part of subcall function 00C61537: _free.LIBCMT ref: 00C6154F

Strings

a/p, xrefs: 00C611DE
am/pm, xrefs: 00C6117A

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: cbb427ce8cc57e884b8159d1ebdb11bbedca9757d063f56e0493bcb83479d97d
Instruction ID: 20e0097986e4e7330544d680253aa87985fc2a0ecc73897bceb1be608a978a1c
Opcode Fuzzy Hash: cbb427ce8cc57e884b8159d1ebdb11bbedca9757d063f56e0493bcb83479d97d
Instruction Fuzzy Hash: 14D1E131900246DADB349F69C8D57BEB7B1EF06302F2C4169ED26AB761D3359E80CB91

Function 00CB7B7E Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00C50242: EnterCriticalSection.KERNEL32(00D0070C,00D01884,?,?,00C4198B,00D02518,?,?,?,00C312F9,00000000), ref: 00C5024D
Part of subcall function 00C50242: LeaveCriticalSection.KERNEL32(00D0070C,?,00C4198B,00D02518,?,?,?,00C312F9,00000000), ref: 00C5028A

Part of subcall function 00C39CB3: _wcslen.LIBCMT ref: 00C39CBD

Part of subcall function 00C500A3: __onexit.LIBCMT ref: 00C500A9

__Init_thread_footer.LIBCMT ref: 00CB7BFB

Part of subcall function 00C501F8: EnterCriticalSection.KERNEL32(00D0070C,?,?,00C48747,00D02514), ref: 00C50202
Part of subcall function 00C501F8: LeaveCriticalSection.KERNEL32(00D0070C,?,00C48747,00D02514), ref: 00C50235

Strings

5, xrefs: 00CB7C78
G, xrefs: 00CB7C7F
Variable must be of type 'Object'., xrefs: 00CB7C3A

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: 5$G$Variable must be of type 'Object'.
API String ID: 535116098-3733170431
Opcode ID: d867ec5bbad0621b68544678c8fce1b9b6f0c8af52d78db176b23f0e6726706d
Instruction ID: f1b049db6835b94c8651afd2c432c79406bb50b0670ba123dd406fdbd6a89b95
Opcode Fuzzy Hash: d867ec5bbad0621b68544678c8fce1b9b6f0c8af52d78db176b23f0e6726706d
Instruction Fuzzy Hash: BA91AC70A04209AFCF14EF64D895DEDBBB1FF84300F108159F8169B292DB71AE45DB51

Function 00C92716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C9B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00C921D0,?,?,00000034,00000800,?,00000034), ref: 00C9B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00C92760

Part of subcall function 00C9B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00C921FF,?,?,00000800,?,00001073,00000000,?,?), ref: 00C9B3F8

Part of subcall function 00C9B32A: GetWindowThreadProcessId.USER32(?,?), ref: 00C9B355
Part of subcall function 00C9B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00C92194,00000034,?,?,00001004,00000000,00000000), ref: 00C9B365
Part of subcall function 00C9B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00C92194,00000034,?,?,00001004,00000000,00000000), ref: 00C9B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00C927CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00C9281A

Strings

@, xrefs: 00C92832

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 36202684350bd372df99ee0791b4731bbfc50bdd4727617ecd3115dccf1e80ac
Instruction ID: 1bd1f3fa693d0337665e4423c3fdf301601af7dda207a1a9defad1b88b266bd6
Opcode Fuzzy Hash: 36202684350bd372df99ee0791b4731bbfc50bdd4727617ecd3115dccf1e80ac
Instruction Fuzzy Hash: 97410972900218BFDF10DBA4D985FEEBBB8AF09700F104095FA95B7191DA706E45DBA1

Function 00C6172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 00C61769
_free.LIBCMT ref: 00C61834
_free.LIBCMT ref: 00C6183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 00C61760, 00C61767, 00C61796, 00C617CE

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-1957095476
Opcode ID: edb4bedccc5ff8f1ba92d1dbf30bb3c4626bd1c931d52b657bd1b72483f963db
Instruction ID: 198e8ea7c9d3ecd962c8319f16e11a470ec99600c01c645ac733599fa0e3edb7
Opcode Fuzzy Hash: edb4bedccc5ff8f1ba92d1dbf30bb3c4626bd1c931d52b657bd1b72483f963db
Instruction Fuzzy Hash: 95317E75A00218EBDB31DF9A98C5E9EBBFCEB89311B18416AF814D7251D6708A41DBA0

Function 00C9C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00C9C306
DeleteMenu.USER32(?,00000007,00000000), ref: 00C9C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00D01990,016D54F0), ref: 00C9C395

Strings

0, xrefs: 00C9C2DF

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: eb5f2937f63a31392ace18222f87427af98d6e1e4f806c669d28ab0af9fc6b50
Instruction ID: e9aeb6cad25199ca9322eaa7fec9cc5d53e22351a3c4c1de0370df328183788d
Opcode Fuzzy Hash: eb5f2937f63a31392ace18222f87427af98d6e1e4f806c669d28ab0af9fc6b50
Instruction Fuzzy Hash: 3141BF712443019FDB20DF29D8C8B9ABBE8BF85320F008A5DF8A5972E1D770E904DB52

Function 00CC4416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00CCCC08,00000000,?,?,?,?), ref: 00CC44AA
GetWindowLongW.USER32 ref: 00CC44C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00CC44D7

Strings

SysTreeView32, xrefs: 00CC447C

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: efd30859a244153a7f44b296760d990e6e17070effd2ea9059e99f8771df6610
Instruction ID: 253494e1b93a039b6187cc0266705200565c960ae6555fd9b94cd063ba61b760
Opcode Fuzzy Hash: efd30859a244153a7f44b296760d990e6e17070effd2ea9059e99f8771df6610
Instruction Fuzzy Hash: 93319C31210605AFDB288F38DC95FEA7BA9EB08334F208729F979921E0D770ED519B50

Function 00CB304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00CB335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00CB3077,?,?), ref: 00CB3378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00CB307A
_wcslen.LIBCMT ref: 00CB309B
htons.WSOCK32(00000000,?,?,00000000), ref: 00CB3106

Strings

255.255.255.255, xrefs: 00CB3095, 00CB309A

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: ff8f41cbc1beadd93694649c1a99bfa1d0eabb49fda64a33dee5569410bab7d5
Instruction ID: 9ed496df6e18e632ded9c0e08c5ed83564bdf273f9e03e646bb5206f2f1df04d
Opcode Fuzzy Hash: ff8f41cbc1beadd93694649c1a99bfa1d0eabb49fda64a33dee5569410bab7d5
Instruction Fuzzy Hash: 6331E1396002819FCB10DF68D885EAA77E4EF54318F248059E8258B3A2DB72EF45CB60

Function 00CC3EB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00CC3F40
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00CC3F54
SendMessageW.USER32(?,00001002,00000000,?), ref: 00CC3F78

Strings

SysMonthCal32, xrefs: 00CC3F0B

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 8c45e825696f12006024c46b1b011eb210cd9bed9325b1e4239c0940c30f5713
Instruction ID: ab29ad5064a6cfd5d271c4a4561f2913605a27f5ea4da6f5697646492cbe8aeb
Opcode Fuzzy Hash: 8c45e825696f12006024c46b1b011eb210cd9bed9325b1e4239c0940c30f5713
Instruction Fuzzy Hash: 5B21BC32610219BFDF258F90DC86FEE3B79EB48714F114258FA19AB1D0D6B1AD509BA0

Function 00CC4653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00CC4705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00CC4713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00CC471A

Strings

msctls_updown32, xrefs: 00CC4684

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 5105a0d916c44058516ab0f221be4e9a5ff67aa4aafaf01160305cc95b252e7c
Instruction ID: 24f99df6ccbf2c6ded382081880749807d4a528ff35cc5018bf430d0cf7fc625
Opcode Fuzzy Hash: 5105a0d916c44058516ab0f221be4e9a5ff67aa4aafaf01160305cc95b252e7c
Instruction Fuzzy Hash: 87215CB5600208AFDB14DF64DCD1EAB37ADEB4A3A4B044059FA14DB351CB30ED51DB60

Function 00C995AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00C9961D

Strings

#OnAutoItStartRegister, xrefs: 00C995F3
#requireadmin, xrefs: 00C995D9
#notrayicon, xrefs: 00C995B7

