Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1542003
MD5:	9ce735e919479f12bad2322143e7f8fd
SHA1:	6e5ea899730617f90e6e0d74ad4b9f0605b2504a
SHA256:	8ad73c4ef11a15fcb55583e26925774e9c5d1a84b9d1a1349c27575c28cf18f6
Tags:	exeuser-Bitsight
Infos:

Detection

Credential Flusher

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Credential Flusher

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Connects to many different domains

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

OS version to string mapping found (often used in BOTs)

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

file.exe (PID: 7480 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 9CE735E919479F12BAD2322143E7F8FD)

taskkill.exe (PID: 7496 cmdline: taskkill /F /IM firefox.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7592 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7600 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7648 cmdline: taskkill /F /IM msedge.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7656 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7704 cmdline: taskkill /F /IM opera.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7712 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7768 cmdline: taskkill /F /IM brave.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7776 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

firefox.exe (PID: 7828 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7872 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7888 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 8124 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2284 -parentBuildID 20230927232528 -prefsHandle 2212 -prefMapHandle 2204 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9360d544-258c-40b5-a705-da6290788a6c} 7888 "\\.\pipe\gecko-crash-server-pipe.7888" 149c916d910 socket MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7816 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3840 -parentBuildID 20230927232528 -prefsHandle 4052 -prefMapHandle 3756 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4731ba06-e2a7-4d6f-bfe3-821b0451661e} 7888 "\\.\pipe\gecko-crash-server-pipe.7888" 149d8f2ff10 rdd MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 908 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5144 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 3476 -prefMapHandle 5344 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c82f3dcb-940f-40be-aa64-48f297a6d19a} 7888 "\\.\pipe\gecko-crash-server-pipe.7888" 149dafc0d10 utility MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: file.exe PID: 7480	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security

Code function: 0_2_0028EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_0028EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0028ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_0028ED6A

Source: C:\Users\user\Desktop\file.exe

0_2_0028EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0027AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_0027AA57

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_002A9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_002A9576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000000.1794176911.00000000002D2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_debbd166-6
Source: file.exe, 00000000.00000000.1794176911.00000000002D2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_d2220a51-1
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_933626ea-9
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_72bf50fc-4

Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_00000225F3E98237 NtQuerySystemInformation,		16_2_00000225F3E98237
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_00000225F3EBA972 NtQuerySystemInformation,		16_2_00000225F3EBA972

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0027D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_0027D5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00271201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00271201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0027E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_0027E8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0021BF40	0_2_0021BF40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00218060	0_2_00218060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00282046	0_2_00282046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00278298	0_2_00278298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0024E4FF	0_2_0024E4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0024676B	0_2_0024676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002A4873	0_2_002A4873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0023CAA0	0_2_0023CAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0021CAF0	0_2_0021CAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0022CC39	0_2_0022CC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00246DD9	0_2_00246DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0022B119	0_2_0022B119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002191C0	0_2_002191C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00231394	0_2_00231394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00231706	0_2_00231706
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0023781B	0_2_0023781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00217920	0_2_00217920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0022997D	0_2_0022997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002319B0	0_2_002319B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00237A4A	0_2_00237A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00231C77	0_2_00231C77
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00237CA7	0_2_00237CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0029BE44	0_2_0029BE44
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00249EEE	0_2_00249EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00231F32	0_2_00231F32
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_00000225F3E98237	16_2_00000225F3E98237
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_00000225F3EBA972	16_2_00000225F3EBA972
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_00000225F3EBA9B2	16_2_00000225F3EBA9B2
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_00000225F3EBB09C	16_2_00000225F3EBB09C

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 0022F9F2 appears 31 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00230A30 appears 46 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal72.troj.evad.winEXE@34/38@67/12

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_002837B5 GetLastError,FormatMessageW,

0_2_002837B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002710BF AdjustTokenPrivileges,CloseHandle,		0_2_002710BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002716C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_002716C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_002851CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_002851CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0027D4DC CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0027D4DC

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0028648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0028648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_002142A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_002142A2

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Mozilla\Firefox\SkeletonUILock-c388d246

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7712:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7656:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7600:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7504:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7776:120:WilError_03

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Temp\firefox

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe

ReversingLabs: Detection: 47%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2284 -parentBuildID 20230927232528 -prefsHandle 2212 -prefMapHandle 2204 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9360d544-258c-40b5-a705-da6290788a6c} 7888 "\\.\pipe\gecko-crash-server-pipe.7888" 149c916d910 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3840 -parentBuildID 20230927232528 -prefsHandle 4052 -prefMapHandle 3756 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4731ba06-e2a7-4d6f-bfe3-821b0451661e} 7888 "\\.\pipe\gecko-crash-server-pipe.7888" 149d8f2ff10 rdd
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5144 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 3476 -prefMapHandle 5344 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c82f3dcb-940f-40be-aa64-48f297a6d19a} 7888 "\\.\pipe\gecko-crash-server-pipe.7888" 149dafc0d10 utility
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2284 -parentBuildID 20230927232528 -prefsHandle 2212 -prefMapHandle 2204 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9360d544-258c-40b5-a705-da6290788a6c} 7888 "\\.\pipe\gecko-crash-server-pipe.7888" 149c916d910 socket	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3840 -parentBuildID 20230927232528 -prefsHandle 4052 -prefMapHandle 3756 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4731ba06-e2a7-4d6f-bfe3-821b0451661e} 7888 "\\.\pipe\gecko-crash-server-pipe.7888" 149d8f2ff10 rdd	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5144 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 3476 -prefMapHandle 5344 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c82f3dcb-940f-40be-aa64-48f297a6d19a} 7888 "\\.\pipe\gecko-crash-server-pipe.7888" 149dafc0d10 utility	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: webauthn.pdb source: firefox.exe, 0000000D.00000003.2018432845.00000149E7101000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdbV source: gmpopenh264.dll.tmp.13.dr
Source:	Binary string: wshbth.pdbGCTL source: firefox.exe, 0000000D.00000003.2022137629.00000149D87BD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: NapiNSP.pdbUGP source: firefox.exe, 0000000D.00000003.2017404862.00000149D87BD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: pnrpnsp.pdb source: firefox.exe, 0000000D.00000003.2020971399.00000149D87BD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wshbth.pdb source: firefox.exe, 0000000D.00000003.2022137629.00000149D87BD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: NapiNSP.pdb source: firefox.exe, 0000000D.00000003.2017404862.00000149D87BD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdb source: gmpopenh264.dll.tmp.13.dr
Source:	Binary string: webauthn.pdbGCTL source: firefox.exe, 0000000D.00000003.2018432845.00000149E7101000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: pnrpnsp.pdbUGP source: firefox.exe, 0000000D.00000003.2020971399.00000149D87BD000.00000004.00000020.00020000.00000000.sdmp

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_002142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_002142DE

Source: gmpopenh264.dll.tmp.13.dr

Static PE information: section name: .rodata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00230A76 push ecx; ret

0_2_00230A89

Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp			Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)			Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0022F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_0022F98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002A1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_002A1C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-94620

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 16_2_00000225F3E98237 rdtsc

16_2_00000225F3E98237

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.6 %

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0027DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0027DBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002868EE FindFirstFileW,FindClose,	0_2_002868EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0028698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0028698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0027D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0027D076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0027D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0027D3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00289642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00289642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0028979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0028979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00289B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00289B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00285C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00285C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_002142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_002142DE

Source: firefox.exe, 00000013.00000002.3067361782.000001D27ED00000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWq
Source: firefox.exe, 00000013.00000002.3060879985.000001D27E81A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0C
Source: firefox.exe, 0000000F.00000002.3068919066.000002054D548000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000F.00000002.3060835875.000002054CBAA000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3059630859.00000225F35CA000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3067323647.00000225F3F40000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: firefox.exe, 0000000F.00000002.3067630160.000002054D11F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: firefox.exe, 0000000F.00000002.3060835875.000002054CBAA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllS#:Q
Source: firefox.exe, 0000000F.00000002.3068919066.000002054D548000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll]
Source: firefox.exe, 0000000F.00000002.3068919066.000002054D548000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3067323647.00000225F3F40000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 16_2_00000225F3E98237 rdtsc

16_2_00000225F3E98237

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0028EAA2 BlockInput,

0_2_0028EAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00242622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00242622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_002142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_002142DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00234CE8 mov eax, dword ptr fs:[00000030h]

0_2_00234CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00270B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00270B62

Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00242622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00242622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0023083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0023083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002309D5 SetUnhandledExceptionFilter,	0_2_002309D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00230C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00230C21

Source: C:\Users\user\Desktop\file.exe

0_2_00271201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00252BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00252BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0027B226 SendInput,keybd_event,

0_2_0027B226

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_002922DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_002922DA

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

0_2_00270B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00271663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00271663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd
Source: firefox.exe, 0000000D.00000003.2006573991.00000149E7101000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: hSoftware\Policies\Microsoft\Windows\PersonalizationNoChangingStartMenuBackgroundPersonalColors_BackgroundWilStaging_02RtlDisownModuleHeapAllocationRtlQueryFeatureConfigurationRtlRegisterFeatureConfigurationChangeNotificationRtlSubscribeWnfStateChangeNotificationRtlDllShutdownInProgressntdll.dllNtQueryWnfStateDataLocal\SM0:%d:%d:%hs_p0Local\SessionImmersiveColorPreferenceBEGINTHMthmfile\Sessions\%d\Windows\ThemeSectionMessageWindowendthemewndThemeApiConnectionRequest\ThemeApiPortwinsta0SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\PersonalizeAppsUseLightThemeSystemUsesLightThemedefaultshell\themes\uxtheme\render.cppCompositedWindow::WindowdeletedrcacheMDIClientSoftware\Microsoft\Windows\DWMColorPrevalenceSoftware\Microsoft\Windows\CurrentVersion\ImmersiveShellTabletModeMENUAccentColorSoftware\Microsoft\Windows\CurrentVersion\Explorer\AccentDefaultStartColorControl Panel\DesktopAutoColorizationAccentColorMenuStartColorMenuAutoColorSoftware\Microsoft\Windows\CurrentVersion\Themes\History\ColorsSoftware\Microsoft\Windows\CurrentVersion\Themes\HistoryAccentPaletteTab$Shell_TrayWndLocal\SessionImmersiveColorMutex

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00230698 cpuid

0_2_00230698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00288195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00288195

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0026D27A GetUserNameW,

0_2_0026D27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0024BB6F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_0024BB6F

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_002142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_002142DE

Stealing of Sensitive Information

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 7480, type: MEMORYSTR

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 7480, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00291204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00291204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00291806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00291806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	2 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Extra Window Memory Injection	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	1 DLL Side-Loading	NTDS	16 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 Extra Window Memory Injection	LSA Secrets	131 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Process Injection	1 Masquerading	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	2 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	47%	ReversingLabs	Win32.Trojan.CredentialFlusher
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	0%	ReversingLabs