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 2bad58a0a1d52c4b4c675f56c3ab5106971010f48521848f3ccc2102f77c4924
Instruction ID: 7d4f6ad599985fc03118a6fe757838d29c2b5726e5102a109b3d920b7fd6d5a1
Opcode Fuzzy Hash: 2bad58a0a1d52c4b4c675f56c3ab5106971010f48521848f3ccc2102f77c4924
Instruction Fuzzy Hash: 15213872104510A6DB31AB2DDC1AFB773A8DF51310F10402EF95997041EBB1EE86D2D5

Function 00CC37B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00CC3840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00CC3850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00CC3876

Strings

Listbox, xrefs: 00CC380F

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 8202aed76fe7bb7c2e43ef5e825292366287ffad08f94f6ba78909b1ba808130
Instruction ID: 6d2a718a3ea56d4afb1a4a24450338be5da37aafab9bfa894d2212bb0657e451
Opcode Fuzzy Hash: 8202aed76fe7bb7c2e43ef5e825292366287ffad08f94f6ba78909b1ba808130
Instruction Fuzzy Hash: 3E21BE72610218BBEB219F54EC85FBB376EEF89750F118129F9149B190C671DD528BA0

Function 00CA49F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00CA4A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00CA4A5C
SetErrorMode.KERNEL32(00000000,?,?,00CCCC08), ref: 00CA4AD0

Strings

%lu, xrefs: 00CA4A6F

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: a9ee310a4edb3b921443049864cbd6d3561cfa90c9d61698489fb8038de37a54
Instruction ID: bf6b4b7f83e0fa76febc2376d90e31f91ef5b070be9edd19c77ee74782443f6e
Opcode Fuzzy Hash: a9ee310a4edb3b921443049864cbd6d3561cfa90c9d61698489fb8038de37a54
Instruction Fuzzy Hash: DA317171A00109AFDB10DF54C885EAE7BF8EF49308F1480A9F909DB252D771EE46DB61

Function 00CC41EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00CC424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00CC4264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00CC4271

Strings

msctls_trackbar32, xrefs: 00CC4226

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 9d081a1ad0f4a25b998c0cb5e89fa050377d21fb2a128f2ed09a74d367530c53
Instruction ID: c0be4c41a019a79f4f143f94d32eb74c01fda5eac1dd828fbfb876eab3f8acb1
Opcode Fuzzy Hash: 9d081a1ad0f4a25b998c0cb5e89fa050377d21fb2a128f2ed09a74d367530c53
Instruction Fuzzy Hash: 1D110232240208BEEF205F29CC46FAB3BACEF85B64F014128FA55E20A0D271DC619B20

Function 00C92F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C36B57: _wcslen.LIBCMT ref: 00C36B6A

Part of subcall function 00C92DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00C92DC5
Part of subcall function 00C92DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00C92DD6
Part of subcall function 00C92DA7: GetCurrentThreadId.KERNEL32 ref: 00C92DDD
Part of subcall function 00C92DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00C92DE4

GetFocus.USER32 ref: 00C92F78

Part of subcall function 00C92DEE: GetParent.USER32(00000000), ref: 00C92DF9

GetClassNameW.USER32(?,?,00000100), ref: 00C92FC3
EnumChildWindows.USER32(?,00C9303B), ref: 00C92FEB

Strings

%s%d, xrefs: 00C92FFF

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 8e6c9eb609b38340e9670271d469c02bb59f6c79a47ed558bb0924682afd183a
Instruction ID: 59d947b1ec7317a189784d33b45e7b7b5bb5672e27b958e00940aa0a7c742d95
Opcode Fuzzy Hash: 8e6c9eb609b38340e9670271d469c02bb59f6c79a47ed558bb0924682afd183a
Instruction Fuzzy Hash: 3F11AF716002456BCF147F60CCC9FEE776AAF84304F048079FA099B292DF309A4AEB60

Function 00CC5882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00CC58C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00CC58EE
DrawMenuBar.USER32(?), ref: 00CC58FD

Strings

0, xrefs: 00CC588F

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 2f65c5c3ea421211cbbb4b2aeb3bdb72941a45b3cbe042045787be1cc0a13686
Instruction ID: e1d744c47e9d74e15f269c5202e06163c8276b9fcbcf3a65c23054da346e7dbe
Opcode Fuzzy Hash: 2f65c5c3ea421211cbbb4b2aeb3bdb72941a45b3cbe042045787be1cc0a13686
Instruction Fuzzy Hash: EF011771500218EEDB219F11DC44FAEBBB8FB85361F1080ADE849D6251DB319A96EF21

Function 00C8D3A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 00C8D3BF
FreeLibrary.KERNEL32 ref: 00C8D3E5

Strings

X64, xrefs: 00C8D2A8
GetSystemWow64DirectoryW, xrefs: 00C8D3B9

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 3013587201-2590602151
Opcode ID: 427a6e91d40d75c0c5cb6f1b12fe0fb1f9d0a5db18aa6ec51d575dde7cbc9b17
Instruction ID: 28b67d44da87af34656fe8025f6c7d103c5659b433748ba0fd07151311cef336
Opcode Fuzzy Hash: 427a6e91d40d75c0c5cb6f1b12fe0fb1f9d0a5db18aa6ec51d575dde7cbc9b17
Instruction Fuzzy Hash: ECF0AB71841A20EBCB313212DC98F6D7320AF10705F5D816CF80BE21D4DB20CF41839A

Function 00C9007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8579415b3985e3c28030e7e900ad01684dbdc9ebbf9d9e57542da4e5fedff527
Instruction ID: ab210d7ed624c178e5d052448a251ca557eada402a2d3573f19f1a4858a16d10
Opcode Fuzzy Hash: 8579415b3985e3c28030e7e900ad01684dbdc9ebbf9d9e57542da4e5fedff527
Instruction Fuzzy Hash: CBC12B75A00216EFDB14CFA4C898BAEB7B5FF48704F208598E915EB261D731DE81DB90

Function 00C63E80 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00C63F0B
__alldvrm.LIBCMT ref: 00C6410C
__alldvrm.LIBCMT ref: 00C6412E

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: 74dd1a6d1f4c88daba86cb50b780720eaaf84e5f66765901e2a165da7037f557
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: 3DA17971E003969FDB3ACF58C8C17AEBBE4EF62350F1841ADE5959B281C2348E81C751

Function 00CB342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00CB3459
CoUninitialize.OLE32 ref: 00CB3463
VariantInit.OLEAUT32(?), ref: 00CB346E
VariantClear.OLEAUT32(?), ref: 00CB371B

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: db8eb8b89f9eede147ea6de43d5be2a46d49c9207063b0885508564f7a00fdaf
Instruction ID: 57012c5b9e42c1c4468febca0c5186d999b2a3fe36afd3b4c37dfe4b144c03f5
Opcode Fuzzy Hash: db8eb8b89f9eede147ea6de43d5be2a46d49c9207063b0885508564f7a00fdaf
Instruction Fuzzy Hash: 3CA188756143009FCB14DF29C485A6AB7E4FF88314F04895DF98AAB362DB30EE05DB92

Function 00C90436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00CCFC08,?), ref: 00C905F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00CCFC08,?), ref: 00C90608
CLSIDFromProgID.OLE32(?,?,00000000,00CCCC40,000000FF,?,00000000,00000800,00000000,?,00CCFC08,?), ref: 00C9062D
_memcmp.LIBVCRUNTIME ref: 00C9064E

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: a5a24ec1ca5c99f23a153071bbab85e6240882d745db27877064982544b49cfb
Instruction ID: e7f8b2844b528f5b02ede13289d0bb70d7948ec82ac9ab015f070df90430099b
Opcode Fuzzy Hash: a5a24ec1ca5c99f23a153071bbab85e6240882d745db27877064982544b49cfb
Instruction Fuzzy Hash: 9F81B475A00109AFCF04DF94C988EAEB7B9FF89315F204598F516AB250DB71AE46CB60

Function 00CBA67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00CBA6AC
Process32FirstW.KERNEL32(00000000,?), ref: 00CBA6BA

Part of subcall function 00C39CB3: _wcslen.LIBCMT ref: 00C39CBD

Process32NextW.KERNEL32(00000000,?), ref: 00CBA79C
CloseHandle.KERNEL32(00000000), ref: 00CBA7AB

Part of subcall function 00C4CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00C73303,?), ref: 00C4CE8A

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: be83426392cd41ae765d20f9982c8ae7d3364a5677956b397f9a3ad62296962b
Instruction ID: 9ad51539b33a7f3c611a5cff5dc4c0754e4c6333f9c09d796db1214be31260f0
Opcode Fuzzy Hash: be83426392cd41ae765d20f9982c8ae7d3364a5677956b397f9a3ad62296962b
Instruction Fuzzy Hash: 91513AB1508300AFD710EF25C886A6FBBE8FF89754F00891DF599972A1EB71D904DB92

Function 00C71391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00C714C0

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 12626538c20106027fba629b82c6e62a9daf3166c55bd999395b0f4a28f60a47
Instruction ID: eb7a96c11009e716454cbbf47ed880375512e184108f4fe7a524eeeec498ffaf
Opcode Fuzzy Hash: 12626538c20106027fba629b82c6e62a9daf3166c55bd999395b0f4a28f60a47
Instruction Fuzzy Hash: 77415F756005006BDB356BFD8C86ABE3AA5EF41770F2CC625FC2DD7191E6348A427272

Function 00CC6278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00CC62E2
ScreenToClient.USER32(?,?), ref: 00CC6315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00CC6382

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 82d39dacfa54be5194551c17898c9c4e29ff3b54473030ef8ca237af92fa149e
Instruction ID: 05cd4f169e47fe2323f7c252066a1b049e6570c4ebb9d70f12b7df7376d9d735
Opcode Fuzzy Hash: 82d39dacfa54be5194551c17898c9c4e29ff3b54473030ef8ca237af92fa149e
Instruction Fuzzy Hash: 33510A74A00249EFDB10DF68DA80EAE7BB5EF45360F14816DF9659B2A0D730EE81CB50

Function 00CB1AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00CB1AFD
WSAGetLastError.WSOCK32 ref: 00CB1B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00CB1B8A
WSAGetLastError.WSOCK32 ref: 00CB1B94

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 6925a7f7de2e10ead3e92ef1e9b3df1320226147c7b96eb1774bbd63aac307a0
Instruction ID: 1d34c62d13e3490934d58b8550b57138d18f2a41a8d64c43758e7b205a4d7949
Opcode Fuzzy Hash: 6925a7f7de2e10ead3e92ef1e9b3df1320226147c7b96eb1774bbd63aac307a0
Instruction Fuzzy Hash: 8341D074640200AFE720AF24C886F6A77E5AB44718F58C44CFA2A9F3D3D772ED419B90

Function 00C6B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5d059b0dca9e5eefdb9e358d47f21e81204254b56331e85d08dfa44b5ca0d9a
Instruction ID: 242fdd91a851fc517375f8edccb7809b7aad17c993a32df740e3191036d5d1e4
Opcode Fuzzy Hash: d5d059b0dca9e5eefdb9e358d47f21e81204254b56331e85d08dfa44b5ca0d9a
Instruction Fuzzy Hash: F3413871A00314AFD734AF38CC81BBABBE9EB84710F10852EF556DB281D7719D818790

Function 00CA56D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00CA5783
GetLastError.KERNEL32(?,00000000), ref: 00CA57A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00CA57CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00CA57FA

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 4968716e6bd8a19b12b974850041adacb4dcf3de453e42a83628af19d6bfbe78
Instruction ID: f3c93116c56df0b1292719617f0a30c4cb4dca18090b00023ff05dd77d1d3220
Opcode Fuzzy Hash: 4968716e6bd8a19b12b974850041adacb4dcf3de453e42a83628af19d6bfbe78
Instruction Fuzzy Hash: 21413E39610611DFCB25DF15C484A5DBBE1EF49324F18C488E85AAB362CB34FD00DB91

Function 00C6D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,00C56D71,00000000,00000000,00C582D9,?,00C582D9,?,00000001,00C56D71,8BE85006,00000001,00C582D9,00C582D9), ref: 00C6D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00C6D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00C6D9AB
__freea.LIBCMT ref: 00C6D9B4

Part of subcall function 00C63820: RtlAllocateHeap.NTDLL(00000000,?,00D01444,?,00C4FDF5,?,?,00C3A976,00000010,00D01440,00C313FC,?,00C313C6,?,00C31129), ref: 00C63852

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 52f2bb7d4744849122251456e54c61058422e85a2fe07fe976c2791a7bdbeb96
Instruction ID: da0e26a0042c6b59f55d420ab6fa07edd6f92e725fd62458a37764d1d553c2bc
Opcode Fuzzy Hash: 52f2bb7d4744849122251456e54c61058422e85a2fe07fe976c2791a7bdbeb96
Instruction Fuzzy Hash: 5631D072A1020AABDF249F65DC85EAF7BA5EB40310B054168FC15D7150EB35CE54DB90

Function 00CC52C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00CC5352
GetWindowLongW.USER32(?,000000F0), ref: 00CC5375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00CC5382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00CC53A8

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: 995147ffcebcc0dbeef3cd292a9962913d3b117009e6cd5667ce6508e819089f
Instruction ID: e16e33f28c18d0ce9f0479dfdd5ac617d53fce54df41cf73636e253f65bb03ec
Opcode Fuzzy Hash: 995147ffcebcc0dbeef3cd292a9962913d3b117009e6cd5667ce6508e819089f
Instruction Fuzzy Hash: CF31C234B55A88EFEB309F14CC45FE87765AB04390F5C410AFA25962F1C7B0BAC0AB51

Function 00C9AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 00C9ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 00C9AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 00C9AC74
SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 00C9ACC6

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 53c5f3d72d75b7bdeeccc60faeb698289c5d038a8363d740a72bf7f15051e4f2
Instruction ID: a40d70bf28f78054702df0dea4cdffe0386ffee576b9b486bdca9c5fe32ca850
Opcode Fuzzy Hash: 53c5f3d72d75b7bdeeccc60faeb698289c5d038a8363d740a72bf7f15051e4f2
Instruction Fuzzy Hash: 82310730A007186FEF35CB69CC0CBFE7BA5AB89311F04471AE4A59A1D1C3768A8597D2

Function 00CC7674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00CC769A
GetWindowRect.USER32(?,?), ref: 00CC7710
PtInRect.USER32(?,?,00CC8B89), ref: 00CC7720
MessageBeep.USER32(00000000), ref: 00CC778C

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 8a2dd30742a4cca754f144abd2130697c26e51f9e5907b1515686c9604262967
Instruction ID: 6f104d155bb542ab8f5c4dc202c79a205c7201e7e2ed4e54f300db2a29f31301
Opcode Fuzzy Hash: 8a2dd30742a4cca754f144abd2130697c26e51f9e5907b1515686c9604262967
Instruction Fuzzy Hash: 22415B38A052189FCB12CF68D894FA977F5FB49314F1542ADE428DB261C730EA41CF90

Function 00CC16DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00CC16EB

Part of subcall function 00C93A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00C93A57
Part of subcall function 00C93A3D: GetCurrentThreadId.KERNEL32 ref: 00C93A5E
Part of subcall function 00C93A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00C925B3), ref: 00C93A65

GetCaretPos.USER32(?), ref: 00CC16FF
ClientToScreen.USER32(00000000,?), ref: 00CC174C
GetForegroundWindow.USER32 ref: 00CC1752

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: f920892dd94352dd4080fbf10a8308293e71f06a4974a42c0351b73f5a344c7f
Instruction ID: 575bcfbda4dbb4dc14a448b5a5a2b6a378fbb6838ff3fa0c27a80ebb654641bf
Opcode Fuzzy Hash: f920892dd94352dd4080fbf10a8308293e71f06a4974a42c0351b73f5a344c7f
Instruction Fuzzy Hash: B9315075D10149AFCB04EFAAC8C1DAEB7F9EF49304B5480A9E415E7212DB319E45DFA0

Function 00C9DF95 Relevance: 6.1, APIs: 4, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 00C37620: _wcslen.LIBCMT ref: 00C37625

_wcslen.LIBCMT ref: 00C9DFCB
_wcslen.LIBCMT ref: 00C9DFE2
_wcslen.LIBCMT ref: 00C9E00D
GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00C9E018

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: _wcslen$ExtentPoint32Text
String ID:
API String ID: 3763101759-0
Opcode ID: e6786b2fe287fbbddfae095799da3cbd3fba5f4c3bff1cf01f4b4bd300c44840
Instruction ID: c391ee3109276453f87cd2633034b9c7f9610d7dc0a9b7fa19a3d3308f240e86
Opcode Fuzzy Hash: e6786b2fe287fbbddfae095799da3cbd3fba5f4c3bff1cf01f4b4bd300c44840
Instruction Fuzzy Hash: AB21A175D00214AFCB20DFA8D982BAEB7F8EF45750F144069E905BB245D6709E81DBA1

Function 00CC8FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C49BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00C49BB2

GetCursorPos.USER32(?), ref: 00CC9001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00C87711,?,?,?,?,?), ref: 00CC9016
GetCursorPos.USER32(?), ref: 00CC905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00C87711,?,?,?), ref: 00CC9094