Source	Detection	Scanner	Label
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	0%	URL Reputation	safe
http://detectportal.firefox.com/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	0%	URL Reputation	safe
http://www.mozilla.com0	0%	URL Reputation	safe
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	0%	URL Reputation	safe
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	0%	URL Reputation	safe
https://merino.services.mozilla.com/api/v1/suggest	0%	URL Reputation	safe
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	0%	URL Reputation	safe
https://www.leboncoin.fr/	0%	URL Reputation	safe
https://spocs.getpocket.com/spocs	0%	URL Reputation	safe
https://completion.amazon.com/search/complete?q=	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	0%	URL Reputation	safe
https://ads.stickyadstv.com/firefox-etp	0%	URL Reputation	safe
https://identity.mozilla.com/ids/ecosystem_telemetryU	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	0%	URL Reputation	safe
https://monitor.firefox.com/breach-details/	0%	URL Reputation	safe
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/addons/addon/	0%	URL Reputation	safe
https://tracking-protection-issues.herokuapp.com/new	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	0%	URL Reputation	safe
https://api.accounts.firefox.com/v1	0%	URL Reputation	safe
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	0%	URL Reputation	safe
https://MD8.mozilla.org/1/m	0%	URL Reputation	safe
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	0%	URL Reputation	safe
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	0%	URL Reputation	safe
https://mitmdetection.services.mozilla.com/	0%	URL Reputation	safe
https://static.adsafeprotected.com/firefox-etp-js	0%	URL Reputation	safe
https://spocs.getpocket.com/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	0%	URL Reputation	safe
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	0%	URL Reputation	safe
https://monitor.firefox.com/user/breach-stats?includeResolved=true	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	0%	URL Reputation	safe
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	0%	URL Reputation	safe
https://monitor.firefox.com/user/dashboard	0%	URL Reputation	safe
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	0%	URL Reputation	safe
https://monitor.firefox.com/about	0%	URL Reputation	safe
https://account.bellmedia.c	0%	URL Reputation	safe
https://login.microsoftonline.com	0%	URL Reputation	safe
https://coverage.mozilla.org	0%	URL Reputation	safe
http://crl.thawte.com/ThawteTimestampingCA.crl0	0%	URL Reputation	safe
http://x1.c.lencr.org/0	0%	URL Reputation	safe
http://x1.i.lencr.org/0	0%	URL Reputation	safe
https://infra.spec.whatwg.org/#ascii-whitespace	0%	URL Reputation	safe
https://blocked.cdn.mozilla.net/	0%	URL Reputation	safe
https://json-schema.org/draft/2019-09/schema	0%	URL Reputation	safe
https://duckduckgo.com/?t=ffab&q=	0%	URL Reputation	safe
https://profiler.firefox.com	0%	URL Reputation	safe
https://outlook.live.com/default.aspx?rru=compose&to=%s	0%	URL Reputation	safe
https://identity.mozilla.com/apps/relay	0%	URL Reputation	safe
https://mozilla.cloudflare-dns.com/dns-query	0%	URL Reputation	safe
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	0%	URL Reputation	safe
https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg	0%	URL Reputation	safe
https://contile.services.mozilla.com/v1/tiles	0%	URL Reputation	safe
https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/	0%	URL Reputation	safe
https://monitor.firefox.com/user/preferences	0%	URL Reputation	safe
https://screenshots.firefox.com/	0%	URL Reputation	safe
https://truecolors.firefox.com/	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/tracking-content-report	0%	URL Reputation	safe
https://www.wykop.pl/	0%	URL Reputation	safe
https://www.olx.pl/	0%	URL Reputation	safe
https://support.mozilla.org/	0%	URL Reputation	safe
https://poczta.interia.pl/mh/?mailto=%s	0%	URL Reputation	safe
https://watch.sling.com/	0%	URL Reputation	safe
https://getpocket.com/firefox/new_tab_learn_more/	0%	URL Reputation	safe
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
example.org	93.184.215.14	true	false	unknown
star-mini.c10r.facebook.com	157.240.0.35	true	false	unknown
prod.classify-client.prod.webservices.mozgcp.net	35.190.72.216	true	false	unknown
prod.balrog.prod.cloudops.mozgcp.net	35.244.181.201	true	false	unknown
twitter.com	104.244.42.193	true	false	unknown
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82	true	false	unknown
services.addons.mozilla.org	151.101.1.91	true	false	unknown
dyna.wikimedia.org	185.15.59.224	true	false	unknown
prod.remote-settings.prod.webservices.mozgcp.net	34.149.100.209	true	false	unknown
contile.services.mozilla.com	34.117.188.166	true	false	unknown
youtube.com	172.217.18.14	true	false	unknown
prod.content-signature-chains.prod.webservices.mozgcp.net	34.160.144.191	true	false	unknown
youtube-ui.l.google.com	172.217.16.206	true	false	unknown
us-west1.prod.sumo.prod.webservices.mozgcp.net	34.149.128.2	true	false	unknown
reddit.map.fastly.net	151.101.129.140	true	false	unknown
ipv4only.arpa	192.0.0.171	true	false	unknown
prod.ads.prod.webservices.mozgcp.net	34.117.188.166	true	false	unknown
push.services.mozilla.com	34.107.243.93	true	false	unknown
normandy-cdn.services.mozilla.com	35.201.103.21	true	false	unknown
telemetry-incoming.r53-2.services.mozilla.com	34.120.208.123	true	false	unknown
www.reddit.com	unknown	unknown	false	unknown
spocs.getpocket.com	unknown	unknown	false	unknown
content-signature-2.cdn.mozilla.net	unknown	unknown	false	unknown
support.mozilla.org	unknown	unknown	false	unknown
firefox.settings.services.mozilla.com	unknown	unknown	false	unknown
www.youtube.com	unknown	unknown	false	unknown
www.facebook.com	unknown	unknown	false	unknown
detectportal.firefox.com	unknown	unknown	false	unknown
normandy.cdn.mozilla.net	unknown	unknown	false	unknown
shavar.services.mozilla.com	unknown	unknown	false	unknown
www.wikipedia.org	unknown	unknown	false	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-	firefox.exe, 0000000F.00000002.3062887550.000002054CD90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3061031077.00000225F3790000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3061263220.000001D27E920000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	firefox.exe, 00000013.00000002.3062621728.000001D27ECC4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://detectportal.firefox.com/	firefox.exe, 0000000D.00000003.2045646749.00000149DA9C8000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	firefox.exe, 0000000F.00000002.3062887550.000002054CD90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3061031077.00000225F3790000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3061263220.000001D27E920000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.mozilla.com0	gmpopenh264.dll.tmp.13.dr	false	URL Reputation: safe	unknown
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	firefox.exe, 0000000F.00000002.3063481613.000002054CFCB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3061930155.00000225F39E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.3067631731.000001D27EE04000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false	URL Reputation: safe	unknown
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	firefox.exe, 0000000D.00000003.1995837187.00000149E14A8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1970025564.00000149E14A8000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://merino.services.mozilla.com/api/v1/suggest	firefox.exe, 00000010.00000002.3061930155.00000225F3986000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.3062621728.000001D27EC8F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	firefox.exe, 0000000F.00000002.3062887550.000002054CD90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3061031077.00000225F3790000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3061263220.000001D27E920000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.leboncoin.fr/	firefox.exe, 0000000D.00000003.1906340237.00000149E3450000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2028065020.00000149E3450000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2050789757.00000149E3451000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1887333323.00000149E3450000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1897237648.00000149E3450000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2000949564.00000149E3450000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://spocs.getpocket.com/spocs	firefox.exe, 0000000D.00000003.1987855356.00000149E28AE000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://completion.amazon.com/search/complete?q=	firefox.exe, 0000000D.00000003.1845897985.00000149D8A00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1846052663.00000149D8C1F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1846406906.00000149D8C5A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1846215662.00000149D8C3C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1846631729.00000149D8C77000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	firefox.exe, 0000000F.00000002.3062887550.000002054CD90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3061031077.00000225F3790000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3061263220.000001D27E920000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ads.stickyadstv.com/firefox-etp	firefox.exe, 0000000D.00000003.1998396556.00000149E67EA000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://identity.mozilla.com/ids/ecosystem_telemetryU	firefox.exe, 0000000D.00000003.2002254022.00000149E26F4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	firefox.exe, 0000000F.00000002.3062887550.000002054CD90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3061031077.00000225F3790000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3061263220.000001D27E920000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/breach-details/	firefox.exe, 0000000F.00000002.3062887550.000002054CD90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3061031077.00000225F3790000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3061263220.000001D27E920000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	firefox.exe, 0000000F.00000002.3062887550.000002054CD90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3061031077.00000225F3790000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3061263220.000001D27E920000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/exec/obidos/external-search/	firefox.exe, 0000000D.00000003.2044513877.00000149DAB7C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1845897985.00000149D8A00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1846052663.00000149D8C1F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1846406906.00000149D8C5A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1914258993.00000149E249F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1975981177.00000149E249F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1846215662.00000149D8C3C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1967761856.00000149E249F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1846631729.00000149D8C77000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.msn.com	firefox.exe, 0000000D.00000003.2036171006.00000149DC378000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1988441132.00000149DC378000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://github.com/mozilla-services/screenshots	firefox.exe, 0000000D.00000003.1845897985.00000149D8A00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1846052663.00000149D8C1F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1846406906.00000149D8C5A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1846215662.00000149D8C3C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1846631729.00000149D8C77000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://services.addons.mozilla.org/api/v4/addons/addon/	firefox.exe, 0000000F.00000002.3062887550.000002054CD90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3061031077.00000225F3790000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3061263220.000001D27E920000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://tracking-protection-issues.herokuapp.com/new	firefox.exe, 0000000F.00000002.3062887550.000002054CD90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3061031077.00000225F3790000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3061263220.000001D27E920000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	firefox.exe, 0000000F.00000002.3062887550.000002054CD90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3061031077.00000225F3790000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3061263220.000001D27E920000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://youtube.com/	firefox.exe, 0000000D.00000003.2049445835.00000149E5948000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94	firefox.exe, 0000000F.00000002.3063481613.000002054CFCB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3061930155.00000225F39E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.3067631731.000001D27EE04000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false		unknown
https://www.instagram.com/	firefox.exe, 0000000D.00000003.1954632531.00000149E25EB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1913612475.00000149E25FB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1949721318.00000149E25FA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1915243048.00000149E25FB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1915752192.00000149E25F4000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	firefox.exe, 0000000F.00000002.3062887550.000002054CD90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3061031077.00000225F3790000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3061263220.000001D27E920000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.accounts.firefox.com/v1	firefox.exe, 0000000F.00000002.3062887550.000002054CD90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3061031077.00000225F3790000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3061263220.000001D27E920000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/	firefox.exe, 0000000D.00000003.1987855356.00000149E28AE000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/	firefox.exe, 0000000F.00000002.3062887550.000002054CD90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3061031077.00000225F3790000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3061263220.000001D27E920000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	firefox.exe, 0000000F.00000002.3062887550.000002054CD90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3061031077.00000225F3790000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3061263220.000001D27E920000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta	firefox.exe, 0000000F.00000002.3063481613.000002054CFCB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3061930155.00000225F39E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.3067631731.000001D27EE04000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false		unknown
https://www.youtube.com/	firefox.exe, 00000013.00000002.3062621728.000001D27EC0C000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	firefox.exe, 0000000D.00000003.1954725508.00000149D986C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1954578432.00000149D985A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	firefox.exe, 0000000F.00000002.3062887550.000002054CD90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3061031077.00000225F3790000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3061263220.000001D27E920000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://MD8.mozilla.org/1/m	firefox.exe, 0000000D.00000003.2028065020.00000149E34EB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.bbc.co.uk/	firefox.exe, 0000000D.00000003.1906340237.00000149E3450000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2028065020.00000149E3450000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2050789757.00000149E3451000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1887333323.00000149E3450000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1897237648.00000149E3450000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2000949564.00000149E3450000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	firefox.exe, 00000013.00000002.3062621728.000001D27ECC4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://127.0.0.1:	firefox.exe, 0000000D.00000003.1908639863.00000149E288B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1907865347.00000149E288B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1988326025.00000149DCD8B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2036050784.00000149DCD8B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000002.3062887550.000002054CD90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3061031077.00000225F3790000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3061263220.000001D27E920000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	firefox.exe, 0000000D.00000003.1954578432.00000149D985A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	firefox.exe, 0000000D.00000003.2025709033.00000149DAD1A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1983888702.00000149DAD0E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mitmdetection.services.mozilla.com/	firefox.exe, 0000000F.00000002.3062887550.000002054CD90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3061031077.00000225F3790000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3061263220.000001D27E920000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://static.adsafeprotected.com/firefox-etp-js	firefox.exe, 0000000D.00000003.1998396556.00000149E67EA000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://youtube.com/account?=	recovery.jsonlz4.tmp.13.dr	false		unknown
https://spocs.getpocket.com/	firefox.exe, 0000000D.00000003.2045225209.00000149DAA6B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2029353541.00000149E2FDA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1987597171.00000149E2FBD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3061930155.00000225F3912000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.3062621728.000001D27EC13000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	firefox.exe, 0000000F.00000002.3062887550.000002054CD90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3061031077.00000225F3790000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3061263220.000001D27E920000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	firefox.exe, 0000000F.00000002.3062887550.000002054CD90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3061031077.00000225F3790000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3061263220.000001D27E920000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	firefox.exe, 0000000F.00000002.3062887550.000002054CD90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3061031077.00000225F3790000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3061263220.000001D27E920000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.iqiyi.com/	firefox.exe, 0000000D.00000003.1906340237.00000149E3450000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2028065020.00000149E3450000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2050789757.00000149E3451000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1887333323.00000149E3450000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1897237648.00000149E3450000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2000949564.00000149E3450000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r	firefox.exe, 0000000F.00000002.3062887550.000002054CD90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3061031077.00000225F3790000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3061263220.000001D27E920000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://monitor.firefox.com/user/breach-stats?includeResolved=true	firefox.exe, 0000000F.00000002.3062887550.000002054CD90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3061031077.00000225F3790000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3061263220.000001D27E920000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	firefox.exe, 0000000F.00000002.3062887550.000002054CD90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3061031077.00000225F3790000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3061263220.000001D27E920000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://addons.mozilla.org/	firefox.exe, 0000000D.00000003.2004423543.00000149DAFEF000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://merino.services.mozilla.com/api/v1/suggestabout	firefox.exe, 0000000F.00000002.3063481613.000002054CF72000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	firefox.exe, 0000000F.00000002.3062887550.000002054CD90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3061031077.00000225F3790000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3061263220.000001D27E920000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/user/dashboard	firefox.exe, 0000000F.00000002.3062887550.000002054CD90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3061031077.00000225F3790000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3061263220.000001D27E920000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	firefox.exe, 0000000F.00000002.3062887550.000002054CD90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3061031077.00000225F3790000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3061263220.000001D27E920000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/about	firefox.exe, 0000000F.00000002.3062887550.000002054CD90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3061031077.00000225F3790000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3061263220.000001D27E920000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://mozilla.org/MPL/2.0/.	firefox.exe, 0000000D.00000003.2021997681.00000149DADBB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2016764819.00000149D8C04000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2038854447.00000149DB85E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1984701560.00000149E6A88000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1988210630.00000149DCDB8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1995837187.00000149E14F6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1983458383.00000149DAD61000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1952622501.00000149E6A5F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1980294640.00000149E6A79000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2003204269.00000149E1583000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1957875802.00000149D91B8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1954632531.00000149E25DD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2025709033.00000149DAD1A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1984299799.00000149DACB2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2016764819.00000149D8C3B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2034361850.00000149E5997000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2016764819.00000149D8C07000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1916156303.00000149E6A83000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1983774092.00000149DAD23000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2025415125.00000149D9192000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1953829799.00000149E6A88000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://account.bellmedia.c	firefox.exe, 0000000D.00000003.2036171006.00000149DC378000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1988441132.00000149DC378000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://login.microsoftonline.com	firefox.exe, 0000000D.00000003.2031254917.00000149DB8BE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2037558215.00000149DB8BE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2036171006.00000149DC378000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1988441132.00000149DC378000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1990172160.00000149DB8BE000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://coverage.mozilla.org	firefox.exe, 0000000F.00000002.3062887550.000002054CD90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3061031077.00000225F3790000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3061263220.000001D27E920000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0	gmpopenh264.dll.tmp.13.dr	false	URL Reputation: safe	unknown
http://x1.c.lencr.org/0	firefox.exe, 0000000D.00000003.2001890378.00000149E28C9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1887738504.00000149E28E1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1908639863.00000149E2893000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1907865347.00000149E28BA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1987855356.00000149E28AE000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.i.lencr.org/0	firefox.exe, 0000000D.00000003.2001890378.00000149E28C9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1887738504.00000149E28E1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1908639863.00000149E2893000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1907865347.00000149E28BA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1987855356.00000149E28AE000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://infra.spec.whatwg.org/#ascii-whitespace	firefox.exe, 0000000D.00000003.1995837187.00000149E14A8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1970025564.00000149E14A8000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://blocked.cdn.mozilla.net/	firefox.exe, 0000000F.00000002.3062887550.000002054CD90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3061031077.00000225F3790000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3061263220.000001D27E920000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://json-schema.org/draft/2019-09/schema	firefox.exe, 0000000D.00000003.1907865347.00000149E2893000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2029886482.00000149E2897000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1908639863.00000149E2893000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/?t=ffab&q=	firefox.exe, 0000000D.00000003.1897237648.00000149E3459000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://profiler.firefox.com	firefox.exe, 0000000F.00000002.3062887550.000002054CD90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3061031077.00000225F3790000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3061263220.000001D27E920000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://outlook.live.com/default.aspx?rru=compose&to=%s	firefox.exe, 0000000D.00000003.1960010960.00000149D722F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2018256632.00000149D7212000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1848780121.00000149D7233000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2019808094.00000149D7234000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1848662666.00000149D721F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1848247577.00000149D7233000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://identity.mozilla.com/apps/relay	firefox.exe, 0000000D.00000003.1995559282.00000149DAED1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mozilla.cloudflare-dns.com/dns-query	firefox.exe, 0000000F.00000002.3062887550.000002054CD90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3061031077.00000225F3790000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3061263220.000001D27E920000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	firefox.exe, 0000000D.00000003.2053154777.00000149DC38C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2036171006.00000149DC37E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1988441132.00000149DC37E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	firefox.exe, 0000000D.00000003.1952622501.00000149E6A5F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1954725508.00000149D986C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1954578432.00000149D985A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mail.yahoo.co.jp/compose/?To=%s	firefox.exe, 0000000D.00000003.1960010960.00000149D722F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2018256632.00000149D7212000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1848780121.00000149D7233000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2019808094.00000149D7234000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1848662666.00000149D721F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1848247577.00000149D7233000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg	firefox.exe, 0000000F.00000002.3063481613.000002054CFCB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3061930155.00000225F39E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.3067631731.000001D27EE04000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false	URL Reputation: safe	unknown
https://contile.services.mozilla.com/v1/tiles	firefox.exe, 0000000D.00000003.2030200658.00000149E1522000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000002.3062887550.000002054CD90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3061031077.00000225F3790000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3061263220.000001D27E920000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.co.uk/	firefox.exe, 0000000D.00000003.1906340237.00000149E3450000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2028065020.00000149E3450000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2050789757.00000149E3451000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1887333323.00000149E3450000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1897237648.00000149E3450000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2000949564.00000149E3450000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/	firefox.exe, 0000000D.00000003.2033987824.00000149E6850000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/user/preferences	firefox.exe, 0000000F.00000002.3062887550.000002054CD90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3061031077.00000225F3790000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3061263220.000001D27E920000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://screenshots.firefox.com/	firefox.exe, 0000000D.00000003.1846631729.00000149D8C77000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://truecolors.firefox.com/	firefox.exe, 0000000D.00000003.2004423543.00000149DAFEF000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/search	firefox.exe, 0000000D.00000003.1987855356.00000149E28AE000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://relay.firefox.com/api/v1/	firefox.exe, 0000000F.00000002.3062887550.000002054CD90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3061031077.00000225F3790000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3061263220.000001D27E920000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/tracking-content-report	firefox.exe, 0000000F.00000002.3062887550.000002054CD90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3061031077.00000225F3790000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3061263220.000001D27E920000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://topsites.services.mozilla.com/cid/	firefox.exe, 0000000F.00000002.3062887550.000002054CD90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3061031077.00000225F3790000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3061263220.000001D27E920000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://www.wykop.pl/	firefox.exe, 0000000D.00000003.2050948209.00000149E3443000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1897237648.00000149E3443000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2028065020.00000149E3443000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2000949564.00000149E3443000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1887333323.00000149E3443000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1906340237.00000149E3443000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://twitter.com/	firefox.exe, 0000000D.00000003.1987855356.00000149E28AE000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.olx.pl/	firefox.exe, 0000000D.00000003.2050948209.00000149E3443000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1897237648.00000149E3443000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2028065020.00000149E3443000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2000949564.00000149E3443000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1887333323.00000149E3443000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1906340237.00000149E3443000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1193802	firefox.exe, 0000000D.00000003.1954725508.00000149D986C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1954578432.00000149D985A000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://support.mozilla.org/	firefox.exe, 0000000D.00000003.2004423543.00000149DAFE4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://poczta.interia.pl/mh/?mailto=%s	firefox.exe, 0000000D.00000003.1960010960.00000149D722F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2018256632.00000149D7212000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1848780121.00000149D7233000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2019808094.00000149D7234000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1848662666.00000149D721F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1848247577.00000149D7233000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/complete/search	firefox.exe, 0000000D.00000003.2000949564.00000149E3435000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://watch.sling.com/	firefox.exe, 0000000D.00000003.2054375409.00000149DAAA2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2044998719.00000149DAAA2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://getpocket.com/firefox/new_tab_learn_more/	firefox.exe, 0000000D.00000003.2002351158.00000149E1677000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2051896025.00000149E168D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg	firefox.exe, 0000000F.00000002.3063481613.000002054CFCB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3061930155.00000225F39E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.3067631731.000001D27EE04000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false	URL Reputation: safe	unknown
https://github.com/google/closure-compiler/issues/3177	firefox.exe, 0000000D.00000003.1995837187.00000149E14A8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1970025564.00000149E14A8000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.google.com/complete/	firefox.exe, 0000000D.00000003.2030200658.00000149E1516000.00000004.00000800.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
172.217.18.14	youtube.com	United States	15169	GOOGLEUS	false
151.101.1.91	services.addons.mozilla.org	United States	54113	FASTLYUS	false
34.149.100.209	prod.remote-settings.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.107.243.93	push.services.mozilla.com	United States	15169	GOOGLEUS	false
34.107.221.82	prod.detectportal.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
35.244.181.201	prod.balrog.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
34.117.188.166	contile.services.mozilla.com	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
35.201.103.21	normandy-cdn.services.mozilla.com	United States	15169	GOOGLEUS	false
35.190.72.216	prod.classify-client.prod.webservices.mozgcp.net	United States	15169	GOOGLEUS	false
34.160.144.191	prod.content-signature-chains.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.120.208.123	telemetry-incoming.r53-2.services.mozilla.com	United States	15169	GOOGLEUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1542003
Start date and time:	2024-10-25 12:32:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 23s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal72.troj.evad.winEXE@34/38@67/12
EGA Information:	Successful, ratio: 40%
HCA Information:	Successful, ratio: 94% Number of executed functions: 40 Number of non-executed functions: 315
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 44.231.229.39, 52.13.186.250, 34.208.54.237, 2.22.61.56, 2.22.61.59, 216.58.206.46, 142.250.185.206, 142.250.74.202, 142.250.185.138
Excluded domains from analysis (whitelisted): fs.microsoft.com, shavar.prod.mozaws.net, ciscobinary.openh264.org, slscr.update.microsoft.com, otelrules.azureedge.net, incoming.telemetry.mozilla.org, ctldl.windowsupdate.com, a17.rackcdn.com.mdc.edgesuite.net, detectportal.prod.mozaws.net, aus5.mozilla.org, fe3cr.delivery.mp.microsoft.com, a19.dscg10.akamai.net, ocsp.digicert.com, redirector.gvt1.com, safebrowsing.googleapis.com, location.services.mozilla.com
Execution Graph export aborted for target firefox.exe, PID 7888 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
06:33:27	API Interceptor	1x Sleep call for process: firefox.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
34.117.188.166	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
151.101.1.91	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.149.100.209	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.160.144.191	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
example.org	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
services.addons.mozilla.org	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
star-mini.c10r.facebook.com	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.252.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.201.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.253.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.252.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35
twitter.com	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
FASTLYUS	https://ljptn9jl729v.jp.larksuite.com/share/base/form/shrjpAd28kd9HXI7TjO1wFqS7Pf	Get hash	malicious	Unknown	Browse	151.101.65.195
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	ES Ny kontraktsrunda.msg	Get hash	malicious	Unknown	Browse	151.101.194.137
	https://klickskydd.skolverket.org/?url=https%3A%2F%2Fonedrive.live.com%2Fredir%3Fresid%3DA2C259BD24DEB977%25211517%26authkey%3D%2521AMV6sdjMIZf95vs%26page%3DView%26wd%3Dtarget%2528Quick%2520Notes.one%257C8266a05f-045a-4cc0-bddc-4debc90069bb%252FNotera%2520H6TYD9J4rDFDFECZC-HUYW%257Ca949d04d-b4e2-4509-b99f-d04546199b7b%252F%2529%26wdorigin%3DNavigationUrl&id=71de&rcpt=johan.brandt@skolverket.se&tss=1729830791&msgid=2d0ccdeb-928a-11ef-8a2e-0050569b0508&html=1&h=008c08c0	Get hash	malicious	Unknown	Browse	151.101.130.137
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	https://temp.farenheit.net/XL1VkZE1FVGZjL0VwUUt5cWc4dkk1SWpqVFFTMUtQZ0krRFhobktOS05RSWpVMTZIYzk3b3hOUTBoZ2VYdnAzM21wZnYwMVBmdGN0MW12M09qVmMzbnNVeVpkeXBxeHVGd2V4eDRvVlZ5dERsakpjbGV3ZVZxRVhlZ0F6Q3hwQlptYUUyRFhHRzY3YkRXQ3hjWmhBZDBpMkNpakJDSnhzUG9xa2k2ZkdacVpDZVhFVFppeUJLcHJIaC0teVVJeERBTFd0K3k3b01rYS0tRk9zSWNIVEd0blVHZVlhTlFnVUxldz09?cid=2242420613	Get hash	malicious	Unknown	Browse	199.232.196.193
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
ATGS-MMD-ASUS	la.bot.sh4.elf	Get hash	malicious	Unknown	Browse	152.159.125.152
	la.bot.arm.elf	Get hash	malicious	Unknown	Browse	192.56.124.49
	la.bot.sparc.elf	Get hash	malicious	Unknown	Browse	33.98.58.36
	la.bot.mips.elf	Get hash	malicious	Unknown	Browse	32.33.89.27
	la.bot.mips.elf	Get hash	malicious	Unknown	Browse	57.210.224.248
	la.bot.arm.elf	Get hash	malicious	Unknown	Browse	57.44.188.63
	la.bot.powerpc.elf	Get hash	malicious	Unknown	Browse	57.35.137.60
	la.bot.sh4.elf	Get hash	malicious	Unknown	Browse	51.102.114.56
	https://ljptn9jl729v.jp.larksuite.com/share/base/form/shrjpAd28kd9HXI7TjO1wFqS7Pf	Get hash	malicious	Unknown	Browse	34.160.69.120
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
ATGS-MMD-ASUS	la.bot.sh4.elf	Get hash	malicious	Unknown	Browse	152.159.125.152
	la.bot.arm.elf	Get hash	malicious	Unknown	Browse	192.56.124.49
	la.bot.sparc.elf	Get hash	malicious	Unknown	Browse	33.98.58.36
	la.bot.mips.elf	Get hash	malicious	Unknown	Browse	32.33.89.27
	la.bot.mips.elf	Get hash	malicious	Unknown	Browse	57.210.224.248
	la.bot.arm.elf	Get hash	malicious	Unknown	Browse	57.44.188.63
	la.bot.powerpc.elf	Get hash	malicious	Unknown	Browse	57.35.137.60
	la.bot.sh4.elf	Get hash	malicious	Unknown	Browse	51.102.114.56
	https://ljptn9jl729v.jp.larksuite.com/share/base/form/shrjpAd28kd9HXI7TjO1wFqS7Pf	Get hash	malicious	Unknown	Browse	34.160.69.120
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fb0aa01abe9d8e4037eb3473ca6e2dca	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_d2095acc-b576-490f-be2a-e88ee9820c13.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.178172129468123
Encrypted:	false
SSDEEP:	192:jjMX2n2T2kcbhbVbTbfbRbObtbyEl7nYrpJA6WnSrDtTUd/SkDrR:jYFcNhnzFSJ4rEBnSrDhUd/z
MD5:	B12B48EE1F908299345451347706DF8F
SHA1:	8A344DA2F1592D51F6D86C25E9E5890304F9A4E1
SHA-256:	72B6A52D40572D29FDB47217CED16BB84E6CE12660DC5309BB8345368DF0BA31
SHA-512:	0826D7E1FA166D67AAE3727C10D0A8FB71F0A45BE49C72E4D5631094AC4E0A39D5D04C7235F33BF12F3D06118D969068C8BCAA614800819805B9318226C59D46
Malicious:	false
Preview:	{"type":"uninstall","id":"d2095acc-b576-490f-be2a-e88ee9820c13","creationDate":"2024-10-25T12:29:07.471Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"65e71c9e-6ac3-4903-9066-b134350de32c","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_d2095acc-b576-490f-be2a-e88ee9820c13.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.178172129468123
Encrypted:	false
SSDEEP:	192:jjMX2n2T2kcbhbVbTbfbRbObtbyEl7nYrpJA6WnSrDtTUd/SkDrR:jYFcNhnzFSJ4rEBnSrDhUd/z
MD5:	B12B48EE1F908299345451347706DF8F
SHA1:	8A344DA2F1592D51F6D86C25E9E5890304F9A4E1
SHA-256:	72B6A52D40572D29FDB47217CED16BB84E6CE12660DC5309BB8345368DF0BA31
SHA-512:	0826D7E1FA166D67AAE3727C10D0A8FB71F0A45BE49C72E4D5631094AC4E0A39D5D04C7235F33BF12F3D06118D969068C8BCAA614800819805B9318226C59D46
Malicious:	false
Preview:	{"type":"uninstall","id":"d2095acc-b576-490f-be2a-e88ee9820c13","creationDate":"2024-10-25T12:29:07.471Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"65e71c9e-6ac3-4903-9066-b134350de32c","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ISO Media, MP4 Base Media v1 [ISO 14496-12:2003]
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.4593089050301797
Encrypted:	false
SSDEEP:	48:9SP0nUgwyZXYI65yFRX2D3GNTTfyn0Mk1iA:9SDKaIjo3UzyE1L
MD5:	D910AD167F0217587501FDCDB33CC544
SHA1:	2F57441CEFDC781011B53C1C5D29AC54835AFC1D
SHA-256:	E3699D9404A3FFC1AFF0CA8A3972DC0EF38BDAB927741E9F627C7C55CEA42E81
SHA-512:	F1871BF28FF25EE52BDB99C7A80AB715C7CAC164DCD2FD87E681168EE927FD2C5E80E03C91BB638D955A4627213BF575FF4D9EECAEDA7718C128CF2CE8F7CB3D
Malicious:	false
Preview:	... ftypisom....isomiso2avc1mp41....free....mdat..........E...H..,. .#..x264 - core 152 r2851 ba24899 - H.264/MPEG-4 AVC codec - Copyleft 2003-2017 - http://www.videolan.org/x264.html - options: cabac=1 ref=3 deblock=1:0:0 analyse=0x3:0x113 me=hex subme=7 psy=1 psy_rd=1.00:0.00 mixed_ref=1 me_range=16 chroma_me=1 trellis=1 8x8dct=1 cqm=0 deadzone=21,11 fast_pskip=1 chroma_qp_offset=-2 threads=4 lookahead_threads=1 sliced_threads=0 nr=0 decimate=1 interlaced=0 bluray_compat=0 constrained_intra=0 bframes=3 b_pyramid=2 b_adapt=1 b_bias=0 direct=1 weightb=1 open_gop=0 weightp=2 keyint=250 keyint_min=25 scenecut=40 intra_refresh=0 rc_lookahead=40 rc=crf mbtree=1 crf=23.0 qcomp=0.60 qpmin=0 qpmax=69 qpstep=4 ip_ratio=1.40 aq=1:1.00......e...+...s\|.kG3...'.u.."...,J.w.~.d\..(K....!.+..;....h....(.T.*...M......0..~L..8..B..A.y..R..,.zBP.';j.@.].w..........c......C=.'f....gI.$^.......m5V.L...{U..%V[....8......B..i..^,....:...,..5.m.%dA....moov...lmvhd...................(...........

C:\Users\user\AppData\Local\Temp\tmpaddon

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	453023
Entropy (8bit):	7.997718157581587
Encrypted:	true
SSDEEP:	12288:tESTeqTI2r4ZbCgUKWKNeRcPMb6qlV7hVZe3:tEsed2Xh9/bdzZe3
MD5:	85430BAED3398695717B0263807CF97C
SHA1:	FFFBEE923CEA216F50FCE5D54219A188A5100F41
SHA-256:	A9F4281F82B3579581C389E8583DC9F477C7FD0E20C9DFC91A2E611E21E3407E
SHA-512:	06511F1F6C6D44D076B3C593528C26A602348D9C41689DBF5FF716B671C3CA5756B12CB2E5869F836DEDCE27B1A5CFE79B93C707FD01F8E84B620923BB61B5F1
Malicious:	false
Preview:	PK.........bN...R..........gmpopenh264.dll..\|.E.0.=..I.....1....4f1q.`.........q.....'+....hm{.z..o_.{w........$..($A!...\|L...B&A2.s.{..Dd......c.U.U..9u.S...K.l`...../.d.-....\|.....&....9......wn..x......i.#O.+.Y.l......+....,3.3f..\..c.SSS,............N...GG...F.'.&.:'.K.Z&.>.@.g..M...M.`............ZR....^jg.G.Kb.o~va.....<Z..1.#.O.e.....D..X..i..$imBW..Q&.......P.....,M.,..:.c...-...\...........-i.K.I..4.a..6.....Ov=...W..F.CH.>...a.'.x...#@f...d..u.1....OV.1o}....g.5.._.3.J.Hi.Z.ipM....b.Z....%.G..F................/..3.q..J.....o...%.g.N..}..).3.N%.!..q........^I.m..~...6.#.~+.....A...I]r...x...<IYj....p0..`S.M@.E..f.=.;!.@.....E..E....... .0.n....Jd..d......uM.-.qI.lR..z..=}..r.D.XLZ....x.$..\|c.1.cUkM.&.Qn]..a]t.h...!.6 7..Jd.DvKJ"Wgd*%n...w...Jni.inmr.@M.$'Z.s....#)%..Rs..:.h....R....\..t.6..'.g.........Uj+F.cr:\|..!..K.W.Y...17......,....r.....>.N..3.R.Y.._\...Ir.DNJdM... .k...&V-....z.%...-...D..i..&...6....7.2T).>..0..%.&.