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: e50552c74fee8a88b02070bec5e1874550844f23bd628c673b77456fd14782d3
Instruction ID: 038777007b108485128f51c0c3cbc68315fe3b3edd7e10a83ecd23074e06a723
Opcode Fuzzy Hash: e50552c74fee8a88b02070bec5e1874550844f23bd628c673b77456fd14782d3
Instruction Fuzzy Hash: 56217C35600118EFDB258F94D898FEA7BB9EB8D350F144069F9198B2A1C7319A90EB60

Function 00C9D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00CCCB68), ref: 00C9D2FB
GetLastError.KERNEL32 ref: 00C9D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 00C9D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00CCCB68), ref: 00C9D376

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 52dee55598d629c2a8cc03cf6d5a74aa313ac19e48a463f49fd1e122219a2e84
Instruction ID: 7f905be847fee09507ea24f2ba22cb3dd78e36704bd0f9366be9ca9b45a8f970
Opcode Fuzzy Hash: 52dee55598d629c2a8cc03cf6d5a74aa313ac19e48a463f49fd1e122219a2e84
Instruction Fuzzy Hash: 2F218D705082019F8B00DF28C88596EB7F4FF56365F104A1DF4AAE32A1D730DA46CB93

Function 00C91571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C91014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00C9102A
Part of subcall function 00C91014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00C91036
Part of subcall function 00C91014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C91045
Part of subcall function 00C91014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00C9104C
Part of subcall function 00C91014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C91062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00C915BE
_memcmp.LIBVCRUNTIME ref: 00C915E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C91617
HeapFree.KERNEL32(00000000), ref: 00C9161E

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 13703f153b899b8eedf4ad04cd445457f518c4d6dc906506d47f24ef250642c2
Instruction ID: debbf63a68ead846fcac61f539add0e718f257ab83ee1d6fb666542ce4410a37
Opcode Fuzzy Hash: 13703f153b899b8eedf4ad04cd445457f518c4d6dc906506d47f24ef250642c2
Instruction Fuzzy Hash: AD217A31E4010AAFDF00DFA4C94ABEEB7B8EF44354F094459E855AB241E730AB05DBA0

Function 00CC2782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 00CC280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00CC2824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00CC2832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00CC2840

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 1e50bc3adf6bde1f69dbf7be0c982b2fbba510bc1c6ae79e7a06680e4503f275
Instruction ID: 5f80873af8ffd701f5d6257b12025decfc194377e55663372acd5bf0bbca0da5
Opcode Fuzzy Hash: 1e50bc3adf6bde1f69dbf7be0c982b2fbba510bc1c6ae79e7a06680e4503f275
Instruction Fuzzy Hash: 9521B035204511AFD714DB24C895FAA7BA5EF85324F14815CF42ACB6E2CB71FD82CB90

Function 00C978F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00C98D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,00C9790A,?,000000FF,?,00C98754,00000000,?,0000001C,?,?), ref: 00C98D8C
Part of subcall function 00C98D7D: lstrcpyW.KERNEL32(00000000,?,?,00C9790A,?,000000FF,?,00C98754,00000000,?,0000001C,?,?,00000000), ref: 00C98DB2
Part of subcall function 00C98D7D: lstrcmpiW.KERNEL32(00000000,?,00C9790A,?,000000FF,?,00C98754,00000000,?,0000001C,?,?), ref: 00C98DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00C98754,00000000,?,0000001C,?,?,00000000), ref: 00C97923
lstrcpyW.KERNEL32(00000000,?,?,00C98754,00000000,?,0000001C,?,?,00000000), ref: 00C97949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00C98754,00000000,?,0000001C,?,?,00000000), ref: 00C97984

Strings

cdecl, xrefs: 00C9797B

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 1df5be5a3fedbe743bc69503551f8b4796d522743f430f114f5c522895bc08dc
Instruction ID: 13f433af09cc8294011cac38e70865225bca86a4023854371fedade771986d52
Opcode Fuzzy Hash: 1df5be5a3fedbe743bc69503551f8b4796d522743f430f114f5c522895bc08dc
Instruction Fuzzy Hash: 1711263A201302AFCF15AF35D848E7B77A9FF85750B10412AF906CB2A4EF319901D7A1

Function 00CC7CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00CC7D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00CC7D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00CC7D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00CAB7AD,00000000), ref: 00CC7D6B

Part of subcall function 00C49BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00C49BB2

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 9c045e9ef20e1fd912425aeee36b36b37f7e537e42ef4077e448e25ae44dfaf9
Instruction ID: 256e5b19cfe5aa10f1b66f65ca7aeb7578040d0c6c614477809e3b411021af6c
Opcode Fuzzy Hash: 9c045e9ef20e1fd912425aeee36b36b37f7e537e42ef4077e448e25ae44dfaf9
Instruction Fuzzy Hash: 58115C36605615AFCB109F28DC44FAA3BA5EF45360F258728F83AD72E0D7309A51DF90

Function 00CC5660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 00CC56BB
_wcslen.LIBCMT ref: 00CC56CD
_wcslen.LIBCMT ref: 00CC56D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00CC5816

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: feeaa1b9e53d9ec9da69101d1774e3590c58ec26f255f8c896dde853b13279b3
Instruction ID: afaec9130d98ff7382f9d77ff4a79dab6c7950e060ab58a7bbfa046ce39ff4eb
Opcode Fuzzy Hash: feeaa1b9e53d9ec9da69101d1774e3590c58ec26f255f8c896dde853b13279b3
Instruction Fuzzy Hash: D611D375A00608A6DF20DF65CC85FEE77ACEF11764B10416EF925D6181E770EAC4CB64

Function 00C61D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6cc64deef60291166ee6079e2a1516e06516f17cc3081aec2a95fd09159b634
Instruction ID: 5077cb2bd06ec382f9cd1906900ad6eca93097aa33ab2f291b86636ff7e43c4e
Opcode Fuzzy Hash: a6cc64deef60291166ee6079e2a1516e06516f17cc3081aec2a95fd09159b634
Instruction Fuzzy Hash: 8001D1B2609A163EFA322A796CC1F2B661CDF817B9F3C0325F931A12D2DB608D406170

Function 00C91A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00C91A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00C91A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00C91A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00C91A8A

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 400b5feab5103df4dfc93fc1b9e72ca6e3d6b4778da65e4e1191c0c3258d92fc
Instruction ID: 35793562e6b7ff33a07fbdcd17bbc9d3b12ef654ca2f11f340397b1c93e73f2e
Opcode Fuzzy Hash: 400b5feab5103df4dfc93fc1b9e72ca6e3d6b4778da65e4e1191c0c3258d92fc
Instruction Fuzzy Hash: 0F11F73AD01219FFEF119BA5C985FADBB78EB08750F240091EA14B7290DA716E50EB94

Function 00C9E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00C9E1FD
MessageBoxW.USER32(?,?,?,?), ref: 00C9E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00C9E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00C9E24D

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: fcbdc133beec82da6ff7cc3e8265815b4b2b75c540b3a3c902966c6f5daa6c4c
Instruction ID: e2ae8dc95244783b38f786ca216041c805aa695ccafc381b7bbceabe67e9b63c
Opcode Fuzzy Hash: fcbdc133beec82da6ff7cc3e8265815b4b2b75c540b3a3c902966c6f5daa6c4c
Instruction Fuzzy Hash: 2011A176904258BBCB01DBA8EC49B9E7BACAB45720F144265F929E3391D6B0CA0487A0

Function 00C5D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,00C5CFF9,00000000,00000004,00000000), ref: 00C5D218
GetLastError.KERNEL32 ref: 00C5D224
__dosmaperr.LIBCMT ref: 00C5D22B
ResumeThread.KERNEL32(00000000), ref: 00C5D249

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: fa697764b90894e4584070dbc9067ec4d6c3822602bc722ce82aed3bc66637b0
Instruction ID: 97ef18a95fb2ff94235b1752317ac3ef33dd1763e3773295e2b56a223b8a7db7
Opcode Fuzzy Hash: fa697764b90894e4584070dbc9067ec4d6c3822602bc722ce82aed3bc66637b0
Instruction Fuzzy Hash: D501D67A4053047BC7315BA6DC45BAF7A69DF81333F140219FD26921D0DB70CD8AD6A4

Function 00CC9EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00C49BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00C49BB2

GetClientRect.USER32(?,?), ref: 00CC9F31
GetCursorPos.USER32(?), ref: 00CC9F3B
ScreenToClient.USER32(?,?), ref: 00CC9F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 00CC9F7A

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: f5645cf8ab6500bc6e75ecac6f22d4305558b5ed8dbb610850bac928f5444d8d
Instruction ID: f3043a2843e9e962fe50c3eda824a805e3cb2b68c2915ad7c395d50d5753ab4f
Opcode Fuzzy Hash: f5645cf8ab6500bc6e75ecac6f22d4305558b5ed8dbb610850bac928f5444d8d
Instruction Fuzzy Hash: 4911153690021AEBDB10DFA8D889FEE77B9FB45311F000459F911E3150D730BA92DBA1

Function 00C3600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00C3604C
GetStockObject.GDI32(00000011), ref: 00C36060
SendMessageW.USER32(00000000,00000030,00000000), ref: 00C3606A

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 823bb90a730aceae243310f73d50048abb2cadc8ea5512b82c33d9f45d163178
Instruction ID: d78d44e4792580d4151fcd0acbb8cb1dec2101a5590c1fd7fd269794397018e3
Opcode Fuzzy Hash: 823bb90a730aceae243310f73d50048abb2cadc8ea5512b82c33d9f45d163178
Instruction Fuzzy Hash: 44115B72511509BFEF164FA4DC85FEEBF69EF093A4F044215FA2892110DB32DD60ABA4

Function 00C53B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00C53B56

Part of subcall function 00C53AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00C53AD2
Part of subcall function 00C53AA3: ___AdjustPointer.LIBCMT ref: 00C53AED

_UnwindNestedFrames.LIBCMT ref: 00C53B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00C53B7C
CallCatchBlock.LIBVCRUNTIME ref: 00C53BA4

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: d910e29e8ea132157d5c74ffd3aa5886169b47873306381bcb278e6d3e459757
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 76014C36100188BBDF125E95CC42EEB3F6EEF88799F044014FE5896121C732E9A5EBA4

Function 00C63073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00C313C6,00000000,00000000,?,00C6301A,00C313C6,00000000,00000000,00000000,?,00C6328B,00000006,FlsSetValue), ref: 00C630A5
GetLastError.KERNEL32(?,00C6301A,00C313C6,00000000,00000000,00000000,?,00C6328B,00000006,FlsSetValue,00CD2290,FlsSetValue,00000000,00000364,?,00C62E46), ref: 00C630B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00C6301A,00C313C6,00000000,00000000,00000000,?,00C6328B,00000006,FlsSetValue,00CD2290,FlsSetValue,00000000), ref: 00C630BF

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 8a7b1f73d673fe37de4ad697da77f9882ce14713afde59a9334cd63394529629
Instruction ID: 5f3e3869453636294de3c1d20d151a1e6b57e0a84a514f47c123de8fa8036065
Opcode Fuzzy Hash: 8a7b1f73d673fe37de4ad697da77f9882ce14713afde59a9334cd63394529629
Instruction Fuzzy Hash: 0601F732301262ABCB314B79ECC4F5B7B98EF45BA1B140620F929E3180C721DA0AC7E0

Function 00C97464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 00C9747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00C97497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00C974AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00C974CA

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 69fe6135a163bac38071e5037b9945b8b82368af5ff1a406cc59e59167008669
Instruction ID: 488b5e183bbab7b37841fb289aa221399bfcf3b45fb18ba3f8f24424732e86f1
Opcode Fuzzy Hash: 69fe6135a163bac38071e5037b9945b8b82368af5ff1a406cc59e59167008669
Instruction Fuzzy Hash: B7118EB12163109BEB20CF15DC4CFA67BFCEB00B00F108669E62AD6152D770E944DF90

Function 00C9B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00C9ACD3,?,00008000), ref: 00C9B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00C9ACD3,?,00008000), ref: 00C9B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00C9ACD3,?,00008000), ref: 00C9B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00C9ACD3,?,00008000), ref: 00C9B126

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: df25b6a31f77c47dc56574c3db8eddf731be18666602d2483071e43cb77474d9
Instruction ID: 1208956aa9af2cdcafc73c82a0c1c40beb81715f5f289ba78e008f5d6782ce98
Opcode Fuzzy Hash: df25b6a31f77c47dc56574c3db8eddf731be18666602d2483071e43cb77474d9
Instruction Fuzzy Hash: 30115B71C01A2CE7CF00AFE5EAACBEEBB78FF49711F114095D951B2181CB305A508B91

Function 00CC7E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00CC7E33
ScreenToClient.USER32(?,?), ref: 00CC7E4B
ScreenToClient.USER32(?,?), ref: 00CC7E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00CC7E8A

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 04cce1db3ea1b0fb58f06601649ad4dddd5234f9ab7df95e6eade4466c877d55
Instruction ID: 2d03299726cfe0aaf1d16d44def0655732224d2a548abf6ea935454206d9d8fc
Opcode Fuzzy Hash: 04cce1db3ea1b0fb58f06601649ad4dddd5234f9ab7df95e6eade4466c877d55
Instruction Fuzzy Hash: 9F1114B9D0024AAFDB41DF98C984AEEBBF5FF08310F505156E915E3210D735AA55CF50

Function 00C92DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00C92DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00C92DD6
GetCurrentThreadId.KERNEL32 ref: 00C92DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00C92DE4

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 725f3748408bf7ef6fa271f1e4ee6969eda777afcc71d3dd894559b83075ab96
Instruction ID: ed0e519ce739e8319a1a86139f87005dac7e0ce0867b7482366e7c74c0bd9125
Opcode Fuzzy Hash: 725f3748408bf7ef6fa271f1e4ee6969eda777afcc71d3dd894559b83075ab96
Instruction Fuzzy Hash: 17E01272501224BBDB201B73DD8DFEF7E6CEF56BA5F450115F50AD10909AA5C941C6B0

Function 00CC8863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00C49639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00C49693
Part of subcall function 00C49639: SelectObject.GDI32(?,00000000), ref: 00C496A2
Part of subcall function 00C49639: BeginPath.GDI32(?), ref: 00C496B9
Part of subcall function 00C49639: SelectObject.GDI32(?,00000000), ref: 00C496E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00CC8887
LineTo.GDI32(?,?,?), ref: 00CC8894
EndPath.GDI32(?), ref: 00CC88A4
StrokePath.GDI32(?), ref: 00CC88B2

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 39fc6902f88679c7e899c97ac86daac7880f416cecb8438bc4f3e64b52288ca8
Instruction ID: d21caaa4036f4b54312444ef5d140bc51d8a8ce1478e7ffef1af63480003b1c3
Opcode Fuzzy Hash: 39fc6902f88679c7e899c97ac86daac7880f416cecb8438bc4f3e64b52288ca8
Instruction Fuzzy Hash: 6AF05E36041258FADB125F94EC09FDE3F59AF06710F048004FA65655E1C7755611DFE5

Function 00C498B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00C498CC
SetTextColor.GDI32(?,?), ref: 00C498D6
SetBkMode.GDI32(?,00000001), ref: 00C498E9
GetStockObject.GDI32(00000005), ref: 00C498F1

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 95cd2c782d7569e09f337f745de2d6cd10758a0acea180ec9c6677fe69dce527
Instruction ID: 26d9d8f2bb20daa6e2612d922e01c39b8cba2f5a8dc0c21557d63a19b1d89f9a
Opcode Fuzzy Hash: 95cd2c782d7569e09f337f745de2d6cd10758a0acea180ec9c6677fe69dce527
Instruction Fuzzy Hash: A6E03931644280AADB215B75EC49BED3B20AB52336F188219F6BE980E1C37286409B10

Function 00C9162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00C91634
OpenThreadToken.ADVAPI32(00000000,?,?,?,00C911D9), ref: 00C9163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00C911D9), ref: 00C91648
OpenProcessToken.ADVAPI32(00000000,?,?,?,00C911D9), ref: 00C9164F

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 65a54fc3f4ed23bd3e33fb43e4e4f566a032cade09bd17f2bab0c179fd5e9287
Instruction ID: 41aceaa9b3775fab5abb1196cfd9964758b70b3bbace6a278b9d42ec109ea27e
Opcode Fuzzy Hash: 65a54fc3f4ed23bd3e33fb43e4e4f566a032cade09bd17f2bab0c179fd5e9287
Instruction Fuzzy Hash: 99E08671A01211DBDB201FA0ED4DF8A3B7CFF44791F1C4808F659C9090D634C541C750

Function 00C8D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00C8D858
GetDC.USER32(00000000), ref: 00C8D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00C8D882
ReleaseDC.USER32(?), ref: 00C8D8A3