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.927858619556599
Encrypted:	false
SSDEEP:	96:8S+OfJQPUFpOdwNIOdYVjvYcXaNL6Ng8P:8S+OBIUjOdwiOdYVjjwLYg8P
MD5:	82CC899C22DD114054D241971C6C15E8
SHA1:	50AF5ABFF4E3826FA25BBF96259725DD869A66A2
SHA-256:	899E7E6EA50A080ED50A8E7DCFB0010EF1BD091456021041815BCFD062009B78
SHA-512:	D4A96B6E01D9CE769CA62033C9D6045B5B90A405E82DCB13A6009BB8C810351EEE056D6B1E1E497EB2EAA6458215E0FC6B64565E771B99990DD90E5CE9AD9153
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"c5d95379-f4ee-4629-a507-6f15a0e93cd4","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-03T11:50:29.548Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.927858619556599
Encrypted:	false
SSDEEP:	96:8S+OfJQPUFpOdwNIOdYVjvYcXaNL6Ng8P:8S+OBIUjOdwiOdYVjjwLYg8P
MD5:	82CC899C22DD114054D241971C6C15E8
SHA1:	50AF5ABFF4E3826FA25BBF96259725DD869A66A2
SHA-256:	899E7E6EA50A080ED50A8E7DCFB0010EF1BD091456021041815BCFD062009B78
SHA-512:	D4A96B6E01D9CE769CA62033C9D6045B5B90A405E82DCB13A6009BB8C810351EEE056D6B1E1E497EB2EAA6458215E0FC6B64565E771B99990DD90E5CE9AD9153
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"c5d95379-f4ee-4629-a507-6f15a0e93cd4","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-03T11:50:29.548Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 23432 bytes
Category:	dropped
Size (bytes):	5312
Entropy (8bit):	6.615424734763731
Encrypted:	false
SSDEEP:	96:V2YbKsKNU2xWrp327tGmD4wBON6h6cHaJVJuZMd0JGkkrw2D:VTx2x2t0FDJ4NpwZMd0EJws
MD5:	1B9C8056D3619CE5A8C59B0C09873F17
SHA1:	1015C630E1937AA63F6AB31743782ECB5D78CCD8
SHA-256:	A6AE5DE0733FED050AB570AD9374FF4593D554F695B5AE4E2495871D171D34A3
SHA-512:	B1DC9CC675D5476C270A2D5B214D3DF2B3856576ED7EFE92D9A606C2D9D34E781018902AE75CE9C1E25007BB7F8D8F7B52997E6F05B845EF44BAF22F614FE899
Malicious:	false
Preview:	mozLz40..[....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 23432 bytes
Category:	dropped
Size (bytes):	5312
Entropy (8bit):	6.615424734763731
Encrypted:	false
SSDEEP:	96:V2YbKsKNU2xWrp327tGmD4wBON6h6cHaJVJuZMd0JGkkrw2D:VTx2x2t0FDJ4NpwZMd0EJws
MD5:	1B9C8056D3619CE5A8C59B0C09873F17
SHA1:	1015C630E1937AA63F6AB31743782ECB5D78CCD8
SHA-256:	A6AE5DE0733FED050AB570AD9374FF4593D554F695B5AE4E2495871D171D34A3
SHA-512:	B1DC9CC675D5476C270A2D5B214D3DF2B3856576ED7EFE92D9A606C2D9D34E781018902AE75CE9C1E25007BB7F8D8F7B52997E6F05B845EF44BAF22F614FE899
Malicious:	false
Preview:	mozLz40..[....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 5, last written using SQLite version 3042000, page size 32768, file counter 5, database pages 8, cookie 0x6, schema 4, largest root page 8, UTF-8, vacuum mode 1, version-valid-for 5
Category:	dropped
Size (bytes):	262144
Entropy (8bit):	0.04905391753567332
Encrypted:	false
SSDEEP:	24:DLivwae+Q8Uu50xj0aWe9LxYkKA25Q5tvAA:D6wae+QtMImelekKDa5
MD5:	DD9D28E87ED57D16E65B14501B4E54D1
SHA1:	793839B47326441BE2D1336BA9A61C9B948C578D
SHA-256:	BB4E6C58C50BD6399ED70468C02B584595C29F010B66F864CD4D6B427FA365BC
SHA-512:	A2626F6A3CBADE62E38DA5987729D99830D0C6AA134D4A9E615026A5F18ACBB11A2C3C80917DAD76DA90ED5BAA9B0454D4A3C2DD04436735E78C974BA1D035B1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......\|....~.}.}z}-\|.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.185924656884556
Encrypted:	false
SSDEEP:	768:wI43DvfWXf4E6C4p4EC4Y4QfEWvM4B4QS4z4444XQ4U:wUfdvk
MD5:	5656BA69BD2966108A461AAE35F60226
SHA1:	9C2E5AE52D82CEA43C4A5FFF205A7700CF54D61C
SHA-256:	587596712960B26EAC18CB354CCD633FFDB218E374A9D59EFEA843914D7AB299
SHA-512:	38F715AD9156558B5D57CA2E75FB0FFE0C5C6728BD94484B8F15E090120DDD02DCE42DBC9CC7143AD6552460A5F3A40E577FAF1D76D5D40B25CDBE636F250054
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{60024e8e-cfd0-41e5-965d-7128c7dcf0e8}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.185924656884556
Encrypted:	false
SSDEEP:	768:wI43DvfWXf4E6C4p4EC4Y4QfEWvM4B4QS4z4444XQ4U:wUfdvk
MD5:	5656BA69BD2966108A461AAE35F60226
SHA1:	9C2E5AE52D82CEA43C4A5FFF205A7700CF54D61C
SHA-256:	587596712960B26EAC18CB354CCD633FFDB218E374A9D59EFEA843914D7AB299
SHA-512:	38F715AD9156558B5D57CA2E75FB0FFE0C5C6728BD94484B8F15E090120DDD02DCE42DBC9CC7143AD6552460A5F3A40E577FAF1D76D5D40B25CDBE636F250054
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{60024e8e-cfd0-41e5-965d-7128c7dcf0e8}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\permissions.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.07335892763187632
Encrypted:	false
SSDEEP:	12:DBl/A0OWla0mwPxRymgObsCVR45wcYR4fmnsCVR4zkiy0:DLhesh7Owd4+jiy0
MD5:	4B254467BE7E5F161EE1C79F240C4195
SHA1:	1B40AAF86C49C65FA3A7E4BCDC450A5E01BD24E0
SHA-256:	AD0DD273EA063B6F37B2666E274D80ED55B6297BBD569483F84D9C7C9A451141
SHA-512:	9993573A1591815CC401C36874135F5FE1065AEECEADD32C9B2F9E811F04A2D9EBC4350EC420CFC91FD11E2AC3CF7BDA1D6C6105F461DBB4B55D0FFD8B34F22D
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......~s..F~s........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.03524158659893507
Encrypted:	false
SSDEEP:	3:GtlstFe72Ui0Jol/tlstFe72Ui0R/x89//alEl:GtWtcyU9GttWtcyU9P89XuM
MD5:	04F38423C5050B994E7096EAE4FA400F
SHA1:	8CCD6CE84E0B96CB539F3986158B44382C9967A3
SHA-256:	1FF648A95C4C4C0AFD0A8251C40165D13D970E92ABFD152904860A3F83B401C6
SHA-512:	85E6FA1C64A0AE5AA0AF6ABF5B8570B61B2A2E7052A0028B1CEBF610C6DFF73CA3F4BCECFDD53D445DCD566743EB09A2505893973847725D3AE83CEB48557FA8
Malicious:	false
Preview:	..-......................b.....1.r...(..V.._.{...-......................b.....1.r...(..V.._.{.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-wal

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	dropped
Size (bytes):	32824
Entropy (8bit):	0.03962444818213953
Encrypted:	false
SSDEEP:	3:Ol15XxMaGpIMnpJM3qa7l8rEXsxdwhml8XW3R2:K/xMpbJMawl8dMhm93w
MD5:	3038CC9F600E598F6103B5325345D56B
SHA1:	A1D047EC1C0315E981F60199179091F01923F502
SHA-256:	B284835AA108FE91024BE5F3AA468568F0E1E2E29D9433A86E84AC97E403C9C0
SHA-512:	56F2C9AF5CEB8A11F538B197CCB617F29018BF078CC10F9AC45FD0A02C7DEF5299896C1D0C3D0924B4C81C31C7C3C7D6B836209FA9BD8F1174438BAE5E871BD4
Malicious:	false
Preview:	7....-...........r...(..9.....>.........r...(..b.1...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs-1.js

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1809), with CRLF line terminators
Category:	dropped
Size (bytes):	13254
Entropy (8bit):	5.495488019752135
Encrypted:	false
SSDEEP:	192:DnaRtLYbBp6Vhj4qyaaXp6K/9N4z5RfGNBw8dwSl:menqDcXicwD0
MD5:	77A6235B403605619838EE6E1142B467
SHA1:	419B38F6BA9FFFCB25C05C3F63CA9C193EABE690
SHA-256:	F5932622993CE6D7CD2EF0D76FC908A2AD79B89FF7FB334ADE06666434B744AE
SHA-512:	22C75B1FB2899C416DC473772D183B9CDA8B534F335E32B61E60F8C2851BE50BC806973C2489CEEB76FCB78102147BD405DB0420912292980E1BE8DBA8998BE8
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "57f16a19-e119-4073-bf01-28f88011f783");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1729859317);..user_pref("app.update.lastUpdateTime.background-update-timer", 1729859317);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1729859317);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 172985

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1809), with CRLF line terminators
Category:	dropped
Size (bytes):	13254
Entropy (8bit):	5.495488019752135
Encrypted:	false
SSDEEP:	192:DnaRtLYbBp6Vhj4qyaaXp6K/9N4z5RfGNBw8dwSl:menqDcXicwD0
MD5:	77A6235B403605619838EE6E1142B467
SHA1:	419B38F6BA9FFFCB25C05C3F63CA9C193EABE690
SHA-256:	F5932622993CE6D7CD2EF0D76FC908A2AD79B89FF7FB334ADE06666434B744AE
SHA-512:	22C75B1FB2899C416DC473772D183B9CDA8B534F335E32B61E60F8C2851BE50BC806973C2489CEEB76FCB78102147BD405DB0420912292980E1BE8DBA8998BE8
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "57f16a19-e119-4073-bf01-28f88011f783");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1729859317);..user_pref("app.update.lastUpdateTime.background-update-timer", 1729859317);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1729859317);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 172985

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\protections.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 1, last written using SQLite version 3042000, page size 32768, file counter 5, database pages 2, cookie 0x1, schema 4, UTF-8, version-valid-for 5
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.04062825861060003
Encrypted:	false
SSDEEP:	6:ltBl/l4/WN1h4BEJYqWvLue3FMOrMZ0l:DBl/WuntfJiFxMZO
MD5:	18F65713B07CB441E6A98655B726D098
SHA1:	2CEFA32BC26B25BE81C411B60C9925CB0F1F8F88
SHA-256:	B6C268E48546B113551A5AF9CA86BB6A462A512DE6C9289315E125CEB0FD8621
SHA-512:	A6871076C7D7ED53B630F9F144ED04303AD54A2E60B94ECA2AA96964D1AB375EEFDCA86CE0D3EB0E9DBB81470C6BD159877125A080C95EB17E54A52427F805FB
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......x..x..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\saved-telemetry-pings\e90a4853-d3f2-4de9-8f20-71f9d94802fe (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	493
Entropy (8bit):	4.95952988918183
Encrypted:	false
SSDEEP:	12:YZFgoYR86jJIVHlW8cOlZGV1AQIYzvZcyBuLZ2d:Yp+JSlCOlZGV1AQIWZcy6Z2d
MD5:	7866D04A17B571DF84634FD14001D21F
SHA1:	C69DA8156B84AFF4E5C9AD9A9478B2D12BD6412E
SHA-256:	0154CA8A7D27F7E512B924FD5D5FB8FCB2EA7F4A039202C7B8B69D7A4B685AE6
SHA-512:	323434D4D53D8F9DA1C8C151B019BEF9909D614F16AD463C04E7094EE9C87A894D6ABF7A7DDD16D52EECDC3DAC919D4A78CA7907B12D264D1DAC17E6DC4BE573
Malicious:	false
Preview:	{"type":"health","id":"e90a4853-d3f2-4de9-8f20-71f9d94802fe","creationDate":"2024-10-25T12:29:08.105Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"os":{"name":"WINNT","version":"10.0"},"reason":"immediate","sendFailure":{"eUnreachable":1}},"clientId":"65e71c9e-6ac3-4903-9066-b134350de32c"}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\saved-telemetry-pings\e90a4853-d3f2-4de9-8f20-71f9d94802fe.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	modified
Size (bytes):	493
Entropy (8bit):	4.95952988918183
Encrypted:	false
SSDEEP:	12:YZFgoYR86jJIVHlW8cOlZGV1AQIYzvZcyBuLZ2d:Yp+JSlCOlZGV1AQIWZcy6Z2d
MD5:	7866D04A17B571DF84634FD14001D21F
SHA1:	C69DA8156B84AFF4E5C9AD9A9478B2D12BD6412E
SHA-256:	0154CA8A7D27F7E512B924FD5D5FB8FCB2EA7F4A039202C7B8B69D7A4B685AE6
SHA-512:	323434D4D53D8F9DA1C8C151B019BEF9909D614F16AD463C04E7094EE9C87A894D6ABF7A7DDD16D52EECDC3DAC919D4A78CA7907B12D264D1DAC17E6DC4BE573
Malicious:	false
Preview:	{"type":"health","id":"e90a4853-d3f2-4de9-8f20-71f9d94802fe","creationDate":"2024-10-25T12:29:08.105Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"os":{"name":"WINNT","version":"10.0"},"reason":"immediate","sendFailure":{"eUnreachable":1}},"clientId":"65e71c9e-6ac3-4903-9066-b134350de32c"}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionCheckpoints.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionCheckpoints.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.baklz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5862 bytes
Category:	dropped
Size (bytes):	1597
Entropy (8bit):	6.355889717493253
Encrypted:	false
SSDEEP:	24:vkSUGlcAxSpILXnIgrk/pnxQwRls6Zsphw3rGH3j6xiM+jtdL7QH2oXpTurD/I0y:cpOxDD8nRTZYhyaGxHSDkpTgwcR4
MD5:	835EECA8FF138ED1A2BA53FDF415EBA1
SHA1:	6F613C225C3F7B9095E09BB4A92105FF1C730127
SHA-256:	5F9C1FB01BD9007C12F864DD042C76F2DBB4B1A187A183F7E7E49B3D5D65F59A
SHA-512:	305876FE4BA1DBD479AA2DA9B9C7FC178459E1B76B28629D8C3C1FCBACDAFF75B6EAC030ED979EF00E7EF4D7224F317CD9A459ACC8629385340A9577CE79CDB0
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{b54405f6-fd62-4584-a783-152c30744a13}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1729859324221,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1280,"height":1024,"screenX......Y..Aizem..."maximize......BeforeMin...&..workspace:...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zE..1...Wn..m.............1":{..mUpdate...startTim..`287414...centCrash..B0},".....Dcook.. hod..."addons.mozilla.org","valu...A8bad2467092e6ddeb0dfa9e5ea54d86d26790ca7ba2ce88d10cb4604fe726755","path":"/","na..a"taarI\|.Recure...,a.Donly..eexpiry....294434,"originA...."

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.jsonlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5862 bytes
Category:	dropped
Size (bytes):	1597
Entropy (8bit):	6.355889717493253
Encrypted:	false
SSDEEP:	24:vkSUGlcAxSpILXnIgrk/pnxQwRls6Zsphw3rGH3j6xiM+jtdL7QH2oXpTurD/I0y:cpOxDD8nRTZYhyaGxHSDkpTgwcR4
MD5:	835EECA8FF138ED1A2BA53FDF415EBA1
SHA1:	6F613C225C3F7B9095E09BB4A92105FF1C730127
SHA-256:	5F9C1FB01BD9007C12F864DD042C76F2DBB4B1A187A183F7E7E49B3D5D65F59A
SHA-512:	305876FE4BA1DBD479AA2DA9B9C7FC178459E1B76B28629D8C3C1FCBACDAFF75B6EAC030ED979EF00E7EF4D7224F317CD9A459ACC8629385340A9577CE79CDB0
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{b54405f6-fd62-4584-a783-152c30744a13}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1729859324221,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1280,"height":1024,"screenX......Y..Aizem..."maximize......BeforeMin...&..workspace:...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zE..1...Wn..m.............1":{..mUpdate...startTim..`287414...centCrash..B0},".....Dcook.. hod..."addons.mozilla.org","valu...A8bad2467092e6ddeb0dfa9e5ea54d86d26790ca7ba2ce88d10cb4604fe726755","path":"/","na..a"taarI\|.Recure...,a.Donly..eexpiry....294434,"originA...."

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.jsonlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5862 bytes
Category:	dropped
Size (bytes):	1597
Entropy (8bit):	6.355889717493253
Encrypted:	false
SSDEEP:	24:vkSUGlcAxSpILXnIgrk/pnxQwRls6Zsphw3rGH3j6xiM+jtdL7QH2oXpTurD/I0y:cpOxDD8nRTZYhyaGxHSDkpTgwcR4
MD5:	835EECA8FF138ED1A2BA53FDF415EBA1
SHA1:	6F613C225C3F7B9095E09BB4A92105FF1C730127
SHA-256:	5F9C1FB01BD9007C12F864DD042C76F2DBB4B1A187A183F7E7E49B3D5D65F59A
SHA-512:	305876FE4BA1DBD479AA2DA9B9C7FC178459E1B76B28629D8C3C1FCBACDAFF75B6EAC030ED979EF00E7EF4D7224F317CD9A459ACC8629385340A9577CE79CDB0
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{b54405f6-fd62-4584-a783-152c30744a13}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1729859324221,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1280,"height":1024,"screenX......Y..Aizem..."maximize......BeforeMin...&..workspace:...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zE..1...Wn..m.............1":{..mUpdate...startTim..`287414...centCrash..B0},".....Dcook.. hod..."addons.mozilla.org","valu...A8bad2467092e6ddeb0dfa9e5ea54d86d26790ca7ba2ce88d10cb4604fe726755","path":"/","na..a"taarI\|.Recure...,a.Donly..eexpiry....294434,"originA...."

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 131075, last written using SQLite version 3042000, page size 512, file counter 6, database pages 8, cookie 0x4, schema 4, UTF-8, version-valid-for 6
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	2.0836444556178684
Encrypted:	false
SSDEEP:	24:JBwdh/cEUcR9PzNFPFHx/GJRBdkOrDcRB1trwDeAq2gRMyxr3:jnEUo9LXtR+JdkOnohYsl
MD5:	8B40B1534FF0F4B533AF767EB5639A05
SHA1:	63EDB539EA39AD09D701A36B535C4C087AE08CC9
SHA-256:	AF275A19A5C2C682139266065D90C237282274D11C5619A121B7BDBDB252861B
SHA-512:	54AF707698CED33C206B1B193DA414D630901762E88E37E99885A50D4D5F8DDC28367C9B401DFE251CF0552B4FA446EE28F78A97C9096AFB0F2898BFBB673B53
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\targeting.snapshot.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.033691729692988
Encrypted:	false
SSDEEP:	48:YrSAYH6UQZpExB1+anOsW4Vh351VxWRzzc8eYMsku7f86SLAVL7if5FtsfAcbyJW:ycHyTEr5QFRzzcMvbw6KkCrrc2Rn27
MD5:	6C85F21097D403CDC7CBB292B21A9FB6
SHA1:	FB35FF0FEE66FC878470C0F0BC2DDA1DEA384B0D
SHA-256:	316A280D57362F661CD4D500345DD95B757A4CED484593ACED2604E155DB19C7
SHA-512:	60D13E841FEF9B961E8AB5A752BA79FA3DDB621CFD582F854745D3B2B3F541EBF25F32306FDA2DA749EA553CEE35458DA7866E0984778738EF427892DF438074
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-10-25T12:28:25.844Z","profileAgeCreated":1696333826043,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\targeting.snapshot.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.033691729692988
Encrypted:	false
SSDEEP:	48:YrSAYH6UQZpExB1+anOsW4Vh351VxWRzzc8eYMsku7f86SLAVL7if5FtsfAcbyJW:ycHyTEr5QFRzzcMvbw6KkCrrc2Rn27
MD5:	6C85F21097D403CDC7CBB292B21A9FB6
SHA1:	FB35FF0FEE66FC878470C0F0BC2DDA1DEA384B0D
SHA-256:	316A280D57362F661CD4D500345DD95B757A4CED484593ACED2604E155DB19C7
SHA-512:	60D13E841FEF9B961E8AB5A752BA79FA3DDB621CFD582F854745D3B2B3F541EBF25F32306FDA2DA749EA553CEE35458DA7866E0984778738EF427892DF438074
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-10-25T12:28:25.844Z","profileAgeCreated":1696333826043,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\xulstore.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	156
Entropy (8bit):	4.411137816108237
Encrypted:	false
SSDEEP:	3:YGNDhK6c2us1pNGHfYL2HEYwgL2HEmxhHtifYYMgEYyibudJ8KgfHVEW1:YGNTG/I2XV2fEzLEJ8Kgf1Ew
MD5:	AAC5F6FC2FA4A5691A244B46164834FD
SHA1:	F011E46647F4C402B798C285DE982A6BB9EC73BF
SHA-256:	BE115879DA967E2C1213870515E049801E5950D1179325B99891869A40263BB0
SHA-512:	963486CF702B7623C20123B669F538ADBC51B996E67AB52EDE4635FF05034CA28A3926A98656CB5E8E9BB2C1FBAD338744B312B4673585FD9810AA6E36D343EC
Malicious:	false
Preview:	{"chrome://browser/content/browser.xhtml":{"sidebar-box":{"sidebarcommand":"","style":""},"sidebar-title":{"value":""},"main-window":{"sizemode":"normal"}}}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\xulstore.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	156
Entropy (8bit):	4.411137816108237
Encrypted:	false
SSDEEP:	3:YGNDhK6c2us1pNGHfYL2HEYwgL2HEmxhHtifYYMgEYyibudJ8KgfHVEW1:YGNTG/I2XV2fEzLEJ8Kgf1Ew
MD5:	AAC5F6FC2FA4A5691A244B46164834FD
SHA1:	F011E46647F4C402B798C285DE982A6BB9EC73BF
SHA-256:	BE115879DA967E2C1213870515E049801E5950D1179325B99891869A40263BB0
SHA-512:	963486CF702B7623C20123B669F538ADBC51B996E67AB52EDE4635FF05034CA28A3926A98656CB5E8E9BB2C1FBAD338744B312B4673585FD9810AA6E36D343EC
Malicious:	false
Preview:	{"chrome://browser/content/browser.xhtml":{"sidebar-box":{"sidebarcommand":"","style":""},"sidebar-title":{"value":""},"main-window":{"sizemode":"normal"}}}