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 7c81b774073f072a492682d729cd9c25bf5ee51c2df7edd5cd709eb1cd0999a0
Instruction ID: 6886d425e40ad54f40b5abbd3eea32afe52202a541da1d3ee23ff84e0b350cde
Opcode Fuzzy Hash: 7c81b774073f072a492682d729cd9c25bf5ee51c2df7edd5cd709eb1cd0999a0
Instruction Fuzzy Hash: E6E0BFB5800205DFCF41AFA5D98CB6DBBB5FB08311F148459F85BE7250C7399942AF50

Function 00C8D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00C8D86C
GetDC.USER32(00000000), ref: 00C8D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00C8D882
ReleaseDC.USER32(?), ref: 00C8D8A3

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: ebb2e1ea9bc7a8e0dadb15458329f2ed162a35c629c18b7d71de53152e7421f8
Instruction ID: b6e28d021bed072ee2a4a20b8031e96b4221a5833d7512a2307dcea63ad09873
Opcode Fuzzy Hash: ebb2e1ea9bc7a8e0dadb15458329f2ed162a35c629c18b7d71de53152e7421f8
Instruction Fuzzy Hash: 4DE0B6B5C00204EFCF51AFA5D98CB6DBBB5FB08311F148449F95AE7250CB399902AF50

Function 00CA4D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00C37620: _wcslen.LIBCMT ref: 00C37625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00CA4ED4

Strings

*, xrefs: 00CA4E10
LPT, xrefs: 00CA4DFB

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: cd4ac08f31b995d5aaab7a91dd3927edd834d829c87bbcfa97f47e2de91ecbdc
Instruction ID: dc6c6f2879f080911fe12c29f74736a496dd06d02ec01e9e1549b67d070b37d9
Opcode Fuzzy Hash: cd4ac08f31b995d5aaab7a91dd3927edd834d829c87bbcfa97f47e2de91ecbdc
Instruction Fuzzy Hash: BC917575900205DFCB18DF98C884EA9BBF1BF85308F158099E41A9F362D775EE85CB91

Function 00C5E27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00C5E30D

Strings

pow, xrefs: 00C5E2E5, 00C5E302

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: a2cc0a43f281913c08e5a2c61bedc9da324ee767a74469c975d2ef48446ea737
Instruction ID: 83a3443747db9555ceabe7349bd99ae048eed82487fb44fe2fcde9c75792bc20
Opcode Fuzzy Hash: a2cc0a43f281913c08e5a2c61bedc9da324ee767a74469c975d2ef48446ea737
Instruction Fuzzy Hash: 72519E65A0C20196CB297714CD8137D3B949B10746F304E99E8F5822F9EB358FCD9A4A

Function 00C4E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 00C4E1B1

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 813ea88a7e898ad0d437a4de0d48a1fb364c9da9b602f6bfd76bf9a7ed80cd9e
Instruction ID: f6633faa6a17392ba16adfe8bc4c9f5ff9ecb5cab7c71d15b03146fd11e6b3ed
Opcode Fuzzy Hash: 813ea88a7e898ad0d437a4de0d48a1fb364c9da9b602f6bfd76bf9a7ed80cd9e
Instruction Fuzzy Hash: E8514475A04246DFDB24EF68C481ABE7BA4FF16314F248059ECA19B2C0D7349E42DBA4

Function 00C4F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00C4F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 00C4F2BB

Strings

@, xrefs: 00C4F2AF

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 796343c14b22863f321a8ec6d2ff9ce2536451b728364fbaa508964531fc86e5
Instruction ID: 8baca83c2fcd67e6e6ddb4188e82f8e08b208dccb46520268a7e030a3a2163a8
Opcode Fuzzy Hash: 796343c14b22863f321a8ec6d2ff9ce2536451b728364fbaa508964531fc86e5
Instruction Fuzzy Hash: E25135724187489BD320AF54DC86BAFBBF8FB88300F81895DF1D9511A5EB708529CB67

Function 00CB5745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 00CB57E0
_wcslen.LIBCMT ref: 00CB57EC

Strings

CALLARGARRAY, xrefs: 00CB57E6, 00CB57EB

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 16dab74444c6410ef7d0cfbb0ca9d6f8d34aecca2aabbd9c01fa97d8330b3009
Instruction ID: e38856eff3498c1c172a58c0ffd5eff98e3c551c3c29afb26d744d10b4223b91
Opcode Fuzzy Hash: 16dab74444c6410ef7d0cfbb0ca9d6f8d34aecca2aabbd9c01fa97d8330b3009
Instruction Fuzzy Hash: 4F41BE71E402099FCF14DFA9C885AFEBBB5FF59324F144029E515A7291E7319E81CB90

Function 00CAD0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00CAD130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00CAD13A

Strings

|, xrefs: 00CAD10B

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 8297a45091f97f4128c155ae53eb5fb97f8a5b0779d7c7e13b192904535ab4bc
Instruction ID: bb7a821fad97a03bb62f5fd3bf769d023b6f3853e634362278d645a83ac15c9e
Opcode Fuzzy Hash: 8297a45091f97f4128c155ae53eb5fb97f8a5b0779d7c7e13b192904535ab4bc
Instruction Fuzzy Hash: A5315D71D10209ABCF15EFA5CC85AEEBFB9FF09314F004019F916A6161D735AA46DF50

Function 00CC356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00CC3621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00CC365C

Strings

static, xrefs: 00CC35BC

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 51a525c70c2ca39d6cd0447d2bf953e969553493ce04ef945938c72fe64402a6
Instruction ID: 8ae7b7ced2bf437cb9407cea8e8f59a5e19c7328adaeaa6625b2187f2040a29f
Opcode Fuzzy Hash: 51a525c70c2ca39d6cd0447d2bf953e969553493ce04ef945938c72fe64402a6
Instruction Fuzzy Hash: 71318B71110244AADB10DF68DC81FFB73A9FF88720F10961DF9A997290DA31AE81DB64

Function 00CC4537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 00CC461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00CC4634

Strings

', xrefs: 00CC458E

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: a9527d28e96873a9051226c3edce3588a07bf0477deabd02e311d8d39a7b3979
Instruction ID: c97a6520ad11441923009acc73ed3caf68827c5b8ab0c6f13ff54059c6fc3109
Opcode Fuzzy Hash: a9527d28e96873a9051226c3edce3588a07bf0477deabd02e311d8d39a7b3979
Instruction Fuzzy Hash: F1311974A013099FDB18CF69C990FDA7BB5FF49300F14806AE915AB355D770A941CF90

Function 00CC31EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00CC327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00CC3287

Strings

Combobox, xrefs: 00CC3249

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 9cd29d2b6ce7b6d24dad316003ee0d43b081c6894e4556de18f8e7db0134ad9a
Instruction ID: 4d4199173554edb6db60fd6ddada85022e242dbb1fc6a6b58e63a303b5630426
Opcode Fuzzy Hash: 9cd29d2b6ce7b6d24dad316003ee0d43b081c6894e4556de18f8e7db0134ad9a
Instruction Fuzzy Hash: 6311B2713002487FEF259F54EC81FBB376AEB94364F108129F92897292D6719E519760

Function 00CC3710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00C3600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00C3604C
Part of subcall function 00C3600E: GetStockObject.GDI32(00000011), ref: 00C36060
Part of subcall function 00C3600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00C3606A

GetWindowRect.USER32(00000000,?), ref: 00CC377A
GetSysColor.USER32(00000012), ref: 00CC3794

Strings

static, xrefs: 00CC3757

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 5209a3e7aec421c0123befcd078facb4beced625f1661a2c33b10f52de3d27a6
Instruction ID: 0d27198dbd48e86b7c48a907f673df6fe31210481ed9a2445a08285038a9abf3
Opcode Fuzzy Hash: 5209a3e7aec421c0123befcd078facb4beced625f1661a2c33b10f52de3d27a6
Instruction Fuzzy Hash: 1F1129B2610209AFDB01DFA8DD4AFEE7BB8EB08314F004518F965E2250D735E9519B60

Function 00CACD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00CACD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00CACDA6

Strings

<local>, xrefs: 00CACD66

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 33231eb21645471f9f73e307760adecc7bc92061a3082867b51d4bc50bd56d71
Instruction ID: c4d0354118e98ba0c5fe02aeed72135b9d26eefcbf01a310bbcc5108a41b406b
Opcode Fuzzy Hash: 33231eb21645471f9f73e307760adecc7bc92061a3082867b51d4bc50bd56d71
Instruction Fuzzy Hash: E211A371A056367AD7244B668CC9FE7BE68EB137A8F004226F12982180D7609950D6F0

Function 00CC3429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00CC34AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00CC34BA

Strings

edit, xrefs: 00CC348F

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 11986289e7f5c0970f88111b226d58da578ee080003a00e52c631caf1b809c60
Instruction ID: 727fc1e320b2a0d17a6d67d9d458a16208f12f5ec42c5e5c79c6052ff044d39a
Opcode Fuzzy Hash: 11986289e7f5c0970f88111b226d58da578ee080003a00e52c631caf1b809c60
Instruction Fuzzy Hash: 4A118F71100248ABEB169F64EC84FEB3B6AEB05374F508728F975971D0C771DE919B60

Function 00C96C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00C39CB3: _wcslen.LIBCMT ref: 00C39CBD

CharUpperBuffW.USER32(?,?,?), ref: 00C96CB6
_wcslen.LIBCMT ref: 00C96CC2

Strings

STOP, xrefs: 00C96CBC, 00C96CC1

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 930fbe9ec4f26fdb6e1c171431063dd129bf0f6a28c714b84d7f3ea5c38db9ca
Instruction ID: 06217d16fd5b8704edba60e89b581106e6ba67950b0bbe5e46ae28727ed1d597
Opcode Fuzzy Hash: 930fbe9ec4f26fdb6e1c171431063dd129bf0f6a28c714b84d7f3ea5c38db9ca
Instruction Fuzzy Hash: 4601C033A145268ACF21AFFDDC899BF77B5EB61710B110528F8B2961D0EA31EA50C650

Function 00C91CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C39CB3: _wcslen.LIBCMT ref: 00C39CBD

Part of subcall function 00C93CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00C93CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00C91D4C

Strings

ComboBox, xrefs: 00C91CEB
ListBox, xrefs: 00C91D16

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 0827bbadd2d3d51ab3a1e799b52dfb41447ea75ff6f89f7ab70904dfb4d02114
Instruction ID: 9d70982ab0c8ae4792f1a5284105179b997c6d918211722784ca269448775ef5
Opcode Fuzzy Hash: 0827bbadd2d3d51ab3a1e799b52dfb41447ea75ff6f89f7ab70904dfb4d02114
Instruction Fuzzy Hash: 2101D872611219AB8F09EBA4CD5ADFE7768EF47390F040619FD32572C1EA705908D661

Function 00C91BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C39CB3: _wcslen.LIBCMT ref: 00C39CBD

Part of subcall function 00C93CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00C93CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00C91C46

Strings

ComboBox, xrefs: 00C91BE5
ListBox, xrefs: 00C91C10

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 9b1e244c76a59813b38b2ad3d3b10531d8cda3e43b9ae890383dbe36f17483a1
Instruction ID: 8b9e8d37f4407eafb66cbd651d73ee695b015edffefac8cd52856119fe1ad67f
Opcode Fuzzy Hash: 9b1e244c76a59813b38b2ad3d3b10531d8cda3e43b9ae890383dbe36f17483a1
Instruction Fuzzy Hash: 1B01A77578510967CF05EB90CA5AEFF77A8DF52340F140019F916672C1EA709F08D6B2

Function 00C91C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C39CB3: _wcslen.LIBCMT ref: 00C39CBD

Part of subcall function 00C93CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00C93CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00C91CC8

Strings

ComboBox, xrefs: 00C91C69
ListBox, xrefs: 00C91C94

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: bb86ff9d76aa6efdf6e277e755a6086ae3d324171497db553e5474a4bbfa6b4c
Instruction ID: 0d6902df4e528881dc9483aa7b3b7e4f586b4d79e0b8d7da774d89888502cad6
Opcode Fuzzy Hash: bb86ff9d76aa6efdf6e277e755a6086ae3d324171497db553e5474a4bbfa6b4c
Instruction Fuzzy Hash: 7A01D67579011967CF04EBA4CA0AEFE77A89B12380F580015BD02B3281EAB09F08D672

Function 00C91D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C39CB3: _wcslen.LIBCMT ref: 00C39CBD

Part of subcall function 00C93CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00C93CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00C91DD3

Strings

ComboBox, xrefs: 00C91D75
ListBox, xrefs: 00C91DA0

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: ea64ff8c8af6abbd1b266f7ec87dd40718fdb82399f64573defdb52b082e725f
Instruction ID: fd20075754dfc7b45027f29b0abac559cf082906986651939693699d5fb7d696
Opcode Fuzzy Hash: ea64ff8c8af6abbd1b266f7ec87dd40718fdb82399f64573defdb52b082e725f
Instruction Fuzzy Hash: 0AF0A476B5121967DF05E7A4CD5AFFE77A8EB02350F080915F922A72C1DAB05A089261

Function 00CB747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00CB7493
_wcslen.LIBCMT ref: 00CB74B9

Strings

3, 3, 16, 1, xrefs: 00CB7483

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: 289a786c04611e3ab0c6c6eb9a23d83eb40fd3c13aea68d22e18bd6390f0b6e8
Instruction ID: f8dd9f2dd81fb0910451d5155542169ba444234cc197804d3aa7c80e3ea73a21
Opcode Fuzzy Hash: 289a786c04611e3ab0c6c6eb9a23d83eb40fd3c13aea68d22e18bd6390f0b6e8
Instruction Fuzzy Hash: DBE0610670432020933513B9DCC29FF568DCFC5753B10192BFD81C2366EA94CED1A7A5

Function 00C90B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00C90B23

Strings

AutoIt, xrefs: 00C90B17
Error allocating memory., xrefs: 00C90B1C

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: be0d82cf271fa5dbad4854c88e554be1239e324511b4f3e620e6f279466e6fc6
Instruction ID: 48adef3ea633ceacf4463cc5cedfffa08c928ddec06a1046fbd0741f52ea67bd
Opcode Fuzzy Hash: be0d82cf271fa5dbad4854c88e554be1239e324511b4f3e620e6f279466e6fc6
Instruction Fuzzy Hash: B4E048312443183AD6143654BC47FC97A849F05B65F10442EFB9C555C38AE1659166A9

Function 00C50D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00C4F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00C50D71,?,?,?,00C3100A), ref: 00C4F7CE

IsDebuggerPresent.KERNEL32(?,?,?,00C3100A), ref: 00C50D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00C3100A), ref: 00C50D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00C50D7F

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: a626ed8fafa09803db168bff00ba9724c61dcae43eb9e9f724e04cd5829f4bae
Instruction ID: fdc82468553106bbffa2193e900c540b3de718a9d188fe083c05f4a606972a99
Opcode Fuzzy Hash: a626ed8fafa09803db168bff00ba9724c61dcae43eb9e9f724e04cd5829f4bae
Instruction Fuzzy Hash: A6E092B82007518BD7309FB8D448B467BF0BF00741F104D2DE886C6751DBB4E4898BA1

Function 00CA3017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 00CA302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00CA3044

Strings

aut, xrefs: 00CA3038

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 1e8031acbccf62976e670a5e2a60cf724f766262166d1cf056e0df2830151bcf
Instruction ID: 57ecc98b5811609669061f54329cf26f1a1f17a308480ce1fb1652b19e149dd2
Opcode Fuzzy Hash: 1e8031acbccf62976e670a5e2a60cf724f766262166d1cf056e0df2830151bcf
Instruction Fuzzy Hash: AAD05EB250032867DA60E7A4EC4EFDB3A6CDB04750F0002A1F659E2491DAB49984CAD0

Function 00C8D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00C8D220

Strings

X64, xrefs: 00C8D2A8
%.3d, xrefs: 00C8D22B

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 49c2eee6224dcabcf1c0e0bc1861364c24c23d0797bfcacf38d985eaf0e666f1
Instruction ID: cd3ec0e8accc84fab0d236d73bb7a36789c11a6a1cce3282316132f7d3e243b6
Opcode Fuzzy Hash: 49c2eee6224dcabcf1c0e0bc1861364c24c23d0797bfcacf38d985eaf0e666f1
Instruction Fuzzy Hash: D7D012A1808108FACB90B7D1DC89DBAB37CFB09305F508462F90792080D624D9086765

Function 00CC2356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00CC236C
PostMessageW.USER32(00000000), ref: 00CC2373