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.58466545709541
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	919'552 bytes
MD5:	9ce735e919479f12bad2322143e7f8fd
SHA1:	6e5ea899730617f90e6e0d74ad4b9f0605b2504a
SHA256:	8ad73c4ef11a15fcb55583e26925774e9c5d1a84b9d1a1349c27575c28cf18f6
SHA512:	fa69ee444b2476ff07b8f43a20e5766dbada3b7639ec8787b2b925efedfffc8dbf5d669ce5ce94e6dc60f901fdc08888029f580220af970d8a4d10dff21308f1
SSDEEP:	12288:rqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDga/T2:rqDEvCTbMWu7rQYlBQcBiT6rprG8ab2
TLSH:	7F159E0273D1C062FFAB92334B5AF6515BBC69260123E61F13981DB9BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x671B6FF4 [Fri Oct 25 10:16:20 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007FC85C8F01D3h
jmp 00007FC85C8EFADFh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FC85C8EFCBDh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FC85C8EFC8Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007FC85C8F287Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007FC85C8F28C8h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007FC85C8F28B1h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x9c28	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xde000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x9c28	0x9e00	b84240bef2774b10a21b74966518278b	False	0.3156398338607595	data	5.373677397668713	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xde000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0xef0	data			1.0028765690376569
RT_GROUP_ICON	0xdd6a8	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xdd720	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xdd734	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xdd748	0x14	data	English	Great Britain	1.25
RT_VERSION	0xdd75c	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xdd838	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 25, 2024 12:33:18.139385939 CEST	49736	443	192.168.2.4	35.190.72.216
Oct 25, 2024 12:33:18.139414072 CEST	443	49736	35.190.72.216	192.168.2.4
Oct 25, 2024 12:33:18.139508009 CEST	49736	443	192.168.2.4	35.190.72.216
Oct 25, 2024 12:33:18.144153118 CEST	49736	443	192.168.2.4	35.190.72.216
Oct 25, 2024 12:33:18.144169092 CEST	443	49736	35.190.72.216	192.168.2.4
Oct 25, 2024 12:33:18.770277977 CEST	443	49736	35.190.72.216	192.168.2.4
Oct 25, 2024 12:33:18.770369053 CEST	49736	443	192.168.2.4	35.190.72.216
Oct 25, 2024 12:33:18.779263020 CEST	49736	443	192.168.2.4	35.190.72.216
Oct 25, 2024 12:33:18.779280901 CEST	443	49736	35.190.72.216	192.168.2.4
Oct 25, 2024 12:33:18.779392004 CEST	49736	443	192.168.2.4	35.190.72.216
Oct 25, 2024 12:33:18.779552937 CEST	443	49736	35.190.72.216	192.168.2.4
Oct 25, 2024 12:33:18.779617071 CEST	49736	443	192.168.2.4	35.190.72.216
Oct 25, 2024 12:33:21.120223999 CEST	49738	443	192.168.2.4	172.217.18.14
Oct 25, 2024 12:33:21.120246887 CEST	443	49738	172.217.18.14	192.168.2.4
Oct 25, 2024 12:33:21.120426893 CEST	49738	443	192.168.2.4	172.217.18.14
Oct 25, 2024 12:33:21.121903896 CEST	49738	443	192.168.2.4	172.217.18.14
Oct 25, 2024 12:33:21.121917009 CEST	443	49738	172.217.18.14	192.168.2.4
Oct 25, 2024 12:33:21.128315926 CEST	49739	80	192.168.2.4	34.107.221.82
Oct 25, 2024 12:33:21.134020090 CEST	80	49739	34.107.221.82	192.168.2.4
Oct 25, 2024 12:33:21.134289026 CEST	49739	80	192.168.2.4	34.107.221.82
Oct 25, 2024 12:33:21.134475946 CEST	49739	80	192.168.2.4	34.107.221.82
Oct 25, 2024 12:33:21.135395050 CEST	49740	443	192.168.2.4	172.217.18.14
Oct 25, 2024 12:33:21.135437965 CEST	443	49740	172.217.18.14	192.168.2.4
Oct 25, 2024 12:33:21.142327070 CEST	80	49739	34.107.221.82	192.168.2.4
Oct 25, 2024 12:33:21.144248962 CEST	49740	443	192.168.2.4	172.217.18.14
Oct 25, 2024 12:33:21.147145987 CEST	49740	443	192.168.2.4	172.217.18.14
Oct 25, 2024 12:33:21.147161961 CEST	443	49740	172.217.18.14	192.168.2.4
Oct 25, 2024 12:33:21.302932978 CEST	49741	443	192.168.2.4	34.117.188.166
Oct 25, 2024 12:33:21.302963018 CEST	443	49741	34.117.188.166	192.168.2.4
Oct 25, 2024 12:33:21.303360939 CEST	49742	443	192.168.2.4	35.244.181.201
Oct 25, 2024 12:33:21.303368092 CEST	443	49742	35.244.181.201	192.168.2.4
Oct 25, 2024 12:33:21.307095051 CEST	49741	443	192.168.2.4	34.117.188.166
Oct 25, 2024 12:33:21.307187080 CEST	49742	443	192.168.2.4	35.244.181.201
Oct 25, 2024 12:33:21.308578014 CEST	49741	443	192.168.2.4	34.117.188.166
Oct 25, 2024 12:33:21.308592081 CEST	443	49741	34.117.188.166	192.168.2.4
Oct 25, 2024 12:33:21.308731079 CEST	49742	443	192.168.2.4	35.244.181.201
Oct 25, 2024 12:33:21.308742046 CEST	443	49742	35.244.181.201	192.168.2.4
Oct 25, 2024 12:33:21.378565073 CEST	49743	443	192.168.2.4	34.117.188.166
Oct 25, 2024 12:33:21.378575087 CEST	443	49743	34.117.188.166	192.168.2.4
Oct 25, 2024 12:33:21.379883051 CEST	49743	443	192.168.2.4	34.117.188.166
Oct 25, 2024 12:33:21.381325006 CEST	49743	443	192.168.2.4	34.117.188.166
Oct 25, 2024 12:33:21.381339073 CEST	443	49743	34.117.188.166	192.168.2.4
Oct 25, 2024 12:33:21.756649971 CEST	80	49739	34.107.221.82	192.168.2.4
Oct 25, 2024 12:33:21.800962925 CEST	49739	80	192.168.2.4	34.107.221.82
Oct 25, 2024 12:33:21.894870996 CEST	49744	443	192.168.2.4	34.160.144.191
Oct 25, 2024 12:33:21.894890070 CEST	443	49744	34.160.144.191	192.168.2.4
Oct 25, 2024 12:33:21.901335955 CEST	49744	443	192.168.2.4	34.160.144.191
Oct 25, 2024 12:33:21.901727915 CEST	49744	443	192.168.2.4	34.160.144.191
Oct 25, 2024 12:33:21.901741028 CEST	443	49744	34.160.144.191	192.168.2.4
Oct 25, 2024 12:33:21.927654028 CEST	443	49742	35.244.181.201	192.168.2.4
Oct 25, 2024 12:33:21.932214975 CEST	443	49741	34.117.188.166	192.168.2.4
Oct 25, 2024 12:33:21.932327032 CEST	49742	443	192.168.2.4	35.244.181.201
Oct 25, 2024 12:33:21.932506084 CEST	49741	443	192.168.2.4	34.117.188.166
Oct 25, 2024 12:33:21.935328007 CEST	49742	443	192.168.2.4	35.244.181.201
Oct 25, 2024 12:33:21.935344934 CEST	443	49742	35.244.181.201	192.168.2.4
Oct 25, 2024 12:33:21.935779095 CEST	443	49742	35.244.181.201	192.168.2.4
Oct 25, 2024 12:33:21.938847065 CEST	49742	443	192.168.2.4	35.244.181.201
Oct 25, 2024 12:33:21.938927889 CEST	49742	443	192.168.2.4	35.244.181.201
Oct 25, 2024 12:33:21.939078093 CEST	443	49742	35.244.181.201	192.168.2.4
Oct 25, 2024 12:33:21.940973997 CEST	49741	443	192.168.2.4	34.117.188.166
Oct 25, 2024 12:33:21.940988064 CEST	443	49741	34.117.188.166	192.168.2.4
Oct 25, 2024 12:33:21.941030979 CEST	49741	443	192.168.2.4	34.117.188.166
Oct 25, 2024 12:33:21.941317081 CEST	443	49741	34.117.188.166	192.168.2.4
Oct 25, 2024 12:33:21.941984892 CEST	49742	443	192.168.2.4	35.244.181.201
Oct 25, 2024 12:33:21.941984892 CEST	49742	443	192.168.2.4	35.244.181.201
Oct 25, 2024 12:33:21.942019939 CEST	49741	443	192.168.2.4	34.117.188.166
Oct 25, 2024 12:33:21.992434978 CEST	443	49738	172.217.18.14	192.168.2.4
Oct 25, 2024 12:33:21.993432045 CEST	443	49738	172.217.18.14	192.168.2.4
Oct 25, 2024 12:33:21.994127035 CEST	49738	443	192.168.2.4	172.217.18.14
Oct 25, 2024 12:33:21.994136095 CEST	443	49738	172.217.18.14	192.168.2.4
Oct 25, 2024 12:33:22.012516022 CEST	49738	443	192.168.2.4	172.217.18.14
Oct 25, 2024 12:33:22.012527943 CEST	443	49738	172.217.18.14	192.168.2.4
Oct 25, 2024 12:33:22.012609005 CEST	49738	443	192.168.2.4	172.217.18.14
Oct 25, 2024 12:33:22.013262033 CEST	443	49738	172.217.18.14	192.168.2.4
Oct 25, 2024 12:33:22.015368938 CEST	443	49740	172.217.18.14	192.168.2.4
Oct 25, 2024 12:33:22.015387058 CEST	443	49740	172.217.18.14	192.168.2.4
Oct 25, 2024 12:33:22.016081095 CEST	49738	443	192.168.2.4	172.217.18.14
Oct 25, 2024 12:33:22.016093016 CEST	49740	443	192.168.2.4	172.217.18.14
Oct 25, 2024 12:33:22.016381979 CEST	443	49740	172.217.18.14	192.168.2.4
Oct 25, 2024 12:33:22.024786949 CEST	443	49743	34.117.188.166	192.168.2.4
Oct 25, 2024 12:33:22.036458015 CEST	49740	443	192.168.2.4	172.217.18.14
Oct 25, 2024 12:33:22.036547899 CEST	49743	443	192.168.2.4	34.117.188.166
Oct 25, 2024 12:33:22.047585964 CEST	49740	443	192.168.2.4	172.217.18.14
Oct 25, 2024 12:33:22.047612906 CEST	443	49740	172.217.18.14	192.168.2.4
Oct 25, 2024 12:33:22.047677040 CEST	49740	443	192.168.2.4	172.217.18.14
Oct 25, 2024 12:33:22.048047066 CEST	49743	443	192.168.2.4	34.117.188.166
Oct 25, 2024 12:33:22.048089027 CEST	443	49743	34.117.188.166	192.168.2.4
Oct 25, 2024 12:33:22.048124075 CEST	49743	443	192.168.2.4	34.117.188.166
Oct 25, 2024 12:33:22.048204899 CEST	443	49740	172.217.18.14	192.168.2.4
Oct 25, 2024 12:33:22.048477888 CEST	49745	443	192.168.2.4	34.117.188.166
Oct 25, 2024 12:33:22.048490047 CEST	443	49745	34.117.188.166	192.168.2.4
Oct 25, 2024 12:33:22.048722029 CEST	443	49743	34.117.188.166	192.168.2.4
Oct 25, 2024 12:33:22.051861048 CEST	49740	443	192.168.2.4	172.217.18.14
Oct 25, 2024 12:33:22.051914930 CEST	49743	443	192.168.2.4	34.117.188.166
Oct 25, 2024 12:33:22.051928043 CEST	49745	443	192.168.2.4	34.117.188.166
Oct 25, 2024 12:33:22.053370953 CEST	49745	443	192.168.2.4	34.117.188.166
Oct 25, 2024 12:33:22.053383112 CEST	443	49745	34.117.188.166	192.168.2.4
Oct 25, 2024 12:33:22.395414114 CEST	49739	80	192.168.2.4	34.107.221.82
Oct 25, 2024 12:33:22.401396036 CEST	80	49739	34.107.221.82	192.168.2.4
Oct 25, 2024 12:33:22.411221027 CEST	49739	80	192.168.2.4	34.107.221.82
Oct 25, 2024 12:33:22.433583021 CEST	49747	80	192.168.2.4	34.107.221.82
Oct 25, 2024 12:33:22.433676958 CEST	49748	80	192.168.2.4	34.107.221.82
Oct 25, 2024 12:33:22.439026117 CEST	80	49747	34.107.221.82	192.168.2.4
Oct 25, 2024 12:33:22.439100981 CEST	49747	80	192.168.2.4	34.107.221.82
Oct 25, 2024 12:33:22.439109087 CEST	80	49748	34.107.221.82	192.168.2.4
Oct 25, 2024 12:33:22.439172983 CEST	49748	80	192.168.2.4	34.107.221.82
Oct 25, 2024 12:33:22.439203978 CEST	49747	80	192.168.2.4	34.107.221.82
Oct 25, 2024 12:33:22.439310074 CEST	49748	80	192.168.2.4	34.107.221.82
Oct 25, 2024 12:33:22.444605112 CEST	80	49747	34.107.221.82	192.168.2.4
Oct 25, 2024 12:33:22.444802046 CEST	80	49748	34.107.221.82	192.168.2.4
Oct 25, 2024 12:33:22.535036087 CEST	443	49744	34.160.144.191	192.168.2.4
Oct 25, 2024 12:33:22.535172939 CEST	49744	443	192.168.2.4	34.160.144.191
Oct 25, 2024 12:33:22.593283892 CEST	49744	443	192.168.2.4	34.160.144.191
Oct 25, 2024 12:33:22.670531034 CEST	443	49745	34.117.188.166	192.168.2.4
Oct 25, 2024 12:33:22.677963018 CEST	49745	443	192.168.2.4	34.117.188.166
Oct 25, 2024 12:33:22.781543016 CEST	49744	443	192.168.2.4	34.160.144.191
Oct 25, 2024 12:33:22.781554937 CEST	443	49744	34.160.144.191	192.168.2.4
Oct 25, 2024 12:33:22.781929016 CEST	443	49744	34.160.144.191	192.168.2.4
Oct 25, 2024 12:33:22.787554979 CEST	49744	443	192.168.2.4	34.160.144.191
Oct 25, 2024 12:33:22.787678003 CEST	49744	443	192.168.2.4	34.160.144.191
Oct 25, 2024 12:33:22.787789106 CEST	49745	443	192.168.2.4	34.117.188.166
Oct 25, 2024 12:33:22.787802935 CEST	443	49745	34.117.188.166	192.168.2.4
Oct 25, 2024 12:33:22.787870884 CEST	49745	443	192.168.2.4	34.117.188.166
Oct 25, 2024 12:33:22.788033962 CEST	443	49745	34.117.188.166	192.168.2.4
Oct 25, 2024 12:33:22.788067102 CEST	443	49744	34.160.144.191	192.168.2.4
Oct 25, 2024 12:33:22.788189888 CEST	49750	443	192.168.2.4	34.160.144.191
Oct 25, 2024 12:33:22.788203955 CEST	443	49750	34.160.144.191	192.168.2.4
Oct 25, 2024 12:33:22.788249969 CEST	49745	443	192.168.2.4	34.117.188.166
Oct 25, 2024 12:33:22.788264036 CEST	49744	443	192.168.2.4	34.160.144.191
Oct 25, 2024 12:33:22.788290024 CEST	49750	443	192.168.2.4	34.160.144.191
Oct 25, 2024 12:33:22.788427114 CEST	49750	443	192.168.2.4	34.160.144.191
Oct 25, 2024 12:33:22.788439989 CEST	443	49750	34.160.144.191	192.168.2.4
Oct 25, 2024 12:33:23.037328959 CEST	80	49748	34.107.221.82	192.168.2.4
Oct 25, 2024 12:33:23.039191008 CEST	80	49747	34.107.221.82	192.168.2.4
Oct 25, 2024 12:33:23.079058886 CEST	49747	80	192.168.2.4	34.107.221.82
Oct 25, 2024 12:33:23.079057932 CEST	49748	80	192.168.2.4	34.107.221.82
Oct 25, 2024 12:33:23.143974066 CEST	49751	443	192.168.2.4	34.117.188.166
Oct 25, 2024 12:33:23.144000053 CEST	443	49751	34.117.188.166	192.168.2.4
Oct 25, 2024 12:33:23.148231030 CEST	49751	443	192.168.2.4	34.117.188.166
Oct 25, 2024 12:33:23.149669886 CEST	49751	443	192.168.2.4	34.117.188.166
Oct 25, 2024 12:33:23.149679899 CEST	443	49751	34.117.188.166	192.168.2.4
Oct 25, 2024 12:33:23.153109074 CEST	49747	80	192.168.2.4	34.107.221.82
Oct 25, 2024 12:33:23.158916950 CEST	80	49747	34.107.221.82	192.168.2.4
Oct 25, 2024 12:33:23.278681040 CEST	80	49747	34.107.221.82	192.168.2.4
Oct 25, 2024 12:33:23.326488972 CEST	49747	80	192.168.2.4	34.107.221.82
Oct 25, 2024 12:33:23.428529024 CEST	443	49750	34.160.144.191	192.168.2.4
Oct 25, 2024 12:33:23.428596020 CEST	49750	443	192.168.2.4	34.160.144.191
Oct 25, 2024 12:33:23.564161062 CEST	49750	443	192.168.2.4	34.160.144.191
Oct 25, 2024 12:33:23.564192057 CEST	443	49750	34.160.144.191	192.168.2.4
Oct 25, 2024 12:33:23.564599991 CEST	443	49750	34.160.144.191	192.168.2.4
Oct 25, 2024 12:33:23.566782951 CEST	49750	443	192.168.2.4	34.160.144.191
Oct 25, 2024 12:33:23.566782951 CEST	49750	443	192.168.2.4	34.160.144.191
Oct 25, 2024 12:33:23.567018986 CEST	443	49750	34.160.144.191	192.168.2.4
Oct 25, 2024 12:33:23.567117929 CEST	49750	443	192.168.2.4	34.160.144.191
Oct 25, 2024 12:33:23.792001009 CEST	443	49751	34.117.188.166	192.168.2.4
Oct 25, 2024 12:33:23.795383930 CEST	49751	443	192.168.2.4	34.117.188.166
Oct 25, 2024 12:33:23.800232887 CEST	49751	443	192.168.2.4	34.117.188.166
Oct 25, 2024 12:33:23.800241947 CEST	443	49751	34.117.188.166	192.168.2.4
Oct 25, 2024 12:33:23.800312996 CEST	49751	443	192.168.2.4	34.117.188.166
Oct 25, 2024 12:33:23.800446987 CEST	443	49751	34.117.188.166	192.168.2.4
Oct 25, 2024 12:33:23.800498962 CEST	49751	443	192.168.2.4	34.117.188.166
Oct 25, 2024 12:33:24.000097036 CEST	49748	80	192.168.2.4	34.107.221.82
Oct 25, 2024 12:33:24.005510092 CEST	80	49748	34.107.221.82	192.168.2.4
Oct 25, 2024 12:33:24.135653019 CEST	80	49748	34.107.221.82	192.168.2.4
Oct 25, 2024 12:33:24.182205915 CEST	49748	80	192.168.2.4	34.107.221.82
Oct 25, 2024 12:33:27.876280069 CEST	49747	80	192.168.2.4	34.107.221.82
Oct 25, 2024 12:33:27.952434063 CEST	80	49747	34.107.221.82	192.168.2.4
Oct 25, 2024 12:33:28.071108103 CEST	80	49747	34.107.221.82	192.168.2.4
Oct 25, 2024 12:33:28.120654106 CEST	49747	80	192.168.2.4	34.107.221.82
Oct 25, 2024 12:33:28.248447895 CEST	49753	443	192.168.2.4	34.107.243.93
Oct 25, 2024 12:33:28.248471975 CEST	443	49753	34.107.243.93	192.168.2.4
Oct 25, 2024 12:33:28.252401114 CEST	49753	443	192.168.2.4	34.107.243.93
Oct 25, 2024 12:33:28.253977060 CEST	49753	443	192.168.2.4	34.107.243.93
Oct 25, 2024 12:33:28.253988981 CEST	443	49753	34.107.243.93	192.168.2.4
Oct 25, 2024 12:33:28.260941982 CEST	49754	443	192.168.2.4	34.120.208.123
Oct 25, 2024 12:33:28.260965109 CEST	443	49754	34.120.208.123	192.168.2.4
Oct 25, 2024 12:33:28.262103081 CEST	49755	443	192.168.2.4	35.244.181.201
Oct 25, 2024 12:33:28.262116909 CEST	443	49755	35.244.181.201	192.168.2.4
Oct 25, 2024 12:33:28.262439013 CEST	49754	443	192.168.2.4	34.120.208.123
Oct 25, 2024 12:33:28.263602018 CEST	49755	443	192.168.2.4	35.244.181.201
Oct 25, 2024 12:33:28.263875008 CEST	49754	443	192.168.2.4	34.120.208.123
Oct 25, 2024 12:33:28.263886929 CEST	443	49754	34.120.208.123	192.168.2.4
Oct 25, 2024 12:33:28.264029026 CEST	49755	443	192.168.2.4	35.244.181.201
Oct 25, 2024 12:33:28.264045000 CEST	443	49755	35.244.181.201	192.168.2.4
Oct 25, 2024 12:33:28.871505976 CEST	443	49753	34.107.243.93	192.168.2.4
Oct 25, 2024 12:33:28.871582985 CEST	49753	443	192.168.2.4	34.107.243.93
Oct 25, 2024 12:33:28.872607946 CEST	443	49755	35.244.181.201	192.168.2.4
Oct 25, 2024 12:33:28.875610113 CEST	49755	443	192.168.2.4	35.244.181.201
Oct 25, 2024 12:33:28.877995968 CEST	49755	443	192.168.2.4	35.244.181.201
Oct 25, 2024 12:33:28.878010035 CEST	443	49755	35.244.181.201	192.168.2.4
Oct 25, 2024 12:33:28.878272057 CEST	443	49755	35.244.181.201	192.168.2.4
Oct 25, 2024 12:33:28.878731012 CEST	49753	443	192.168.2.4	34.107.243.93
Oct 25, 2024 12:33:28.878743887 CEST	443	49753	34.107.243.93	192.168.2.4
Oct 25, 2024 12:33:28.878808022 CEST	49753	443	192.168.2.4	34.107.243.93
Oct 25, 2024 12:33:28.878989935 CEST	443	49753	34.107.243.93	192.168.2.4
Oct 25, 2024 12:33:28.880733013 CEST	49755	443	192.168.2.4	35.244.181.201
Oct 25, 2024 12:33:28.880798101 CEST	49755	443	192.168.2.4	35.244.181.201
Oct 25, 2024 12:33:28.880899906 CEST	443	49755	35.244.181.201	192.168.2.4
Oct 25, 2024 12:33:28.881186962 CEST	49753	443	192.168.2.4	34.107.243.93
Oct 25, 2024 12:33:28.881230116 CEST	49755	443	192.168.2.4	35.244.181.201
Oct 25, 2024 12:33:28.889889956 CEST	443	49754	34.120.208.123	192.168.2.4
Oct 25, 2024 12:33:28.891370058 CEST	49754	443	192.168.2.4	34.120.208.123
Oct 25, 2024 12:33:28.895693064 CEST	49754	443	192.168.2.4	34.120.208.123
Oct 25, 2024 12:33:28.895704031 CEST	443	49754	34.120.208.123	192.168.2.4
Oct 25, 2024 12:33:28.895773888 CEST	49754	443	192.168.2.4	34.120.208.123
Oct 25, 2024 12:33:28.895867109 CEST	443	49754	34.120.208.123	192.168.2.4
Oct 25, 2024 12:33:28.900515079 CEST	49754	443	192.168.2.4	34.120.208.123
Oct 25, 2024 12:33:31.460082054 CEST	49748	80	192.168.2.4	34.107.221.82
Oct 25, 2024 12:33:31.465537071 CEST	80	49748	34.107.221.82	192.168.2.4
Oct 25, 2024 12:33:31.469356060 CEST	49760	443	192.168.2.4	34.120.208.123
Oct 25, 2024 12:33:31.469391108 CEST	443	49760	34.120.208.123	192.168.2.4
Oct 25, 2024 12:33:31.469481945 CEST	49760	443	192.168.2.4	34.120.208.123
Oct 25, 2024 12:33:31.470866919 CEST	49760	443	192.168.2.4	34.120.208.123
Oct 25, 2024 12:33:31.470876932 CEST	443	49760	34.120.208.123	192.168.2.4
Oct 25, 2024 12:33:31.586159945 CEST	80	49748	34.107.221.82	192.168.2.4
Oct 25, 2024 12:33:31.640588999 CEST	49748	80	192.168.2.4	34.107.221.82
Oct 25, 2024 12:33:32.085932016 CEST	443	49760	34.120.208.123	192.168.2.4
Oct 25, 2024 12:33:32.088643074 CEST	49760	443	192.168.2.4	34.120.208.123
Oct 25, 2024 12:33:32.320132971 CEST	49762	443	192.168.2.4	34.149.100.209
Oct 25, 2024 12:33:32.320152044 CEST	443	49762	34.149.100.209	192.168.2.4
Oct 25, 2024 12:33:32.326962948 CEST	49762	443	192.168.2.4	34.149.100.209
Oct 25, 2024 12:33:32.328917027 CEST	49762	443	192.168.2.4	34.149.100.209
Oct 25, 2024 12:33:32.328936100 CEST	443	49762	34.149.100.209	192.168.2.4
Oct 25, 2024 12:33:32.330508947 CEST	49760	443	192.168.2.4	34.120.208.123
Oct 25, 2024 12:33:32.330528021 CEST	443	49760	34.120.208.123	192.168.2.4
Oct 25, 2024 12:33:32.330733061 CEST	49760	443	192.168.2.4	34.120.208.123
Oct 25, 2024 12:33:32.331285954 CEST	443	49760	34.120.208.123	192.168.2.4
Oct 25, 2024 12:33:32.331356049 CEST	49760	443	192.168.2.4	34.120.208.123
Oct 25, 2024 12:33:32.576970100 CEST	49747	80	192.168.2.4	34.107.221.82
Oct 25, 2024 12:33:32.577974081 CEST	49748	80	192.168.2.4	34.107.221.82
Oct 25, 2024 12:33:32.579315901 CEST	49763	443	192.168.2.4	34.120.208.123
Oct 25, 2024 12:33:32.579330921 CEST	443	49763	34.120.208.123	192.168.2.4
Oct 25, 2024 12:33:32.580524921 CEST	49763	443	192.168.2.4	34.120.208.123
Oct 25, 2024 12:33:32.582427025 CEST	80	49747	34.107.221.82	192.168.2.4
Oct 25, 2024 12:33:32.582875967 CEST	49763	443	192.168.2.4	34.120.208.123
Oct 25, 2024 12:33:32.582891941 CEST	443	49763	34.120.208.123	192.168.2.4
Oct 25, 2024 12:33:32.583301067 CEST	80	49748	34.107.221.82	192.168.2.4
Oct 25, 2024 12:33:32.702413082 CEST	80	49748	34.107.221.82	192.168.2.4
Oct 25, 2024 12:33:32.702552080 CEST	80	49747	34.107.221.82	192.168.2.4
Oct 25, 2024 12:33:32.743697882 CEST	49747	80	192.168.2.4	34.107.221.82
Oct 25, 2024 12:33:32.743729115 CEST	49748	80	192.168.2.4	34.107.221.82
Oct 25, 2024 12:33:32.959420919 CEST	443	49762	34.149.100.209	192.168.2.4
Oct 25, 2024 12:33:32.959436893 CEST	443	49762	34.149.100.209	192.168.2.4
Oct 25, 2024 12:33:32.959486008 CEST	49762	443	192.168.2.4	34.149.100.209
Oct 25, 2024 12:33:33.206923008 CEST	443	49763	34.120.208.123	192.168.2.4
Oct 25, 2024 12:33:33.207058907 CEST	49763	443	192.168.2.4	34.120.208.123
Oct 25, 2024 12:33:33.321268082 CEST	49762	443	192.168.2.4	34.149.100.209
Oct 25, 2024 12:33:33.321295977 CEST	443	49762	34.149.100.209	192.168.2.4
Oct 25, 2024 12:33:33.321356058 CEST	49762	443	192.168.2.4	34.149.100.209
Oct 25, 2024 12:33:33.321464062 CEST	49763	443	192.168.2.4	34.120.208.123
Oct 25, 2024 12:33:33.321490049 CEST	443	49763	34.120.208.123	192.168.2.4
Oct 25, 2024 12:33:33.321531057 CEST	49763	443	192.168.2.4	34.120.208.123
Oct 25, 2024 12:33:33.321799040 CEST	443	49763	34.120.208.123	192.168.2.4
Oct 25, 2024 12:33:33.321907043 CEST	443	49762	34.149.100.209	192.168.2.4
Oct 25, 2024 12:33:33.324758053 CEST	49763	443	192.168.2.4	34.120.208.123
Oct 25, 2024 12:33:33.324769974 CEST	49762	443	192.168.2.4	34.149.100.209
Oct 25, 2024 12:33:35.061733961 CEST	49747	80	192.168.2.4	34.107.221.82
Oct 25, 2024 12:33:35.067194939 CEST	80	49747	34.107.221.82	192.168.2.4
Oct 25, 2024 12:33:35.185841084 CEST	49748	80	192.168.2.4	34.107.221.82
Oct 25, 2024 12:33:35.186933994 CEST	80	49747	34.107.221.82	192.168.2.4
Oct 25, 2024 12:33:35.191288948 CEST	80	49748	34.107.221.82	192.168.2.4
Oct 25, 2024 12:33:35.202161074 CEST	49765	443	192.168.2.4	34.120.208.123
Oct 25, 2024 12:33:35.202229023 CEST	443	49765	34.120.208.123	192.168.2.4
Oct 25, 2024 12:33:35.203763962 CEST	49765	443	192.168.2.4	34.120.208.123
Oct 25, 2024 12:33:35.203913927 CEST	49765	443	192.168.2.4	34.120.208.123
Oct 25, 2024 12:33:35.203929901 CEST	443	49765	34.120.208.123	192.168.2.4
Oct 25, 2024 12:33:35.221133947 CEST	49766	443	192.168.2.4	34.120.208.123
Oct 25, 2024 12:33:35.221208096 CEST	443	49766	34.120.208.123	192.168.2.4
Oct 25, 2024 12:33:35.222402096 CEST	49766	443	192.168.2.4	34.120.208.123
Oct 25, 2024 12:33:35.222837925 CEST	49766	443	192.168.2.4	34.120.208.123
Oct 25, 2024 12:33:35.222875118 CEST	443	49766	34.120.208.123	192.168.2.4
Oct 25, 2024 12:33:35.237982035 CEST	49747	80	192.168.2.4	34.107.221.82
Oct 25, 2024 12:33:35.310271978 CEST	80	49748	34.107.221.82	192.168.2.4
Oct 25, 2024 12:33:35.353892088 CEST	49748	80	192.168.2.4	34.107.221.82
Oct 25, 2024 12:33:35.803158045 CEST	443	49765	34.120.208.123	192.168.2.4
Oct 25, 2024 12:33:35.803230047 CEST	49765	443	192.168.2.4	34.120.208.123
Oct 25, 2024 12:33:35.836086035 CEST	443	49766	34.120.208.123	192.168.2.4
Oct 25, 2024 12:33:35.836401939 CEST	49766	443	192.168.2.4	34.120.208.123
Oct 25, 2024 12:33:36.035073996 CEST	49765	443	192.168.2.4	34.120.208.123
Oct 25, 2024 12:33:36.035114050 CEST	443	49765	34.120.208.123	192.168.2.4
Oct 25, 2024 12:33:36.035851002 CEST	443	49765	34.120.208.123	192.168.2.4
Oct 25, 2024 12:33:36.037297964 CEST	49766	443	192.168.2.4	34.120.208.123
Oct 25, 2024 12:33:36.037321091 CEST	443	49766	34.120.208.123	192.168.2.4
Oct 25, 2024 12:33:36.038294077 CEST	443	49766	34.120.208.123	192.168.2.4
Oct 25, 2024 12:33:36.039901018 CEST	49767	443	192.168.2.4	34.120.208.123
Oct 25, 2024 12:33:36.039958954 CEST	443	49767	34.120.208.123	192.168.2.4
Oct 25, 2024 12:33:36.040323019 CEST	49767	443	192.168.2.4	34.120.208.123
Oct 25, 2024 12:33:36.042397022 CEST	49767	443	192.168.2.4	34.120.208.123
Oct 25, 2024 12:33:36.042417049 CEST	443	49767	34.120.208.123	192.168.2.4
Oct 25, 2024 12:33:36.044298887 CEST	49765	443	192.168.2.4	34.120.208.123
Oct 25, 2024 12:33:36.044362068 CEST	49765	443	192.168.2.4	34.120.208.123
Oct 25, 2024 12:33:36.044707060 CEST	49766	443	192.168.2.4	34.120.208.123
Oct 25, 2024 12:33:36.044785976 CEST	49766	443	192.168.2.4	34.120.208.123
Oct 25, 2024 12:33:36.044955015 CEST	443	49765	34.120.208.123	192.168.2.4
Oct 25, 2024 12:33:36.045214891 CEST	443	49766	34.120.208.123	192.168.2.4
Oct 25, 2024 12:33:36.045933008 CEST	49765	443	192.168.2.4	34.120.208.123
Oct 25, 2024 12:33:36.045953035 CEST	49766	443	192.168.2.4	34.120.208.123
Oct 25, 2024 12:33:36.054234028 CEST	49747	80	192.168.2.4	34.107.221.82
Oct 25, 2024 12:33:36.058242083 CEST	49748	80	192.168.2.4	34.107.221.82
Oct 25, 2024 12:33:36.059731007 CEST	80	49747	34.107.221.82	192.168.2.4
Oct 25, 2024 12:33:36.288574934 CEST	80	49747	34.107.221.82	192.168.2.4
Oct 25, 2024 12:33:36.288670063 CEST	80	49748	34.107.221.82	192.168.2.4
Oct 25, 2024 12:33:36.341136932 CEST	49747	80	192.168.2.4	34.107.221.82
Oct 25, 2024 12:33:36.407777071 CEST	80	49748	34.107.221.82	192.168.2.4
Oct 25, 2024 12:33:36.457052946 CEST	49748	80	192.168.2.4	34.107.221.82
Oct 25, 2024 12:33:36.682523966 CEST	443	49767	34.120.208.123	192.168.2.4
Oct 25, 2024 12:33:36.682589054 CEST	49767	443	192.168.2.4	34.120.208.123
Oct 25, 2024 12:33:37.685743093 CEST	49767	443	192.168.2.4	34.120.208.123
Oct 25, 2024 12:33:37.685780048 CEST	443	49767	34.120.208.123	192.168.2.4
Oct 25, 2024 12:33:37.685832977 CEST	49767	443	192.168.2.4	34.120.208.123
Oct 25, 2024 12:33:37.686099052 CEST	443	49767	34.120.208.123	192.168.2.4
Oct 25, 2024 12:33:37.687711000 CEST	49747	80	192.168.2.4	34.107.221.82
Oct 25, 2024 12:33:37.692430973 CEST	49767	443	192.168.2.4	34.120.208.123
Oct 25, 2024 12:33:37.693120956 CEST	80	49747	34.107.221.82	192.168.2.4
Oct 25, 2024 12:33:37.814337969 CEST	80	49747	34.107.221.82	192.168.2.4
Oct 25, 2024 12:33:37.861068964 CEST	49747	80	192.168.2.4	34.107.221.82
Oct 25, 2024 12:33:38.299479008 CEST	49748	80	192.168.2.4	34.107.221.82
Oct 25, 2024 12:33:38.302360058 CEST	49768	443	192.168.2.4	34.120.208.123
Oct 25, 2024 12:33:38.302412987 CEST	443	49768	34.120.208.123	192.168.2.4
Oct 25, 2024 12:33:38.304835081 CEST	49768	443	192.168.2.4	34.120.208.123
Oct 25, 2024 12:33:38.305094004 CEST	80	49748	34.107.221.82	192.168.2.4
Oct 25, 2024 12:33:38.306075096 CEST	49768	443	192.168.2.4	34.120.208.123
Oct 25, 2024 12:33:38.306091070 CEST	443	49768	34.120.208.123	192.168.2.4
Oct 25, 2024 12:33:38.313734055 CEST	49769	443	192.168.2.4	34.107.243.93
Oct 25, 2024 12:33:38.313747883 CEST	443	49769	34.107.243.93	192.168.2.4
Oct 25, 2024 12:33:38.320416927 CEST	49769	443	192.168.2.4	34.107.243.93
Oct 25, 2024 12:33:38.321820021 CEST	49769	443	192.168.2.4	34.107.243.93
Oct 25, 2024 12:33:38.321831942 CEST	443	49769	34.107.243.93	192.168.2.4
Oct 25, 2024 12:33:38.424386978 CEST	80	49748	34.107.221.82	192.168.2.4
Oct 25, 2024 12:33:38.426996946 CEST	49747	80	192.168.2.4	34.107.221.82
Oct 25, 2024 12:33:38.432482004 CEST	80	49747	34.107.221.82	192.168.2.4
Oct 25, 2024 12:33:38.484967947 CEST	49748	80	192.168.2.4	34.107.221.82
Oct 25, 2024 12:33:38.552716017 CEST	80	49747	34.107.221.82	192.168.2.4
Oct 25, 2024 12:33:38.600866079 CEST	49747	80	192.168.2.4	34.107.221.82
Oct 25, 2024 12:33:38.910960913 CEST	443	49768	34.120.208.123	192.168.2.4
Oct 25, 2024 12:33:38.911039114 CEST	49768	443	192.168.2.4	34.120.208.123
Oct 25, 2024 12:33:38.916188955 CEST	49768	443	192.168.2.4	34.120.208.123
Oct 25, 2024 12:33:38.916205883 CEST	443	49768	34.120.208.123	192.168.2.4
Oct 25, 2024 12:33:38.916301966 CEST	49768	443	192.168.2.4	34.120.208.123
Oct 25, 2024 12:33:38.916496038 CEST	443	49768	34.120.208.123	192.168.2.4
Oct 25, 2024 12:33:38.917376995 CEST	49768	443	192.168.2.4	34.120.208.123
Oct 25, 2024 12:33:38.919266939 CEST	49748	80	192.168.2.4	34.107.221.82
Oct 25, 2024 12:33:38.921655893 CEST	49770	443	192.168.2.4	34.120.208.123
Oct 25, 2024 12:33:38.921701908 CEST	443	49770	34.120.208.123	192.168.2.4
Oct 25, 2024 12:33:38.921886921 CEST	49770	443	192.168.2.4	34.120.208.123
Oct 25, 2024 12:33:38.923078060 CEST	49770	443	192.168.2.4	34.120.208.123
Oct 25, 2024 12:33:38.923095942 CEST	443	49770	34.120.208.123	192.168.2.4
Oct 25, 2024 12:33:38.924936056 CEST	80	49748	34.107.221.82	192.168.2.4
Oct 25, 2024 12:33:38.935450077 CEST	443	49769	34.107.243.93	192.168.2.4
Oct 25, 2024 12:33:38.935467958 CEST	443	49769	34.107.243.93	192.168.2.4
Oct 25, 2024 12:33:38.935522079 CEST	49769	443	192.168.2.4	34.107.243.93
Oct 25, 2024 12:33:38.940140963 CEST	49769	443	192.168.2.4	34.107.243.93
Oct 25, 2024 12:33:38.940150023 CEST	443	49769	34.107.243.93	192.168.2.4
Oct 25, 2024 12:33:38.940220118 CEST	49769	443	192.168.2.4	34.107.243.93
Oct 25, 2024 12:33:38.940407991 CEST	443	49769	34.107.243.93	192.168.2.4
Oct 25, 2024 12:33:38.940483093 CEST	49769	443	192.168.2.4	34.107.243.93
Oct 25, 2024 12:33:39.044984102 CEST	80	49748	34.107.221.82	192.168.2.4
Oct 25, 2024 12:33:39.048172951 CEST	49747	80	192.168.2.4	34.107.221.82
Oct 25, 2024 12:33:39.054265976 CEST	80	49747	34.107.221.82	192.168.2.4
Oct 25, 2024 12:33:39.086689949 CEST	49748	80	192.168.2.4	34.107.221.82
Oct 25, 2024 12:33:39.192195892 CEST	80	49747	34.107.221.82	192.168.2.4
Oct 25, 2024 12:33:39.233839035 CEST	49747	80	192.168.2.4	34.107.221.82
Oct 25, 2024 12:33:39.557184935 CEST	443	49770	34.120.208.123	192.168.2.4
Oct 25, 2024 12:33:39.557514906 CEST	49770	443	192.168.2.4	34.120.208.123
Oct 25, 2024 12:33:39.561574936 CEST	49770	443	192.168.2.4	34.120.208.123
Oct 25, 2024 12:33:39.561589003 CEST	443	49770	34.120.208.123	192.168.2.4
Oct 25, 2024 12:33:39.561672926 CEST	49770	443	192.168.2.4	34.120.208.123
Oct 25, 2024 12:33:39.561789036 CEST	443	49770	34.120.208.123	192.168.2.4
Oct 25, 2024 12:33:39.563172102 CEST	49770	443	192.168.2.4	34.120.208.123
Oct 25, 2024 12:33:39.564122915 CEST	49748	80	192.168.2.4	34.107.221.82
Oct 25, 2024 12:33:39.569833994 CEST	80	49748	34.107.221.82	192.168.2.4
Oct 25, 2024 12:33:39.688946009 CEST	80	49748	34.107.221.82	192.168.2.4
Oct 25, 2024 12:33:39.691688061 CEST	49747	80	192.168.2.4	34.107.221.82
Oct 25, 2024 12:33:39.697087049 CEST	80	49747	34.107.221.82	192.168.2.4
Oct 25, 2024 12:33:39.735337973 CEST	49748	80	192.168.2.4	34.107.221.82
Oct 25, 2024 12:33:39.816884041 CEST	80	49747	34.107.221.82	192.168.2.4
Oct 25, 2024 12:33:39.866830111 CEST	49747	80	192.168.2.4	34.107.221.82
Oct 25, 2024 12:33:46.847368956 CEST	62505	443	192.168.2.4	35.244.181.201
Oct 25, 2024 12:33:46.847415924 CEST	443	62505	35.244.181.201	192.168.2.4
Oct 25, 2024 12:33:46.852622032 CEST	62505	443	192.168.2.4	35.244.181.201
Oct 25, 2024 12:33:46.852735043 CEST	62505	443	192.168.2.4	35.244.181.201
Oct 25, 2024 12:33:46.852741957 CEST	443	62505	35.244.181.201	192.168.2.4
Oct 25, 2024 12:33:46.872747898 CEST	62506	443	192.168.2.4	34.149.100.209
Oct 25, 2024 12:33:46.872797012 CEST	443	62506	34.149.100.209	192.168.2.4
Oct 25, 2024 12:33:46.873579025 CEST	62506	443	192.168.2.4	34.149.100.209
Oct 25, 2024 12:33:46.873713017 CEST	62506	443	192.168.2.4	34.149.100.209
Oct 25, 2024 12:33:46.873725891 CEST	443	62506	34.149.100.209	192.168.2.4
Oct 25, 2024 12:33:46.883469105 CEST	62507	443	192.168.2.4	151.101.1.91
Oct 25, 2024 12:33:46.883491993 CEST	443	62507	151.101.1.91	192.168.2.4
Oct 25, 2024 12:33:46.883829117 CEST	62507	443	192.168.2.4	151.101.1.91
Oct 25, 2024 12:33:46.883941889 CEST	62507	443	192.168.2.4	151.101.1.91
Oct 25, 2024 12:33:46.883950949 CEST	443	62507	151.101.1.91	192.168.2.4
Oct 25, 2024 12:33:46.895097017 CEST	62508	443	192.168.2.4	35.190.72.216
Oct 25, 2024 12:33:46.895127058 CEST	443	62508	35.190.72.216	192.168.2.4
Oct 25, 2024 12:33:46.898988962 CEST	62508	443	192.168.2.4	35.190.72.216
Oct 25, 2024 12:33:46.900376081 CEST	62508	443	192.168.2.4	35.190.72.216
Oct 25, 2024 12:33:46.900391102 CEST	443	62508	35.190.72.216	192.168.2.4
Oct 25, 2024 12:33:46.912002087 CEST	62509	443	192.168.2.4	35.201.103.21
Oct 25, 2024 12:33:46.912024975 CEST	443	62509	35.201.103.21	192.168.2.4
Oct 25, 2024 12:33:46.917321920 CEST	62509	443	192.168.2.4	35.201.103.21
Oct 25, 2024 12:33:46.918661118 CEST	62509	443	192.168.2.4	35.201.103.21
Oct 25, 2024 12:33:46.918670893 CEST	443	62509	35.201.103.21	192.168.2.4
Oct 25, 2024 12:33:47.464291096 CEST	443	62505	35.244.181.201	192.168.2.4
Oct 25, 2024 12:33:47.467955112 CEST	62505	443	192.168.2.4	35.244.181.201
Oct 25, 2024 12:33:47.471385002 CEST	62505	443	192.168.2.4	35.244.181.201
Oct 25, 2024 12:33:47.471391916 CEST	443	62505	35.244.181.201	192.168.2.4
Oct 25, 2024 12:33:47.471709013 CEST	443	62505	35.244.181.201	192.168.2.4
Oct 25, 2024 12:33:47.473598003 CEST	443	62506	34.149.100.209	192.168.2.4
Oct 25, 2024 12:33:47.473680019 CEST	62506	443	192.168.2.4	34.149.100.209
Oct 25, 2024 12:33:47.476442099 CEST	62506	443	192.168.2.4	34.149.100.209
Oct 25, 2024 12:33:47.476454020 CEST	443	62506	34.149.100.209	192.168.2.4
Oct 25, 2024 12:33:47.476757050 CEST	443	62506	34.149.100.209	192.168.2.4
Oct 25, 2024 12:33:47.477062941 CEST	62505	443	192.168.2.4	35.244.181.201
Oct 25, 2024 12:33:47.477163076 CEST	62505	443	192.168.2.4	35.244.181.201
Oct 25, 2024 12:33:47.477502108 CEST	443	62505	35.244.181.201	192.168.2.4
Oct 25, 2024 12:33:47.477861881 CEST	62505	443	192.168.2.4	35.244.181.201
Oct 25, 2024 12:33:47.479772091 CEST	62506	443	192.168.2.4	34.149.100.209
Oct 25, 2024 12:33:47.479844093 CEST	62506	443	192.168.2.4	34.149.100.209
Oct 25, 2024 12:33:47.479928970 CEST	443	62506	34.149.100.209	192.168.2.4
Oct 25, 2024 12:33:47.480854988 CEST	62506	443	192.168.2.4	34.149.100.209
Oct 25, 2024 12:33:47.482450008 CEST	49748	80	192.168.2.4	34.107.221.82
Oct 25, 2024 12:33:47.487832069 CEST	80	49748	34.107.221.82	192.168.2.4
Oct 25, 2024 12:33:47.505557060 CEST	443	62507	151.101.1.91	192.168.2.4
Oct 25, 2024 12:33:47.505619049 CEST	62507	443	192.168.2.4	151.101.1.91
Oct 25, 2024 12:33:47.508356094 CEST	443	62508	35.190.72.216	192.168.2.4
Oct 25, 2024 12:33:47.508554935 CEST	62507	443	192.168.2.4	151.101.1.91
Oct 25, 2024 12:33:47.508558989 CEST	443	62507	151.101.1.91	192.168.2.4
Oct 25, 2024 12:33:47.508776903 CEST	62508	443	192.168.2.4	35.190.72.216
Oct 25, 2024 12:33:47.508878946 CEST	443	62507	151.101.1.91	192.168.2.4
Oct 25, 2024 12:33:47.513505936 CEST	62507	443	192.168.2.4	151.101.1.91
Oct 25, 2024 12:33:47.513596058 CEST	62507	443	192.168.2.4	151.101.1.91
Oct 25, 2024 12:33:47.513660908 CEST	443	62507	151.101.1.91	192.168.2.4
Oct 25, 2024 12:33:47.513701916 CEST	62508	443	192.168.2.4	35.190.72.216
Oct 25, 2024 12:33:47.513736963 CEST	443	62508	35.190.72.216	192.168.2.4
Oct 25, 2024 12:33:47.513778925 CEST	62508	443	192.168.2.4	35.190.72.216
Oct 25, 2024 12:33:47.513885975 CEST	443	62508	35.190.72.216	192.168.2.4
Oct 25, 2024 12:33:47.514166117 CEST	62507	443	192.168.2.4	151.101.1.91
Oct 25, 2024 12:33:47.514179945 CEST	62508	443	192.168.2.4	35.190.72.216
Oct 25, 2024 12:33:47.521190882 CEST	62510	443	192.168.2.4	35.244.181.201
Oct 25, 2024 12:33:47.521241903 CEST	443	62510	35.244.181.201	192.168.2.4
Oct 25, 2024 12:33:47.521550894 CEST	62510	443	192.168.2.4	35.244.181.201
Oct 25, 2024 12:33:47.521678925 CEST	62510	443	192.168.2.4	35.244.181.201
Oct 25, 2024 12:33:47.521689892 CEST	443	62510	35.244.181.201	192.168.2.4
Oct 25, 2024 12:33:47.523360968 CEST	62511	443	192.168.2.4	35.244.181.201
Oct 25, 2024 12:33:47.523391008 CEST	443	62511	35.244.181.201	192.168.2.4
Oct 25, 2024 12:33:47.523683071 CEST	62511	443	192.168.2.4	35.244.181.201
Oct 25, 2024 12:33:47.523794889 CEST	62511	443	192.168.2.4	35.244.181.201
Oct 25, 2024 12:33:47.523802996 CEST	443	62511	35.244.181.201	192.168.2.4
Oct 25, 2024 12:33:47.525713921 CEST	62512	443	192.168.2.4	35.244.181.201
Oct 25, 2024 12:33:47.525732994 CEST	443	62512	35.244.181.201	192.168.2.4
Oct 25, 2024 12:33:47.525912046 CEST	62512	443	192.168.2.4	35.244.181.201
Oct 25, 2024 12:33:47.526024103 CEST	62512	443	192.168.2.4	35.244.181.201
Oct 25, 2024 12:33:47.526030064 CEST	443	62512	35.244.181.201	192.168.2.4
Oct 25, 2024 12:33:47.538364887 CEST	443	62509	35.201.103.21	192.168.2.4
Oct 25, 2024 12:33:47.538429022 CEST	62509	443	192.168.2.4	35.201.103.21
Oct 25, 2024 12:33:47.542942047 CEST	62509	443	192.168.2.4	35.201.103.21
Oct 25, 2024 12:33:47.542947054 CEST	443	62509	35.201.103.21	192.168.2.4
Oct 25, 2024 12:33:47.543019056 CEST	62509	443	192.168.2.4	35.201.103.21
Oct 25, 2024 12:33:47.543148994 CEST	443	62509	35.201.103.21	192.168.2.4
Oct 25, 2024 12:33:47.543409109 CEST	62509	443	192.168.2.4	35.201.103.21
Oct 25, 2024 12:33:47.553533077 CEST	62513	443	192.168.2.4	34.149.100.209
Oct 25, 2024 12:33:47.553580046 CEST	443	62513	34.149.100.209	192.168.2.4
Oct 25, 2024 12:33:47.553678989 CEST	62513	443	192.168.2.4	34.149.100.209
Oct 25, 2024 12:33:47.553750038 CEST	62513	443	192.168.2.4	34.149.100.209
Oct 25, 2024 12:33:47.553761005 CEST	443	62513	34.149.100.209	192.168.2.4
Oct 25, 2024 12:33:47.607455969 CEST	80	49748	34.107.221.82	192.168.2.4
Oct 25, 2024 12:33:47.610430002 CEST	49747	80	192.168.2.4	34.107.221.82
Oct 25, 2024 12:33:47.615979910 CEST	80	49747	34.107.221.82	192.168.2.4
Oct 25, 2024 12:33:47.662981033 CEST	49748	80	192.168.2.4	34.107.221.82
Oct 25, 2024 12:33:47.737479925 CEST	80	49747	34.107.221.82	192.168.2.4
Oct 25, 2024 12:33:47.778979063 CEST	49747	80	192.168.2.4	34.107.221.82
Oct 25, 2024 12:33:48.127599001 CEST	443	62510	35.244.181.201	192.168.2.4
Oct 25, 2024 12:33:48.127854109 CEST	62510	443	192.168.2.4	35.244.181.201
Oct 25, 2024 12:33:48.130110025 CEST	443	62512	35.244.181.201	192.168.2.4
Oct 25, 2024 12:33:48.130203009 CEST	62512	443	192.168.2.4	35.244.181.201
Oct 25, 2024 12:33:48.130707026 CEST	62510	443	192.168.2.4	35.244.181.201
Oct 25, 2024 12:33:48.130717993 CEST	443	62510	35.244.181.201	192.168.2.4
Oct 25, 2024 12:33:48.131236076 CEST	443	62510	35.244.181.201	192.168.2.4
Oct 25, 2024 12:33:48.132985115 CEST	62512	443	192.168.2.4	35.244.181.201
Oct 25, 2024 12:33:48.132996082 CEST	443	62512	35.244.181.201	192.168.2.4
Oct 25, 2024 12:33:48.133753061 CEST	443	62512	35.244.181.201	192.168.2.4
Oct 25, 2024 12:33:48.136553049 CEST	62510	443	192.168.2.4	35.244.181.201
Oct 25, 2024 12:33:48.136639118 CEST	62510	443	192.168.2.4	35.244.181.201
Oct 25, 2024 12:33:48.136883974 CEST	62512	443	192.168.2.4	35.244.181.201
Oct 25, 2024 12:33:48.136925936 CEST	62512	443	192.168.2.4	35.244.181.201
Oct 25, 2024 12:33:48.136997938 CEST	443	62510	35.244.181.201	192.168.2.4
Oct 25, 2024 12:33:48.137135983 CEST	443	62512	35.244.181.201	192.168.2.4
Oct 25, 2024 12:33:48.138434887 CEST	62512	443	192.168.2.4	35.244.181.201
Oct 25, 2024 12:33:48.138458967 CEST	62510	443	192.168.2.4	35.244.181.201
Oct 25, 2024 12:33:48.138464928 CEST	62512	443	192.168.2.4	35.244.181.201
Oct 25, 2024 12:33:48.141366959 CEST	49748	80	192.168.2.4	34.107.221.82
Oct 25, 2024 12:33:48.146790028 CEST	80	49748	34.107.221.82	192.168.2.4
Oct 25, 2024 12:33:48.174774885 CEST	443	62513	34.149.100.209	192.168.2.4
Oct 25, 2024 12:33:48.174891949 CEST	62513	443	192.168.2.4	34.149.100.209
Oct 25, 2024 12:33:48.175410032 CEST	443	62511	35.244.181.201	192.168.2.4
Oct 25, 2024 12:33:48.175688982 CEST	62511	443	192.168.2.4	35.244.181.201
Oct 25, 2024 12:33:48.177712917 CEST	62513	443	192.168.2.4	34.149.100.209
Oct 25, 2024 12:33:48.177727938 CEST	443	62513	34.149.100.209	192.168.2.4
Oct 25, 2024 12:33:48.178055048 CEST	443	62513	34.149.100.209	192.168.2.4
Oct 25, 2024 12:33:48.179831028 CEST	62511	443	192.168.2.4	35.244.181.201
Oct 25, 2024 12:33:48.179877996 CEST	443	62511	35.244.181.201	192.168.2.4
Oct 25, 2024 12:33:48.180802107 CEST	443	62511	35.244.181.201	192.168.2.4
Oct 25, 2024 12:33:48.183022976 CEST	62513	443	192.168.2.4	34.149.100.209
Oct 25, 2024 12:33:48.183111906 CEST	62513	443	192.168.2.4	34.149.100.209
Oct 25, 2024 12:33:48.183228970 CEST	443	62513	34.149.100.209	192.168.2.4
Oct 25, 2024 12:33:48.183425903 CEST	62511	443	192.168.2.4	35.244.181.201
Oct 25, 2024 12:33:48.183470011 CEST	62511	443	192.168.2.4	35.244.181.201
Oct 25, 2024 12:33:48.183859110 CEST	443	62511	35.244.181.201	192.168.2.4
Oct 25, 2024 12:33:48.184590101 CEST	62513	443	192.168.2.4	34.149.100.209
Oct 25, 2024 12:33:48.184593916 CEST	62511	443	192.168.2.4	35.244.181.201
Oct 25, 2024 12:33:48.265952110 CEST	80	49748	34.107.221.82	192.168.2.4
Oct 25, 2024 12:33:48.268625975 CEST	49747	80	192.168.2.4	34.107.221.82
Oct 25, 2024 12:33:48.274085045 CEST	80	49747	34.107.221.82	192.168.2.4
Oct 25, 2024 12:33:48.311534882 CEST	49748	80	192.168.2.4	34.107.221.82
Oct 25, 2024 12:33:48.395220995 CEST	80	49747	34.107.221.82	192.168.2.4
Oct 25, 2024 12:33:48.449575901 CEST	49747	80	192.168.2.4	34.107.221.82
Oct 25, 2024 12:33:49.033550024 CEST	62515	443	192.168.2.4	34.107.243.93
Oct 25, 2024 12:33:49.033592939 CEST	443	62515	34.107.243.93	192.168.2.4
Oct 25, 2024 12:33:49.033699989 CEST	62515	443	192.168.2.4	34.107.243.93
Oct 25, 2024 12:33:49.034934044 CEST	62515	443	192.168.2.4	34.107.243.93
Oct 25, 2024 12:33:49.034955978 CEST	443	62515	34.107.243.93	192.168.2.4
Oct 25, 2024 12:33:49.648718119 CEST	443	62515	34.107.243.93	192.168.2.4
Oct 25, 2024 12:33:49.648789883 CEST	62515	443	192.168.2.4	34.107.243.93
Oct 25, 2024 12:33:49.652641058 CEST	62515	443	192.168.2.4	34.107.243.93
Oct 25, 2024 12:33:49.652657986 CEST	443	62515	34.107.243.93	192.168.2.4
Oct 25, 2024 12:33:49.652725935 CEST	62515	443	192.168.2.4	34.107.243.93
Oct 25, 2024 12:33:49.653016090 CEST	443	62515	34.107.243.93	192.168.2.4
Oct 25, 2024 12:33:49.653078079 CEST	62515	443	192.168.2.4	34.107.243.93
Oct 25, 2024 12:33:49.655149937 CEST	49748	80	192.168.2.4	34.107.221.82
Oct 25, 2024 12:33:49.660548925 CEST	80	49748	34.107.221.82	192.168.2.4
Oct 25, 2024 12:33:49.779594898 CEST	80	49748	34.107.221.82	192.168.2.4
Oct 25, 2024 12:33:49.782547951 CEST	49747	80	192.168.2.4	34.107.221.82
Oct 25, 2024 12:33:49.787946939 CEST	80	49747	34.107.221.82	192.168.2.4
Oct 25, 2024 12:33:49.838104010 CEST	49748	80	192.168.2.4	34.107.221.82
Oct 25, 2024 12:33:49.907968998 CEST	80	49747	34.107.221.82	192.168.2.4
Oct 25, 2024 12:33:49.969592094 CEST	49747	80	192.168.2.4	34.107.221.82
Oct 25, 2024 12:33:59.787842035 CEST	49748	80	192.168.2.4	34.107.221.82
Oct 25, 2024 12:33:59.793339968 CEST	80	49748	34.107.221.82	192.168.2.4
Oct 25, 2024 12:33:59.925920963 CEST	49747	80	192.168.2.4	34.107.221.82
Oct 25, 2024 12:33:59.931823015 CEST	80	49747	34.107.221.82	192.168.2.4
Oct 25, 2024 12:34:09.775763988 CEST	62583	443	192.168.2.4	34.107.243.93
Oct 25, 2024 12:34:09.775820971 CEST	443	62583	34.107.243.93	192.168.2.4
Oct 25, 2024 12:34:09.777498007 CEST	62583	443	192.168.2.4	34.107.243.93
Oct 25, 2024 12:34:09.778688908 CEST	62583	443	192.168.2.4	34.107.243.93
Oct 25, 2024 12:34:09.778706074 CEST	443	62583	34.107.243.93	192.168.2.4
Oct 25, 2024 12:34:09.801460981 CEST	49748	80	192.168.2.4	34.107.221.82
Oct 25, 2024 12:34:09.807104111 CEST	80	49748	34.107.221.82	192.168.2.4
Oct 25, 2024 12:34:09.933042049 CEST	49747	80	192.168.2.4	34.107.221.82
Oct 25, 2024 12:34:09.938714027 CEST	80	49747	34.107.221.82	192.168.2.4
Oct 25, 2024 12:34:10.393975019 CEST	443	62583	34.107.243.93	192.168.2.4
Oct 25, 2024 12:34:10.394108057 CEST	62583	443	192.168.2.4	34.107.243.93
Oct 25, 2024 12:34:10.397531986 CEST	62583	443	192.168.2.4	34.107.243.93
Oct 25, 2024 12:34:10.397537947 CEST	443	62583	34.107.243.93	192.168.2.4
Oct 25, 2024 12:34:10.397608042 CEST	62583	443	192.168.2.4	34.107.243.93
Oct 25, 2024 12:34:10.397720098 CEST	443	62583	34.107.243.93	192.168.2.4
Oct 25, 2024 12:34:10.399127960 CEST	62583	443	192.168.2.4	34.107.243.93
Oct 25, 2024 12:34:10.399997950 CEST	49748	80	192.168.2.4	34.107.221.82
Oct 25, 2024 12:34:10.405545950 CEST	80	49748	34.107.221.82	192.168.2.4
Oct 25, 2024 12:34:10.524672031 CEST	80	49748	34.107.221.82	192.168.2.4
Oct 25, 2024 12:34:10.537601948 CEST	49747	80	192.168.2.4	34.107.221.82
Oct 25, 2024 12:34:10.543001890 CEST	80	49747	34.107.221.82	192.168.2.4
Oct 25, 2024 12:34:10.588138103 CEST	49748	80	192.168.2.4	34.107.221.82
Oct 25, 2024 12:34:10.663080931 CEST	80	49747	34.107.221.82	192.168.2.4
Oct 25, 2024 12:34:10.704021931 CEST	49747	80	192.168.2.4	34.107.221.82
Oct 25, 2024 12:34:16.817399025 CEST	62624	443	192.168.2.4	34.120.208.123
Oct 25, 2024 12:34:16.817451000 CEST	443	62624	34.120.208.123	192.168.2.4
Oct 25, 2024 12:34:16.817671061 CEST	62625	443	192.168.2.4	34.120.208.123
Oct 25, 2024 12:34:16.817717075 CEST	443	62625	34.120.208.123	192.168.2.4
Oct 25, 2024 12:34:16.817915916 CEST	62626	443	192.168.2.4	34.120.208.123
Oct 25, 2024 12:34:16.817924023 CEST	443	62626	34.120.208.123	192.168.2.4
Oct 25, 2024 12:34:16.818802118 CEST	62624	443	192.168.2.4	34.120.208.123
Oct 25, 2024 12:34:16.818819046 CEST	62625	443	192.168.2.4	34.120.208.123
Oct 25, 2024 12:34:16.818830013 CEST	62626	443	192.168.2.4	34.120.208.123
Oct 25, 2024 12:34:16.819014072 CEST	62624	443	192.168.2.4	34.120.208.123
Oct 25, 2024 12:34:16.819026947 CEST	443	62624	34.120.208.123	192.168.2.4
Oct 25, 2024 12:34:16.819138050 CEST	62625	443	192.168.2.4	34.120.208.123
Oct 25, 2024 12:34:16.819152117 CEST	443	62625	34.120.208.123	192.168.2.4
Oct 25, 2024 12:34:16.819192886 CEST	62626	443	192.168.2.4	34.120.208.123
Oct 25, 2024 12:34:16.819201946 CEST	443	62626	34.120.208.123	192.168.2.4
Oct 25, 2024 12:34:17.433737040 CEST	443	62625	34.120.208.123	192.168.2.4
Oct 25, 2024 12:34:17.434149981 CEST	443	62626	34.120.208.123	192.168.2.4
Oct 25, 2024 12:34:17.435337067 CEST	62625	443	192.168.2.4	34.120.208.123
Oct 25, 2024 12:34:17.435445070 CEST	62626	443	192.168.2.4	34.120.208.123
Oct 25, 2024 12:34:17.438793898 CEST	62625	443	192.168.2.4	34.120.208.123
Oct 25, 2024 12:34:17.438807011 CEST	443	62625	34.120.208.123	192.168.2.4
Oct 25, 2024 12:34:17.439124107 CEST	443	62625	34.120.208.123	192.168.2.4
Oct 25, 2024 12:34:17.441258907 CEST	62626	443	192.168.2.4	34.120.208.123
Oct 25, 2024 12:34:17.441273928 CEST	443	62626	34.120.208.123	192.168.2.4
Oct 25, 2024 12:34:17.441610098 CEST	443	62626	34.120.208.123	192.168.2.4
Oct 25, 2024 12:34:17.443430901 CEST	443	62624	34.120.208.123	192.168.2.4
Oct 25, 2024 12:34:17.444050074 CEST	62625	443	192.168.2.4	34.120.208.123
Oct 25, 2024 12:34:17.444189072 CEST	443	62625	34.120.208.123	192.168.2.4
Oct 25, 2024 12:34:17.444250107 CEST	62625	443	192.168.2.4	34.120.208.123
Oct 25, 2024 12:34:17.444258928 CEST	443	62625	34.120.208.123	192.168.2.4
Oct 25, 2024 12:34:17.444390059 CEST	62626	443	192.168.2.4	34.120.208.123
Oct 25, 2024 12:34:17.444453001 CEST	62626	443	192.168.2.4	34.120.208.123
Oct 25, 2024 12:34:17.444571972 CEST	443	62626	34.120.208.123	192.168.2.4
Oct 25, 2024 12:34:17.445252895 CEST	62626	443	192.168.2.4	34.120.208.123
Oct 25, 2024 12:34:17.445271015 CEST	62626	443	192.168.2.4	34.120.208.123
Oct 25, 2024 12:34:17.445282936 CEST	62624	443	192.168.2.4	34.120.208.123
Oct 25, 2024 12:34:17.445286036 CEST	62625	443	192.168.2.4	34.120.208.123
Oct 25, 2024 12:34:17.448177099 CEST	62624	443	192.168.2.4	34.120.208.123
Oct 25, 2024 12:34:17.448183060 CEST	443	62624	34.120.208.123	192.168.2.4
Oct 25, 2024 12:34:17.448659897 CEST	443	62624	34.120.208.123	192.168.2.4
Oct 25, 2024 12:34:17.450625896 CEST	62624	443	192.168.2.4	34.120.208.123
Oct 25, 2024 12:34:17.450694084 CEST	62624	443	192.168.2.4	34.120.208.123
Oct 25, 2024 12:34:17.450810909 CEST	443	62624	34.120.208.123	192.168.2.4
Oct 25, 2024 12:34:17.451807976 CEST	62624	443	192.168.2.4	34.120.208.123
Oct 25, 2024 12:34:17.451919079 CEST	62624	443	192.168.2.4	34.120.208.123
Oct 25, 2024 12:34:17.465336084 CEST	49748	80	192.168.2.4	34.107.221.82
Oct 25, 2024 12:34:17.470782995 CEST	80	49748	34.107.221.82	192.168.2.4
Oct 25, 2024 12:34:17.474762917 CEST	62632	443	192.168.2.4	34.120.208.123
Oct 25, 2024 12:34:17.474802971 CEST	443	62632	34.120.208.123	192.168.2.4
Oct 25, 2024 12:34:17.474874973 CEST	62633	443	192.168.2.4	34.120.208.123
Oct 25, 2024 12:34:17.474920988 CEST	443	62633	34.120.208.123	192.168.2.4
Oct 25, 2024 12:34:17.474980116 CEST	62634	443	192.168.2.4	34.120.208.123
Oct 25, 2024 12:34:17.474987984 CEST	443	62634	34.120.208.123	192.168.2.4
Oct 25, 2024 12:34:17.475059032 CEST	62633	443	192.168.2.4	34.120.208.123
Oct 25, 2024 12:34:17.475059986 CEST	62632	443	192.168.2.4	34.120.208.123
Oct 25, 2024 12:34:17.475167036 CEST	62632	443	192.168.2.4	34.120.208.123
Oct 25, 2024 12:34:17.475177050 CEST	443	62632	34.120.208.123	192.168.2.4
Oct 25, 2024 12:34:17.475266933 CEST	62633	443	192.168.2.4	34.120.208.123
Oct 25, 2024 12:34:17.475282907 CEST	443	62633	34.120.208.123	192.168.2.4
Oct 25, 2024 12:34:17.475490093 CEST	62634	443	192.168.2.4	34.120.208.123
Oct 25, 2024 12:34:17.475614071 CEST	62634	443	192.168.2.4	34.120.208.123
Oct 25, 2024 12:34:17.475625992 CEST	443	62634	34.120.208.123	192.168.2.4
Oct 25, 2024 12:34:17.478454113 CEST	62635	443	192.168.2.4	34.120.208.123
Oct 25, 2024 12:34:17.478466034 CEST	443	62635	34.120.208.123	192.168.2.4
Oct 25, 2024 12:34:17.478667021 CEST	62635	443	192.168.2.4	34.120.208.123
Oct 25, 2024 12:34:17.478759050 CEST	62635	443	192.168.2.4	34.120.208.123
Oct 25, 2024 12:34:17.478769064 CEST	443	62635	34.120.208.123	192.168.2.4
Oct 25, 2024 12:34:17.590094090 CEST	80	49748	34.107.221.82	192.168.2.4
Oct 25, 2024 12:34:17.624150991 CEST	49747	80	192.168.2.4	34.107.221.82
Oct 25, 2024 12:34:17.629801035 CEST	80	49747	34.107.221.82	192.168.2.4
Oct 25, 2024 12:34:17.638477087 CEST	49748	80	192.168.2.4	34.107.221.82
Oct 25, 2024 12:34:17.750345945 CEST	80	49747	34.107.221.82	192.168.2.4
Oct 25, 2024 12:34:17.807878017 CEST	49747	80	192.168.2.4	34.107.221.82
Oct 25, 2024 12:34:18.075836897 CEST	443	62633	34.120.208.123	192.168.2.4
Oct 25, 2024 12:34:18.075923920 CEST	62633	443	192.168.2.4	34.120.208.123
Oct 25, 2024 12:34:18.079292059 CEST	62633	443	192.168.2.4	34.120.208.123
Oct 25, 2024 12:34:18.079298973 CEST	443	62633	34.120.208.123	192.168.2.4
Oct 25, 2024 12:34:18.079489946 CEST	443	62633	34.120.208.123	192.168.2.4
Oct 25, 2024 12:34:18.081928015 CEST	62633	443	192.168.2.4	34.120.208.123
Oct 25, 2024 12:34:18.082020044 CEST	443	62633	34.120.208.123	192.168.2.4
Oct 25, 2024 12:34:18.082042933 CEST	62633	443	192.168.2.4	34.120.208.123
Oct 25, 2024 12:34:18.082048893 CEST	443	62633	34.120.208.123	192.168.2.4
Oct 25, 2024 12:34:18.084703922 CEST	49748	80	192.168.2.4	34.107.221.82
Oct 25, 2024 12:34:18.090085030 CEST	80	49748	34.107.221.82	192.168.2.4
Oct 25, 2024 12:34:18.092784882 CEST	443	62632	34.120.208.123	192.168.2.4
Oct 25, 2024 12:34:18.092866898 CEST	62632	443	192.168.2.4	34.120.208.123
Oct 25, 2024 12:34:18.096113920 CEST	62632	443	192.168.2.4	34.120.208.123
Oct 25, 2024 12:34:18.096124887 CEST	443	62632	34.120.208.123	192.168.2.4
Oct 25, 2024 12:34:18.096550941 CEST	443	62632	34.120.208.123	192.168.2.4
Oct 25, 2024 12:34:18.098623991 CEST	62632	443	192.168.2.4	34.120.208.123
Oct 25, 2024 12:34:18.098714113 CEST	62632	443	192.168.2.4	34.120.208.123
Oct 25, 2024 12:34:18.098807096 CEST	443	62632	34.120.208.123	192.168.2.4
Oct 25, 2024 12:34:18.098855019 CEST	62632	443	192.168.2.4	34.120.208.123
Oct 25, 2024 12:34:18.103739977 CEST	443	62634	34.120.208.123	192.168.2.4
Oct 25, 2024 12:34:18.103811026 CEST	62634	443	192.168.2.4	34.120.208.123
Oct 25, 2024 12:34:18.106594086 CEST	62634	443	192.168.2.4	34.120.208.123
Oct 25, 2024 12:34:18.106599092 CEST	443	62634	34.120.208.123	192.168.2.4
Oct 25, 2024 12:34:18.107156992 CEST	443	62634	34.120.208.123	192.168.2.4
Oct 25, 2024 12:34:18.109155893 CEST	62634	443	192.168.2.4	34.120.208.123
Oct 25, 2024 12:34:18.109239101 CEST	62634	443	192.168.2.4	34.120.208.123
Oct 25, 2024 12:34:18.109323978 CEST	443	62634	34.120.208.123	192.168.2.4
Oct 25, 2024 12:34:18.109368086 CEST	62634	443	192.168.2.4	34.120.208.123
Oct 25, 2024 12:34:18.124810934 CEST	443	62635	34.120.208.123	192.168.2.4
Oct 25, 2024 12:34:18.124883890 CEST	62635	443	192.168.2.4	34.120.208.123
Oct 25, 2024 12:34:18.127902031 CEST	62635	443	192.168.2.4	34.120.208.123
Oct 25, 2024 12:34:18.127916098 CEST	443	62635	34.120.208.123	192.168.2.4
Oct 25, 2024 12:34:18.128251076 CEST	443	62635	34.120.208.123	192.168.2.4
Oct 25, 2024 12:34:18.130203962 CEST	62635	443	192.168.2.4	34.120.208.123
Oct 25, 2024 12:34:18.130295038 CEST	62635	443	192.168.2.4	34.120.208.123
Oct 25, 2024 12:34:18.130373955 CEST	443	62635	34.120.208.123	192.168.2.4
Oct 25, 2024 12:34:18.130873919 CEST	62635	443	192.168.2.4	34.120.208.123
Oct 25, 2024 12:34:18.210632086 CEST	80	49748	34.107.221.82	192.168.2.4
Oct 25, 2024 12:34:18.213505983 CEST	49747	80	192.168.2.4	34.107.221.82
Oct 25, 2024 12:34:18.219126940 CEST	80	49747	34.107.221.82	192.168.2.4
Oct 25, 2024 12:34:18.255812883 CEST	49748	80	192.168.2.4	34.107.221.82
Oct 25, 2024 12:34:18.291322947 CEST	443	62633	34.120.208.123	192.168.2.4
Oct 25, 2024 12:34:18.291610003 CEST	62633	443	192.168.2.4	34.120.208.123
Oct 25, 2024 12:34:18.339306116 CEST	80	49747	34.107.221.82	192.168.2.4
Oct 25, 2024 12:34:18.393997908 CEST	49747	80	192.168.2.4	34.107.221.82
Oct 25, 2024 12:34:19.184801102 CEST	49748	80	192.168.2.4	34.107.221.82
Oct 25, 2024 12:34:19.190439939 CEST	80	49748	34.107.221.82	192.168.2.4
Oct 25, 2024 12:34:19.309916019 CEST	80	49748	34.107.221.82	192.168.2.4
Oct 25, 2024 12:34:19.313394070 CEST	49747	80	192.168.2.4	34.107.221.82
Oct 25, 2024 12:34:19.319226980 CEST	80	49747	34.107.221.82	192.168.2.4
Oct 25, 2024 12:34:19.358972073 CEST	49748	80	192.168.2.4	34.107.221.82
Oct 25, 2024 12:34:19.439327955 CEST	80	49747	34.107.221.82	192.168.2.4
Oct 25, 2024 12:34:19.481432915 CEST	49747	80	192.168.2.4	34.107.221.82
Oct 25, 2024 12:34:29.317740917 CEST	49748	80	192.168.2.4	34.107.221.82
Oct 25, 2024 12:34:29.323446035 CEST	80	49748	34.107.221.82	192.168.2.4
Oct 25, 2024 12:34:29.440299034 CEST	49747	80	192.168.2.4	34.107.221.82
Oct 25, 2024 12:34:29.445987940 CEST	80	49747	34.107.221.82	192.168.2.4
Oct 25, 2024 12:34:39.331056118 CEST	49748	80	192.168.2.4	34.107.221.82
Oct 25, 2024 12:34:39.336436033 CEST	80	49748	34.107.221.82	192.168.2.4
Oct 25, 2024 12:34:39.446937084 CEST	49747	80	192.168.2.4	34.107.221.82
Oct 25, 2024 12:34:39.452486992 CEST	80	49747	34.107.221.82	192.168.2.4
Oct 25, 2024 12:34:49.343214989 CEST	49748	80	192.168.2.4	34.107.221.82
Oct 25, 2024 12:34:49.348685026 CEST	80	49748	34.107.221.82	192.168.2.4
Oct 25, 2024 12:34:49.459135056 CEST	49747	80	192.168.2.4	34.107.221.82
Oct 25, 2024 12:34:49.464715958 CEST	80	49747	34.107.221.82	192.168.2.4
Oct 25, 2024 12:34:50.410931110 CEST	62791	443	192.168.2.4	34.107.243.93
Oct 25, 2024 12:34:50.411000013 CEST	443	62791	34.107.243.93	192.168.2.4
Oct 25, 2024 12:34:50.411297083 CEST	62791	443	192.168.2.4	34.107.243.93
Oct 25, 2024 12:34:50.412580013 CEST	62791	443	192.168.2.4	34.107.243.93
Oct 25, 2024 12:34:50.412635088 CEST	443	62791	34.107.243.93	192.168.2.4
Oct 25, 2024 12:34:51.051258087 CEST	443	62791	34.107.243.93	192.168.2.4
Oct 25, 2024 12:34:51.055808067 CEST	62791	443	192.168.2.4	34.107.243.93
Oct 25, 2024 12:34:51.061049938 CEST	62791	443	192.168.2.4	34.107.243.93
Oct 25, 2024 12:34:51.061072111 CEST	443	62791	34.107.243.93	192.168.2.4
Oct 25, 2024 12:34:51.061145067 CEST	62791	443	192.168.2.4	34.107.243.93
Oct 25, 2024 12:34:51.061203003 CEST	443	62791	34.107.243.93	192.168.2.4
Oct 25, 2024 12:34:51.063606024 CEST	62791	443	192.168.2.4	34.107.243.93
Oct 25, 2024 12:34:51.063716888 CEST	49748	80	192.168.2.4	34.107.221.82
Oct 25, 2024 12:34:51.071394920 CEST	80	49748	34.107.221.82	192.168.2.4
Oct 25, 2024 12:34:51.201374054 CEST	80	49748	34.107.221.82	192.168.2.4
Oct 25, 2024 12:34:51.204905987 CEST	49747	80	192.168.2.4	34.107.221.82
Oct 25, 2024 12:34:51.212445974 CEST	80	49747	34.107.221.82	192.168.2.4
Oct 25, 2024 12:34:51.248230934 CEST	49748	80	192.168.2.4	34.107.221.82
Oct 25, 2024 12:34:51.394361973 CEST	80	49747	34.107.221.82	192.168.2.4
Oct 25, 2024 12:34:51.448847055 CEST	49747	80	192.168.2.4	34.107.221.82
Oct 25, 2024 12:35:01.206742048 CEST	49748	80	192.168.2.4	34.107.221.82
Oct 25, 2024 12:35:01.212805033 CEST	80	49748	34.107.221.82	192.168.2.4
Oct 25, 2024 12:35:01.407219887 CEST	49747	80	192.168.2.4	34.107.221.82
Oct 25, 2024 12:35:01.412700891 CEST	80	49747	34.107.221.82	192.168.2.4
Oct 25, 2024 12:35:11.218190908 CEST	49748	80	192.168.2.4	34.107.221.82
Oct 25, 2024 12:35:11.223921061 CEST	80	49748	34.107.221.82	192.168.2.4
Oct 25, 2024 12:35:11.418848991 CEST	49747	80	192.168.2.4	34.107.221.82
Oct 25, 2024 12:35:11.425044060 CEST	80	49747	34.107.221.82	192.168.2.4
Oct 25, 2024 12:35:21.229299068 CEST	49748	80	192.168.2.4	34.107.221.82
Oct 25, 2024 12:35:21.235148907 CEST	80	49748	34.107.221.82	192.168.2.4
Oct 25, 2024 12:35:21.429920912 CEST	49747	80	192.168.2.4	34.107.221.82
Oct 25, 2024 12:35:21.435616970 CEST	80	49747	34.107.221.82	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 25, 2024 12:33:18.139900923 CEST	58361	53	192.168.2.4	1.1.1.1
Oct 25, 2024 12:33:18.148566008 CEST	53	58361	1.1.1.1	192.168.2.4
Oct 25, 2024 12:33:18.156946898 CEST	49576	53	192.168.2.4	1.1.1.1
Oct 25, 2024 12:33:18.164654016 CEST	53	49576	1.1.1.1	192.168.2.4
Oct 25, 2024 12:33:20.914611101 CEST	49697	53	192.168.2.4	1.1.1.1
Oct 25, 2024 12:33:20.952887058 CEST	55042	53	192.168.2.4	1.1.1.1
Oct 25, 2024 12:33:20.962338924 CEST	53	55042	1.1.1.1	192.168.2.4
Oct 25, 2024 12:33:20.963026047 CEST	54992	53	192.168.2.4	1.1.1.1
Oct 25, 2024 12:33:20.970870972 CEST	53	54992	1.1.1.1	192.168.2.4
Oct 25, 2024 12:33:21.109112978 CEST	50705	53	192.168.2.4	1.1.1.1
Oct 25, 2024 12:33:21.119128942 CEST	53	50705	1.1.1.1	192.168.2.4
Oct 25, 2024 12:33:21.120373011 CEST	50524	53	192.168.2.4	1.1.1.1
Oct 25, 2024 12:33:21.138885975 CEST	53	50524	1.1.1.1	192.168.2.4
Oct 25, 2024 12:33:21.145203114 CEST	51396	53	192.168.2.4	1.1.1.1
Oct 25, 2024 12:33:21.155705929 CEST	53	51396	1.1.1.1	192.168.2.4
Oct 25, 2024 12:33:21.289467096 CEST	62224	53	192.168.2.4	1.1.1.1
Oct 25, 2024 12:33:21.296866894 CEST	53	62224	1.1.1.1	192.168.2.4
Oct 25, 2024 12:33:21.307292938 CEST	54136	53	192.168.2.4	1.1.1.1
Oct 25, 2024 12:33:21.308533907 CEST	53384	53	192.168.2.4	1.1.1.1
Oct 25, 2024 12:33:21.315361977 CEST	53	54136	1.1.1.1	192.168.2.4
Oct 25, 2024 12:33:21.316519022 CEST	53	53384	1.1.1.1	192.168.2.4
Oct 25, 2024 12:33:21.334599972 CEST	63751	53	192.168.2.4	1.1.1.1
Oct 25, 2024 12:33:21.334872007 CEST	57428	53	192.168.2.4	1.1.1.1
Oct 25, 2024 12:33:21.342756033 CEST	53	63751	1.1.1.1	192.168.2.4
Oct 25, 2024 12:33:21.342906952 CEST	53	57428	1.1.1.1	192.168.2.4
Oct 25, 2024 12:33:21.368207932 CEST	62202	53	192.168.2.4	1.1.1.1
Oct 25, 2024 12:33:21.375623941 CEST	53	62202	1.1.1.1	192.168.2.4
Oct 25, 2024 12:33:21.379292965 CEST	55710	53	192.168.2.4	1.1.1.1
Oct 25, 2024 12:33:21.387258053 CEST	53	55710	1.1.1.1	192.168.2.4
Oct 25, 2024 12:33:21.388264894 CEST	59333	53	192.168.2.4	1.1.1.1
Oct 25, 2024 12:33:21.396023989 CEST	53	59333	1.1.1.1	192.168.2.4
Oct 25, 2024 12:33:21.819689035 CEST	56079	53	192.168.2.4	1.1.1.1
Oct 25, 2024 12:33:21.827008009 CEST	53	56079	1.1.1.1	192.168.2.4
Oct 25, 2024 12:33:21.828675032 CEST	60664	53	192.168.2.4	1.1.1.1
Oct 25, 2024 12:33:21.835916042 CEST	53	60664	1.1.1.1	192.168.2.4
Oct 25, 2024 12:33:21.850610971 CEST	52685	53	192.168.2.4	1.1.1.1
Oct 25, 2024 12:33:21.858297110 CEST	53	52685	1.1.1.1	192.168.2.4
Oct 25, 2024 12:33:22.393420935 CEST	49885	53	192.168.2.4	1.1.1.1
Oct 25, 2024 12:33:22.393546104 CEST	64193	53	192.168.2.4	1.1.1.1
Oct 25, 2024 12:33:22.401294947 CEST	53	64193	1.1.1.1	192.168.2.4
Oct 25, 2024 12:33:22.401328087 CEST	53	49885	1.1.1.1	192.168.2.4
Oct 25, 2024 12:33:22.415262938 CEST	55089	53	192.168.2.4	1.1.1.1
Oct 25, 2024 12:33:22.416583061 CEST	50733	53	192.168.2.4	1.1.1.1
Oct 25, 2024 12:33:22.468792915 CEST	53	51938	1.1.1.1	192.168.2.4
Oct 25, 2024 12:33:27.829049110 CEST	51569	53	192.168.2.4	1.1.1.1
Oct 25, 2024 12:33:27.939033985 CEST	61946	53	192.168.2.4	1.1.1.1
Oct 25, 2024 12:33:27.953150988 CEST	53	51569	1.1.1.1	192.168.2.4
Oct 25, 2024 12:33:27.953167915 CEST	53	61946	1.1.1.1	192.168.2.4
Oct 25, 2024 12:33:27.954071999 CEST	56051	53	192.168.2.4	1.1.1.1
Oct 25, 2024 12:33:27.954875946 CEST	57768	53	192.168.2.4	1.1.1.1
Oct 25, 2024 12:33:27.962194920 CEST	53	57768	1.1.1.1	192.168.2.4
Oct 25, 2024 12:33:27.962688923 CEST	55629	53	192.168.2.4	1.1.1.1
Oct 25, 2024 12:33:27.962970972 CEST	53	56051	1.1.1.1	192.168.2.4
Oct 25, 2024 12:33:27.963468075 CEST	50398	53	192.168.2.4	1.1.1.1
Oct 25, 2024 12:33:27.970489979 CEST	53	55629	1.1.1.1	192.168.2.4
Oct 25, 2024 12:33:27.970899105 CEST	53	50398	1.1.1.1	192.168.2.4
Oct 25, 2024 12:33:28.236229897 CEST	59954	53	192.168.2.4	1.1.1.1
Oct 25, 2024 12:33:28.244405985 CEST	53	59954	1.1.1.1	192.168.2.4
Oct 25, 2024 12:33:28.261523008 CEST	59118	53	192.168.2.4	1.1.1.1
Oct 25, 2024 12:33:28.268709898 CEST	53	59118	1.1.1.1	192.168.2.4
Oct 25, 2024 12:33:28.275382996 CEST	59522	53	192.168.2.4	1.1.1.1
Oct 25, 2024 12:33:28.284682989 CEST	53	59522	1.1.1.1	192.168.2.4
Oct 25, 2024 12:33:31.498550892 CEST	65530	53	192.168.2.4	1.1.1.1
Oct 25, 2024 12:33:31.506433964 CEST	53	65530	1.1.1.1	192.168.2.4
Oct 25, 2024 12:33:32.320034027 CEST	57495	53	192.168.2.4	1.1.1.1
Oct 25, 2024 12:33:32.327678919 CEST	53	57495	1.1.1.1	192.168.2.4
Oct 25, 2024 12:33:32.331278086 CEST	64047	53	192.168.2.4	1.1.1.1
Oct 25, 2024 12:33:32.338877916 CEST	53	64047	1.1.1.1	192.168.2.4
Oct 25, 2024 12:33:35.202752113 CEST	60483	53	192.168.2.4	1.1.1.1
Oct 25, 2024 12:33:35.210278988 CEST	53	60483	1.1.1.1	192.168.2.4
Oct 25, 2024 12:33:38.314035892 CEST	63403	53	192.168.2.4	1.1.1.1
Oct 25, 2024 12:33:38.321700096 CEST	53	63403	1.1.1.1	192.168.2.4
Oct 25, 2024 12:33:40.322324038 CEST	54584	53	192.168.2.4	1.1.1.1
Oct 25, 2024 12:33:40.322324038 CEST	55442	53	192.168.2.4	1.1.1.1
Oct 25, 2024 12:33:40.322649002 CEST	64892	53	192.168.2.4	1.1.1.1
Oct 25, 2024 12:33:40.330185890 CEST	53	54584	1.1.1.1	192.168.2.4
Oct 25, 2024 12:33:40.330231905 CEST	53	55442	1.1.1.1	192.168.2.4
Oct 25, 2024 12:33:40.330266953 CEST	53	64892	1.1.1.1	192.168.2.4
Oct 25, 2024 12:33:40.330858946 CEST	52101	53	192.168.2.4	1.1.1.1
Oct 25, 2024 12:33:40.331012964 CEST	60357	53	192.168.2.4	1.1.1.1
Oct 25, 2024 12:33:40.331494093 CEST	57638	53	192.168.2.4	1.1.1.1
Oct 25, 2024 12:33:40.338429928 CEST	53	52101	1.1.1.1	192.168.2.4
Oct 25, 2024 12:33:40.338583946 CEST	53	60357	1.1.1.1	192.168.2.4
Oct 25, 2024 12:33:40.339168072 CEST	53748	53	192.168.2.4	1.1.1.1
Oct 25, 2024 12:33:40.339215040 CEST	64876	53	192.168.2.4	1.1.1.1
Oct 25, 2024 12:33:40.339426994 CEST	53	57638	1.1.1.1	192.168.2.4
Oct 25, 2024 12:33:40.339895964 CEST	61068	53	192.168.2.4	1.1.1.1
Oct 25, 2024 12:33:40.346986055 CEST	53	64876	1.1.1.1	192.168.2.4
Oct 25, 2024 12:33:40.347103119 CEST	53	53748	1.1.1.1	192.168.2.4
Oct 25, 2024 12:33:40.347526073 CEST	57268	53	192.168.2.4	1.1.1.1
Oct 25, 2024 12:33:40.347659111 CEST	53	61068	1.1.1.1	192.168.2.4
Oct 25, 2024 12:33:40.348020077 CEST	58699	53	192.168.2.4	1.1.1.1
Oct 25, 2024 12:33:40.355281115 CEST	53	57268	1.1.1.1	192.168.2.4
Oct 25, 2024 12:33:40.356415033 CEST	53	58699	1.1.1.1	192.168.2.4
Oct 25, 2024 12:33:40.356981039 CEST	56639	53	192.168.2.4	1.1.1.1
Oct 25, 2024 12:33:40.364660978 CEST	53	56639	1.1.1.1	192.168.2.4
Oct 25, 2024 12:33:40.365087986 CEST	64192	53	192.168.2.4	1.1.1.1
Oct 25, 2024 12:33:40.372570038 CEST	53	64192	1.1.1.1	192.168.2.4
Oct 25, 2024 12:33:40.950829983 CEST	58021	53	192.168.2.4	1.1.1.1
Oct 25, 2024 12:33:40.958219051 CEST	53	58021	1.1.1.1	192.168.2.4
Oct 25, 2024 12:33:40.959023952 CEST	64244	53	192.168.2.4	1.1.1.1
Oct 25, 2024 12:33:40.967452049 CEST	53	64244	1.1.1.1	192.168.2.4
Oct 25, 2024 12:33:46.848311901 CEST	54490	53	192.168.2.4	1.1.1.1
Oct 25, 2024 12:33:46.856425047 CEST	53	54490	1.1.1.1	192.168.2.4
Oct 25, 2024 12:33:46.869379044 CEST	62871	53	192.168.2.4	1.1.1.1
Oct 25, 2024 12:33:46.877871990 CEST	53	62871	1.1.1.1	192.168.2.4
Oct 25, 2024 12:33:46.883774042 CEST	65091	53	192.168.2.4	1.1.1.1
Oct 25, 2024 12:33:46.891951084 CEST	53	65091	1.1.1.1	192.168.2.4
Oct 25, 2024 12:33:46.897250891 CEST	64884	53	192.168.2.4	1.1.1.1
Oct 25, 2024 12:33:46.901017904 CEST	55619	53	192.168.2.4	1.1.1.1
Oct 25, 2024 12:33:46.907493114 CEST	53	64884	1.1.1.1	192.168.2.4
Oct 25, 2024 12:33:46.908791065 CEST	53	55619	1.1.1.1	192.168.2.4
Oct 25, 2024 12:33:46.912503004 CEST	59191	53	192.168.2.4	1.1.1.1
Oct 25, 2024 12:33:46.920486927 CEST	53	59191	1.1.1.1	192.168.2.4
Oct 25, 2024 12:33:46.921633005 CEST	57779	53	192.168.2.4	1.1.1.1
Oct 25, 2024 12:33:46.929061890 CEST	53	57779	1.1.1.1	192.168.2.4
Oct 25, 2024 12:33:49.025135994 CEST	53844	53	192.168.2.4	1.1.1.1
Oct 25, 2024 12:33:49.032594919 CEST	53	53844	1.1.1.1	192.168.2.4
Oct 25, 2024 12:33:49.033628941 CEST	58527	53	192.168.2.4	1.1.1.1
Oct 25, 2024 12:33:49.041043043 CEST	53	58527	1.1.1.1	192.168.2.4
Oct 25, 2024 12:34:09.775449038 CEST	62937	53	192.168.2.4	1.1.1.1
Oct 25, 2024 12:34:09.783262968 CEST	53	62937	1.1.1.1	192.168.2.4
Oct 25, 2024 12:34:10.400222063 CEST	63476	53	192.168.2.4	1.1.1.1
Oct 25, 2024 12:34:16.801920891 CEST	57606	53	192.168.2.4	1.1.1.1
Oct 25, 2024 12:34:16.810115099 CEST	53	57606	1.1.1.1	192.168.2.4
Oct 25, 2024 12:34:50.402404070 CEST	51242	53	192.168.2.4	1.1.1.1
Oct 25, 2024 12:34:50.409931898 CEST	53	51242	1.1.1.1	192.168.2.4
Oct 25, 2024 12:34:50.410845995 CEST	59291	53	192.168.2.4	1.1.1.1
Oct 25, 2024 12:34:50.418453932 CEST	53	59291	1.1.1.1	192.168.2.4
Oct 25, 2024 12:34:51.063922882 CEST	58684	53	192.168.2.4	1.1.1.1

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 25, 2024 12:33:18.139900923 CEST	192.168.2.4	1.1.1.1	0x8475	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 25, 2024 12:33:18.156946898 CEST	192.168.2.4	1.1.1.1	0x62fd	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 25, 2024 12:33:20.914611101 CEST	192.168.2.4	1.1.1.1	0xf40c	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 12:33:20.952887058 CEST	192.168.2.4	1.1.1.1	0x7061	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 25, 2024 12:33:20.963026047 CEST	192.168.2.4	1.1.1.1	0x3a7e	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 25, 2024 12:33:21.109112978 CEST	192.168.2.4	1.1.1.1	0x1c0b	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 12:33:21.120373011 CEST	192.168.2.4	1.1.1.1	0xacf9	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 12:33:21.145203114 CEST	192.168.2.4	1.1.1.1	0x25f4	Standard query (0)	youtube.com	28	IN (0x0001)	false
Oct 25, 2024 12:33:21.289467096 CEST	192.168.2.4	1.1.1.1	0xcce2	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 12:33:21.307292938 CEST	192.168.2.4	1.1.1.1	0x454f	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 12:33:21.308533907 CEST	192.168.2.4	1.1.1.1	0x3b61	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 25, 2024 12:33:21.334599972 CEST	192.168.2.4	1.1.1.1	0x18e5	Standard query (0)	contile.services.mozilla.com	28	IN (0x0001)	false
Oct 25, 2024 12:33:21.334872007 CEST	192.168.2.4	1.1.1.1	0xd2f7	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 25, 2024 12:33:21.368207932 CEST	192.168.2.4	1.1.1.1	0x9db	Standard query (0)	spocs.getpocket.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 12:33:21.379292965 CEST	192.168.2.4	1.1.1.1	0x9e4	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 25, 2024 12:33:21.388264894 CEST	192.168.2.4	1.1.1.1	0x1bf9	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 25, 2024 12:33:21.819689035 CEST	192.168.2.4	1.1.1.1	0x5ece	Standard query (0)	content-signature-2.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Oct 25, 2024 12:33:21.828675032 CEST	192.168.2.4	1.1.1.1	0x42b3	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 25, 2024 12:33:21.850610971 CEST	192.168.2.4	1.1.1.1	0x32e5	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 25, 2024 12:33:22.393420935 CEST	192.168.2.4	1.1.1.1	0xaa80	Standard query (0)	ipv4only.arpa	A (IP address)	IN (0x0001)	false
Oct 25, 2024 12:33:22.393546104 CEST	192.168.2.4	1.1.1.1	0xf966	Standard query (0)	example.org	A (IP address)	IN (0x0001)	false
Oct 25, 2024 12:33:22.415262938 CEST	192.168.2.4	1.1.1.1	0x1f3d	Standard query (0)	shavar.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 12:33:22.416583061 CEST	192.168.2.4	1.1.1.1	0xe28e	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 12:33:27.829049110 CEST	192.168.2.4	1.1.1.1	0xd219	Standard query (0)	support.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 25, 2024 12:33:27.939033985 CEST	192.168.2.4	1.1.1.1	0x4fa0	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 12:33:27.954071999 CEST	192.168.2.4	1.1.1.1	0x4bf4	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 25, 2024 12:33:27.954875946 CEST	192.168.2.4	1.1.1.1	0xdb26	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 12:33:27.962688923 CEST	192.168.2.4	1.1.1.1	0xe697	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 25, 2024 12:33:27.963468075 CEST	192.168.2.4	1.1.1.1	0x1a7	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 25, 2024 12:33:28.236229897 CEST	192.168.2.4	1.1.1.1	0xf7d5	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 25, 2024 12:33:28.261523008 CEST	192.168.2.4	1.1.1.1	0x57e5	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 12:33:28.275382996 CEST	192.168.2.4	1.1.1.1	0x67af	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 25, 2024 12:33:31.498550892 CEST	192.168.2.4	1.1.1.1	0xf448	Standard query (0)	firefox.settings.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 12:33:32.320034027 CEST	192.168.2.4	1.1.1.1	0x49a3	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 25, 2024 12:33:32.331278086 CEST	192.168.2.4	1.1.1.1	0x8745	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 25, 2024 12:33:35.202752113 CEST	192.168.2.4	1.1.1.1	0x5f86	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 25, 2024 12:33:38.314035892 CEST	192.168.2.4	1.1.1.1	0x812b	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 25, 2024 12:33:40.322324038 CEST	192.168.2.4	1.1.1.1	0x3557	Standard query (0)	www.facebook.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 12:33:40.322324038 CEST	192.168.2.4	1.1.1.1	0x4e3a	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 12:33:40.322649002 CEST	192.168.2.4	1.1.1.1	0x7b33	Standard query (0)	www.wikipedia.org	A (IP address)	IN (0x0001)	false
Oct 25, 2024 12:33:40.330858946 CEST	192.168.2.4	1.1.1.1	0xcf8d	Standard query (0)	star-mini.c10r.facebook.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 12:33:40.331012964 CEST	192.168.2.4	1.1.1.1	0x3d17	Standard query (0)	dyna.wikimedia.org	A (IP address)	IN (0x0001)	false
Oct 25, 2024 12:33:40.331494093 CEST	192.168.2.4	1.1.1.1	0x76aa	Standard query (0)	youtube-ui.l.google.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 12:33:40.339168072 CEST	192.168.2.4	1.1.1.1	0x742	Standard query (0)	star-mini.c10r.facebook.com	28	IN (0x0001)	false
Oct 25, 2024 12:33:40.339215040 CEST	192.168.2.4	1.1.1.1	0xe2e3	Standard query (0)	dyna.wikimedia.org	28	IN (0x0001)	false
Oct 25, 2024 12:33:40.339895964 CEST	192.168.2.4	1.1.1.1	0xec2b	Standard query (0)	youtube-ui.l.google.com	28	IN (0x0001)	false
Oct 25, 2024 12:33:40.347526073 CEST	192.168.2.4	1.1.1.1	0x98e5	Standard query (0)	www.reddit.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 12:33:40.348020077 CEST	192.168.2.4	1.1.1.1	0x38b5	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 12:33:40.356981039 CEST	192.168.2.4	1.1.1.1	0x9c16	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 12:33:40.365087986 CEST	192.168.2.4	1.1.1.1	0xce45	Standard query (0)	twitter.com	28	IN (0x0001)	false
Oct 25, 2024 12:33:40.950829983 CEST	192.168.2.4	1.1.1.1	0xc5c4	Standard query (0)	reddit.map.fastly.net	A (IP address)	IN (0x0001)	false
Oct 25, 2024 12:33:40.959023952 CEST	192.168.2.4	1.1.1.1	0xe212	Standard query (0)	reddit.map.fastly.net	28	IN (0x0001)	false
Oct 25, 2024 12:33:46.848311901 CEST	192.168.2.4	1.1.1.1	0x9089	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 25, 2024 12:33:46.869379044 CEST	192.168.2.4	1.1.1.1	0x5beb	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 25, 2024 12:33:46.883774042 CEST	192.168.2.4	1.1.1.1	0x779a	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 25, 2024 12:33:46.897250891 CEST	192.168.2.4	1.1.1.1	0xb937	Standard query (0)	normandy.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Oct 25, 2024 12:33:46.901017904 CEST	192.168.2.4	1.1.1.1	0x947e	Standard query (0)	services.addons.mozilla.org	28	IN (0x0001)	false
Oct 25, 2024 12:33:46.912503004 CEST	192.168.2.4	1.1.1.1	0x2007	Standard query (0)	normandy-cdn.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 12:33:46.921633005 CEST	192.168.2.4	1.1.1.1	0x7d00	Standard query (0)	normandy-cdn.services.mozilla.com	28	IN (0x0001)	false
Oct 25, 2024 12:33:49.025135994 CEST	192.168.2.4	1.1.1.1	0xaadf	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 12:33:49.033628941 CEST	192.168.2.4	1.1.1.1	0xb6	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 25, 2024 12:34:09.775449038 CEST	192.168.2.4	1.1.1.1	0xbc6a	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 25, 2024 12:34:10.400222063 CEST	192.168.2.4	1.1.1.1	0x1109	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 12:34:16.801920891 CEST	192.168.2.4	1.1.1.1	0xf93d	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 25, 2024 12:34:50.402404070 CEST	192.168.2.4	1.1.1.1	0xd3da	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 12:34:50.410845995 CEST	192.168.2.4	1.1.1.1	0x8261	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 25, 2024 12:34:51.063922882 CEST	192.168.2.4	1.1.1.1	0x4db5	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 25, 2024 12:33:18.119781017 CEST	1.1.1.1	192.168.2.4	0xdb11	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Oct 25, 2024 12:33:18.148566008 CEST	1.1.1.1	192.168.2.4	0x8475	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Oct 25, 2024 12:33:20.951647997 CEST	1.1.1.1	192.168.2.4	0xf40c	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 12:33:20.951647997 CEST	1.1.1.1	192.168.2.4	0xf40c	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 25, 2024 12:33:20.962338924 CEST	1.1.1.1	192.168.2.4	0x7061	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 25, 2024 12:33:20.970870972 CEST	1.1.1.1	192.168.2.4	0x3a7e	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net			28	IN (0x0001)	false
Oct 25, 2024 12:33:21.119128942 CEST	1.1.1.1	192.168.2.4	0x1c0b	No error (0)	youtube.com		172.217.18.14	A (IP address)	IN (0x0001)	false
Oct 25, 2024 12:33:21.138885975 CEST	1.1.1.1	192.168.2.4	0xacf9	No error (0)	youtube.com		216.58.212.174	A (IP address)	IN (0x0001)	false
Oct 25, 2024 12:33:21.155705929 CEST	1.1.1.1	192.168.2.4	0x25f4	No error (0)	youtube.com			28	IN (0x0001)	false
Oct 25, 2024 12:33:21.296135902 CEST	1.1.1.1	192.168.2.4	0xaa95	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 12:33:21.296135902 CEST	1.1.1.1	192.168.2.4	0xaa95	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 25, 2024 12:33:21.296866894 CEST	1.1.1.1	192.168.2.4	0xcce2	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 25, 2024 12:33:21.315361977 CEST	1.1.1.1	192.168.2.4	0x454f	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 25, 2024 12:33:21.316519022 CEST	1.1.1.1	192.168.2.4	0x3b61	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 25, 2024 12:33:21.375623941 CEST	1.1.1.1	192.168.2.4	0x9db	No error (0)	spocs.getpocket.com	prod.ads.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 12:33:21.375623941 CEST	1.1.1.1	192.168.2.4	0x9db	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 25, 2024 12:33:21.387258053 CEST	1.1.1.1	192.168.2.4	0x9e4	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 25, 2024 12:33:21.827008009 CEST	1.1.1.1	192.168.2.4	0x5ece	No error (0)	content-signature-2.cdn.mozilla.net	content-signature-chains.prod.autograph.services.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 12:33:21.827008009 CEST	1.1.1.1	192.168.2.4	0x5ece	No error (0)	content-signature-chains.prod.autograph.services.mozaws.net	prod.content-signature-chains.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 12:33:21.827008009 CEST	1.1.1.1	192.168.2.4	0x5ece	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Oct 25, 2024 12:33:21.835916042 CEST	1.1.1.1	192.168.2.4	0x42b3	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Oct 25, 2024 12:33:21.858297110 CEST	1.1.1.1	192.168.2.4	0x32e5	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net			28	IN (0x0001)	false
Oct 25, 2024 12:33:22.401294947 CEST	1.1.1.1	192.168.2.4	0xf966	No error (0)	example.org		93.184.215.14	A (IP address)	IN (0x0001)	false
Oct 25, 2024 12:33:22.401328087 CEST	1.1.1.1	192.168.2.4	0xaa80	No error (0)	ipv4only.arpa		192.0.0.171	A (IP address)	IN (0x0001)	false
Oct 25, 2024 12:33:22.401328087 CEST	1.1.1.1	192.168.2.4	0xaa80	No error (0)	ipv4only.arpa		192.0.0.170	A (IP address)	IN (0x0001)	false
Oct 25, 2024 12:33:22.423419952 CEST	1.1.1.1	192.168.2.4	0x1f3d	No error (0)	shavar.services.mozilla.com	shavar.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 12:33:22.424330950 CEST	1.1.1.1	192.168.2.4	0xe28e	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 12:33:22.424330950 CEST	1.1.1.1	192.168.2.4	0xe28e	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 25, 2024 12:33:27.953150988 CEST	1.1.1.1	192.168.2.4	0xd219	No error (0)	support.mozilla.org	prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 12:33:27.953150988 CEST	1.1.1.1	192.168.2.4	0xd219	No error (0)	prod.sumo.prod.webservices.mozgcp.net	us-west1.prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 12:33:27.953150988 CEST	1.1.1.1	192.168.2.4	0xd219	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Oct 25, 2024 12:33:27.953167915 CEST	1.1.1.1	192.168.2.4	0x4fa0	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 25, 2024 12:33:27.962194920 CEST	1.1.1.1	192.168.2.4	0xdb26	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 25, 2024 12:33:27.962970972 CEST	1.1.1.1	192.168.2.4	0x4bf4	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Oct 25, 2024 12:33:28.243777990 CEST	1.1.1.1	192.168.2.4	0x6214	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 12:33:28.243777990 CEST	1.1.1.1	192.168.2.4	0x6214	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 25, 2024 12:33:28.244643927 CEST	1.1.1.1	192.168.2.4	0xdfe7	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 25, 2024 12:33:28.268709898 CEST	1.1.1.1	192.168.2.4	0x57e5	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 25, 2024 12:33:31.468477011 CEST	1.1.1.1	192.168.2.4	0xe7b3	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 25, 2024 12:33:31.506433964 CEST	1.1.1.1	192.168.2.4	0xf448	No error (0)	firefox.settings.services.mozilla.com	prod.remote-settings.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 12:33:31.506433964 CEST	1.1.1.1	192.168.2.4	0xf448	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Oct 25, 2024 12:33:32.327678919 CEST	1.1.1.1	192.168.2.4	0x49a3	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Oct 25, 2024 12:33:40.330185890 CEST	1.1.1.1	192.168.2.4	0x3557	No error (0)	www.facebook.com	star-mini.c10r.facebook.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 12:33:40.330185890 CEST	1.1.1.1	192.168.2.4	0x3557	No error (0)	star-mini.c10r.facebook.com		157.240.0.35	A (IP address)	IN (0x0001)	false
Oct 25, 2024 12:33:40.330231905 CEST	1.1.1.1	192.168.2.4	0x4e3a	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 12:33:40.330231905 CEST	1.1.1.1	192.168.2.4	0x4e3a	No error (0)	youtube-ui.l.google.com		172.217.16.206	A (IP address)	IN (0x0001)	false
Oct 25, 2024 12:33:40.330231905 CEST	1.1.1.1	192.168.2.4	0x4e3a	No error (0)	youtube-ui.l.google.com		172.217.18.110	A (IP address)	IN (0x0001)	false
Oct 25, 2024 12:33:40.330231905 CEST	1.1.1.1	192.168.2.4	0x4e3a	No error (0)	youtube-ui.l.google.com		216.58.206.78	A (IP address)	IN (0x0001)	false
Oct 25, 2024 12:33:40.330231905 CEST	1.1.1.1	192.168.2.4	0x4e3a	No error (0)	youtube-ui.l.google.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Oct 25, 2024 12:33:40.330231905 CEST	1.1.1.1	192.168.2.4	0x4e3a	No error (0)	youtube-ui.l.google.com		142.250.74.206	A (IP address)	IN (0x0001)	false
Oct 25, 2024 12:33:40.330231905 CEST	1.1.1.1	192.168.2.4	0x4e3a	No error (0)	youtube-ui.l.google.com		142.250.186.174	A (IP address)	IN (0x0001)	false
Oct 25, 2024 12:33:40.330231905 CEST	1.1.1.1	192.168.2.4	0x4e3a	No error (0)	youtube-ui.l.google.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Oct 25, 2024 12:33:40.330231905 CEST	1.1.1.1	192.168.2.4	0x4e3a	No error (0)	youtube-ui.l.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Oct 25, 2024 12:33:40.330231905 CEST	1.1.1.1	192.168.2.4	0x4e3a	No error (0)	youtube-ui.l.google.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Oct 25, 2024 12:33:40.330231905 CEST	1.1.1.1	192.168.2.4	0x4e3a	No error (0)	youtube-ui.l.google.com		142.250.185.110	A (IP address)	IN (0x0001)	false
Oct 25, 2024 12:33:40.330231905 CEST	1.1.1.1	192.168.2.4	0x4e3a	No error (0)	youtube-ui.l.google.com		142.250.186.78	A (IP address)	IN (0x0001)	false
Oct 25, 2024 12:33:40.330231905 CEST	1.1.1.1	192.168.2.4	0x4e3a	No error (0)	youtube-ui.l.google.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Oct 25, 2024 12:33:40.330231905 CEST	1.1.1.1	192.168.2.4	0x4e3a	No error (0)	youtube-ui.l.google.com		142.250.186.110	A (IP address)	IN (0x0001)	false
Oct 25, 2024 12:33:40.330231905 CEST	1.1.1.1	192.168.2.4	0x4e3a	No error (0)	youtube-ui.l.google.com		172.217.23.110	A (IP address)	IN (0x0001)	false
Oct 25, 2024 12:33:40.330231905 CEST	1.1.1.1	192.168.2.4	0x4e3a	No error (0)	youtube-ui.l.google.com		172.217.18.14	A (IP address)	IN (0x0001)	false
Oct 25, 2024 12:33:40.330231905 CEST	1.1.1.1	192.168.2.4	0x4e3a	No error (0)	youtube-ui.l.google.com		142.250.185.174	A (IP address)	IN (0x0001)	false
Oct 25, 2024 12:33:40.330266953 CEST	1.1.1.1	192.168.2.4	0x7b33	No error (0)	www.wikipedia.org	dyna.wikimedia.org		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 12:33:40.330266953 CEST	1.1.1.1	192.168.2.4	0x7b33	No error (0)	dyna.wikimedia.org		185.15.59.224	A (IP address)	IN (0x0001)	false
Oct 25, 2024 12:33:40.338429928 CEST	1.1.1.1	192.168.2.4	0xcf8d	No error (0)	star-mini.c10r.facebook.com		157.240.251.35	A (IP address)	IN (0x0001)	false
Oct 25, 2024 12:33:40.338583946 CEST	1.1.1.1	192.168.2.4	0x3d17	No error (0)	dyna.wikimedia.org		185.15.59.224	A (IP address)	IN (0x0001)	false
Oct 25, 2024 12:33:40.339426994 CEST	1.1.1.1	192.168.2.4	0x76aa	No error (0)	youtube-ui.l.google.com		142.250.185.174	A (IP address)	IN (0x0001)	false
Oct 25, 2024 12:33:40.339426994 CEST	1.1.1.1	192.168.2.4	0x76aa	No error (0)	youtube-ui.l.google.com		172.217.18.14	A (IP address)	IN (0x0001)	false
Oct 25, 2024 12:33:40.339426994 CEST	1.1.1.1	192.168.2.4	0x76aa	No error (0)	youtube-ui.l.google.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Oct 25, 2024 12:33:40.339426994 CEST	1.1.1.1	192.168.2.4	0x76aa	No error (0)	youtube-ui.l.google.com		142.250.186.174	A (IP address)	IN (0x0001)	false
Oct 25, 2024 12:33:40.339426994 CEST	1.1.1.1	192.168.2.4	0x76aa	No error (0)	youtube-ui.l.google.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Oct 25, 2024 12:33:40.339426994 CEST	1.1.1.1	192.168.2.4	0x76aa	No error (0)	youtube-ui.l.google.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Oct 25, 2024 12:33:40.339426994 CEST	1.1.1.1	192.168.2.4	0x76aa	No error (0)	youtube-ui.l.google.com		142.250.185.110	A (IP address)	IN (0x0001)	false
Oct 25, 2024 12:33:40.339426994 CEST	1.1.1.1	192.168.2.4	0x76aa	No error (0)	youtube-ui.l.google.com		216.58.206.78	A (IP address)	IN (0x0001)	false
Oct 25, 2024 12:33:40.339426994 CEST	1.1.1.1	192.168.2.4	0x76aa	No error (0)	youtube-ui.l.google.com		142.250.186.78	A (IP address)	IN (0x0001)	false
Oct 25, 2024 12:33:40.339426994 CEST	1.1.1.1	192.168.2.4	0x76aa	No error (0)	youtube-ui.l.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Oct 25, 2024 12:33:40.339426994 CEST	1.1.1.1	192.168.2.4	0x76aa	No error (0)	youtube-ui.l.google.com		216.58.212.142	A (IP address)	IN (0x0001)	false
Oct 25, 2024 12:33:40.339426994 CEST	1.1.1.1	192.168.2.4	0x76aa	No error (0)	youtube-ui.l.google.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Oct 25, 2024 12:33:40.339426994 CEST	1.1.1.1	192.168.2.4	0x76aa	No error (0)	youtube-ui.l.google.com		172.217.18.110	A (IP address)	IN (0x0001)	false
Oct 25, 2024 12:33:40.339426994 CEST	1.1.1.1	192.168.2.4	0x76aa	No error (0)	youtube-ui.l.google.com		142.250.186.110	A (IP address)	IN (0x0001)	false
Oct 25, 2024 12:33:40.339426994 CEST	1.1.1.1	192.168.2.4	0x76aa	No error (0)	youtube-ui.l.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Oct 25, 2024 12:33:40.339426994 CEST	1.1.1.1	192.168.2.4	0x76aa	No error (0)	youtube-ui.l.google.com		172.217.16.206	A (IP address)	IN (0x0001)	false
Oct 25, 2024 12:33:40.346986055 CEST	1.1.1.1	192.168.2.4	0xe2e3	No error (0)	dyna.wikimedia.org			28	IN (0x0001)	false
Oct 25, 2024 12:33:40.347103119 CEST	1.1.1.1	192.168.2.4	0x742	No error (0)	star-mini.c10r.facebook.com			28	IN (0x0001)	false
Oct 25, 2024 12:33:40.347659111 CEST	1.1.1.1	192.168.2.4	0xec2b	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 25, 2024 12:33:40.347659111 CEST	1.1.1.1	192.168.2.4	0xec2b	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 25, 2024 12:33:40.347659111 CEST	1.1.1.1	192.168.2.4	0xec2b	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 25, 2024 12:33:40.347659111 CEST	1.1.1.1	192.168.2.4	0xec2b	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 25, 2024 12:33:40.356415033 CEST	1.1.1.1	192.168.2.4	0x38b5	No error (0)	twitter.com		104.244.42.193	A (IP address)	IN (0x0001)	false
Oct 25, 2024 12:33:40.364660978 CEST	1.1.1.1	192.168.2.4	0x9c16	No error (0)	twitter.com		104.244.42.1	A (IP address)	IN (0x0001)	false
Oct 25, 2024 12:33:40.958219051 CEST	1.1.1.1	192.168.2.4	0xc5c4	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Oct 25, 2024 12:33:40.958219051 CEST	1.1.1.1	192.168.2.4	0xc5c4	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Oct 25, 2024 12:33:40.958219051 CEST	1.1.1.1	192.168.2.4	0xc5c4	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Oct 25, 2024 12:33:40.958219051 CEST	1.1.1.1	192.168.2.4	0xc5c4	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Oct 25, 2024 12:33:46.877871990 CEST	1.1.1.1	192.168.2.4	0x5beb	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Oct 25, 2024 12:33:46.877871990 CEST	1.1.1.1	192.168.2.4	0x5beb	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Oct 25, 2024 12:33:46.877871990 CEST	1.1.1.1	192.168.2.4	0x5beb	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Oct 25, 2024 12:33:46.877871990 CEST	1.1.1.1	192.168.2.4	0x5beb	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Oct 25, 2024 12:33:46.891951084 CEST	1.1.1.1	192.168.2.4	0x779a	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Oct 25, 2024 12:33:46.891951084 CEST	1.1.1.1	192.168.2.4	0x779a	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Oct 25, 2024 12:33:46.891951084 CEST	1.1.1.1	192.168.2.4	0x779a	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Oct 25, 2024 12:33:46.891951084 CEST	1.1.1.1	192.168.2.4	0x779a	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Oct 25, 2024 12:33:46.907493114 CEST	1.1.1.1	192.168.2.4	0xb937	No error (0)	normandy.cdn.mozilla.net	normandy-cdn.services.mozilla.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 12:33:46.907493114 CEST	1.1.1.1	192.168.2.4	0xb937	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Oct 25, 2024 12:33:46.920486927 CEST	1.1.1.1	192.168.2.4	0x2007	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Oct 25, 2024 12:33:48.153737068 CEST	1.1.1.1	192.168.2.4	0x4b8f	No error (0)	a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com	a17.rackcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 12:33:48.153737068 CEST	1.1.1.1	192.168.2.4	0x4b8f	No error (0)	a17.rackcdn.com	a17.rackcdn.com.mdc.edgesuite.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 12:33:49.032594919 CEST	1.1.1.1	192.168.2.4	0xaadf	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 25, 2024 12:34:10.407674074 CEST	1.1.1.1	192.168.2.4	0x1109	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 12:34:10.407674074 CEST	1.1.1.1	192.168.2.4	0x1109	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 25, 2024 12:34:16.809031963 CEST	1.1.1.1	192.168.2.4	0x20cc	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 25, 2024 12:34:50.409931898 CEST	1.1.1.1	192.168.2.4	0xd3da	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 25, 2024 12:34:51.073223114 CEST	1.1.1.1	192.168.2.4	0x4db5	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 12:34:51.073223114 CEST	1.1.1.1	192.168.2.4	0x4db5	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

detectportal.firefox.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49739	34.107.221.82	80	7888	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 25, 2024 12:33:21.134475946 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 25, 2024 12:33:21.756649971 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 24 Oct 2024 12:29:54 GMT Age: 79407 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49747	34.107.221.82	80	7888	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 25, 2024 12:33:22.439203978 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 25, 2024 12:33:23.039191008 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 24 Oct 2024 14:39:23 GMT Age: 71639 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 25, 2024 12:33:23.153109074 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 25, 2024 12:33:23.278681040 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 24 Oct 2024 14:39:23 GMT Age: 71640 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 25, 2024 12:33:27.876280069 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 25, 2024 12:33:28.071108103 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 24 Oct 2024 14:39:23 GMT Age: 71645 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 25, 2024 12:33:32.576970100 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 25, 2024 12:33:32.702552080 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 24 Oct 2024 14:39:23 GMT Age: 71649 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 25, 2024 12:33:35.061733961 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 25, 2024 12:33:35.186933994 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 24 Oct 2024 14:39:23 GMT Age: 71652 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 25, 2024 12:33:36.054234028 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 25, 2024 12:33:36.288574934 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 24 Oct 2024 14:39:23 GMT Age: 71653 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 25, 2024 12:33:37.687711000 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 25, 2024 12:33:37.814337969 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 24 Oct 2024 14:39:23 GMT Age: 71654 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 25, 2024 12:33:38.426996946 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 25, 2