Part of subcall function 00C9E97B: Sleep.KERNEL32 ref: 00C9E9F3

Strings

Shell_TrayWnd, xrefs: 00CC2365

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 4d5dfa435921d57d7f9264e25562a82b189206c30744ace0f99b038a1f4e3ebb
Instruction ID: 45a351328e20112652abdf7d8a2297a07cf78b10b3b6b41063accd19ef6d8d02
Opcode Fuzzy Hash: 4d5dfa435921d57d7f9264e25562a82b189206c30744ace0f99b038a1f4e3ebb
Instruction Fuzzy Hash: 6CD0C9327853107AE6A4B771EC4FFCA66149B14B14F114916F74AEA1D0C9A4A8418A54

Function 00CC2322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00CC232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00CC233F

Part of subcall function 00C9E97B: Sleep.KERNEL32 ref: 00C9E9F3

Strings

Shell_TrayWnd, xrefs: 00CC2325

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 00c20797912cb28673a8b2dedabaa8f49d653f2546c1762ec375190b8ba01f0c
Instruction ID: 0b87c47c630664828fd1f9fe8b80273907d9324b78b7d24bbe3f5acb8649f41d
Opcode Fuzzy Hash: 00c20797912cb28673a8b2dedabaa8f49d653f2546c1762ec375190b8ba01f0c
Instruction Fuzzy Hash: 19D01236794310B7E6A4B771EC4FFDA7A149B10B14F114916F74AEA1D0C9F4A841CB54

Function 00C6BDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 00C6BE93
GetLastError.KERNEL32 ref: 00C6BEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00C6BEFC

Memory Dump Source

Source File: 00000000.00000002.1806973137.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.1806935984.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807063840.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807137720.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807172466.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: e5e91b8650300bcc1c62ec7d730714e958fb8c0e7fc5d349899bb134e0298a7e
Instruction ID: 3bf3638671d07866aaa34f7a8239c3ca7ed457e14c278b6a74b7b63689f4eb81
Opcode Fuzzy Hash: e5e91b8650300bcc1c62ec7d730714e958fb8c0e7fc5d349899bb134e0298a7e
Instruction Fuzzy Hash: F341E339604206AFCB318FA5CCC4BAA7BA5AF41310F144169F969D71B1DB318E82DB62

Analysis Process: firefox.exePID: 7508, Parent PID: 7048COMMON

Execution Graph

Execution Coverage:	0.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	100%
Total number of Nodes:	6
Total number of Limit Nodes:	0

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 000001DA3076B037 Relevance: 8.4, APIs: 1, Instructions: 6852nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL ref: 000001DA3076B05C

Memory Dump Source

Source File: 00000010.00000002.2996296412.000001DA30768000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001DA30768000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1da30768000_firefox.jbxd

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: a3d4a310f25344abd1978f5247c9d082b9ccbb3eaa73dfa71153365510a96fee
Instruction ID: 6076578cad23c91f68028a298ea2fae562fd59d78b4701c1c6df98c1d1869306
Opcode Fuzzy Hash: a3d4a310f25344abd1978f5247c9d082b9ccbb3eaa73dfa71153365510a96fee
Instruction Fuzzy Hash: 19A3E531A24A5D8BDB6DDF28DC857E973E5FB95300F44422ED94BC3251DF30EA428A86

Source: Joe Sandbox View	IP Address: 34.149.100.209 34.149.100.209
Source: Joe Sandbox View	IP Address: 151.101.129.91 151.101.129.91
Source: Joe Sandbox View	IP Address: 34.117.188.166 34.117.188.166
Source: Joe Sandbox View	IP Address: 34.160.144.191 34.160.144.191

Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache

Source: firefox.exe, 0000000D.00000003.2005758171.0000019F70D56000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1942806736.0000019F70D20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1853799187.0000019F76938000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ://www.facebook.com/platform/impression.php equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.2004634149.0000019F70D7A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1972994485.0000019F6F0AB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.2013370455.0000019F6F1E7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1949837893.0000019F7A612000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1959591479.0000019F7A62D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.2013370455.0000019F6F1E7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2001968415.0000019F6F246000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1995417269.0000019F6FC44000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://vk.com/,https://www.youtube.com/,https://ok.ru/,https://www.avito.ru/,https://www.aliexpress.com/,https://www.wikipedia.org/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1949837893.0000019F7A612000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1959591479.0000019F7A62D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1995417269.0000019F6FC44000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1995417269.0000019F6FC44000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1995417269.0000019F6FC44000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1995417269.0000019F6FC44000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000D.00000003.1995417269.0000019F6FC44000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1995417269.0000019F6FC44000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1995417269.0000019F6FC44000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1995417269.0000019F6FC44000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1995417269.0000019F6FC44000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1995417269.0000019F6FC44000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1995417269.0000019F6FC44000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000D.00000003.1995417269.0000019F6FC44000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1995417269.0000019F6FC44000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1995417269.0000019F6FC44000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000D.00000003.1995417269.0000019F6FC44000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1995417269.0000019F6FC44000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1995417269.0000019F6FC44000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000D.00000003.1995417269.0000019F6FC44000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1981095300.0000019F70083000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1991671688.0000019F70083000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2011504849.0000019F70083000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1981095300.0000019F70083000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1991671688.0000019F70083000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2011504849.0000019F70083000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000D.00000003.1981095300.0000019F70083000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1991671688.0000019F70083000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2011504849.0000019F70083000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000010.00000002.2991523446.000001DA3060A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/`F equals www.facebook.com (Facebook)
Source: firefox.exe, 00000010.00000002.2991523446.000001DA3060A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/`F equals www.twitter.com (Twitter)
Source: firefox.exe, 00000010.00000002.2991523446.000001DA3060A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/`F equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.2004634149.0000019F70D7A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1972994485.0000019F6F0AB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: moz-extension://a581a2f1-688c-434b-8db8-16166b1993d9/injections/js/bug1842437-www.youtube.com-performance-now-precision.js equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1985480942.0000019F7C4A7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2013370455.0000019F6F1E7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2001968415.0000019F6F246000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1985480942.0000019F7C4A7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com- equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1960426623.0000019F76AD0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1940859856.0000019F76ACC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: x://www.facebook.com/platform/impression.php equals www.facebook.com (Facebook)

Source: global traffic	DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic	DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic	DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: example.org
Source: global traffic	DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic	DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: shavar.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: push.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: support.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: telemetry-incoming.r53-2.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: us-west1.prod.sumo.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: firefox.settings.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.remote-settings.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.facebook.com
Source: global traffic	DNS traffic detected: DNS query: www.wikipedia.org
Source: global traffic	DNS traffic detected: DNS query: youtube-ui.l.google.com
Source: global traffic	DNS traffic detected: DNS query: dyna.wikimedia.org
Source: global traffic	DNS traffic detected: DNS query: star-mini.c10r.facebook.com
Source: global traffic	DNS traffic detected: DNS query: www.reddit.com
Source: global traffic	DNS traffic detected: DNS query: twitter.com
Source: global traffic	DNS traffic detected: DNS query: reddit.map.fastly.net
Source: global traffic	DNS traffic detected: DNS query: services.addons.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: normandy.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: normandy-cdn.services.mozilla.com

Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.4:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:62519 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:62525 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:62526 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:62528 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.4:62529 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.129.91:443 -> 192.168.2.4:62530 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:62533 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:62535 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:62534 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.4:62536 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:62597 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:62598 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:62599 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:62603 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:62604 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:62605 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:62606 version: TLS 1.2

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 62521 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62538 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62519 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62605 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62530 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62518
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62519
Source: unknown	Network traffic detected: HTTP traffic on port 62528 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62534 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62524 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62597
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62598
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62599
Source: unknown	Network traffic detected: HTTP traffic on port 62599 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62604 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62524
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62525
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62526
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62603
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62527
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62604
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62528
Source: unknown	Network traffic detected: HTTP traffic on port 62533 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62605
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62726
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62529
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62606
Source: unknown	Network traffic detected: HTTP traffic on port 62527 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62523 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62520
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62521
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62566
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62523
Source: unknown	Network traffic detected: HTTP traffic on port 62603 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62535
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62536
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62538
Source: unknown	Network traffic detected: HTTP traffic on port 62532 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62526 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62536 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62597 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62530
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62531
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62532
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62533
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62534
Source: unknown	Network traffic detected: HTTP traffic on port 62566 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 62520 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62518 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62606 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62529 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62531 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62525 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62535 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 62598 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown	Network traffic detected: HTTP traffic on port 62726 -> 443

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_1a8fe094-ef80-4de2-9d30-5f01a2cf35e5.json (copy)

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_1a8fe094-ef80-4de2-9d30-5f01a2cf35e5.json.tmp

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

C:\Users\user\AppData\Local\Temp\tmpaddon

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite-shm

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Windows Analysis Report
file.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre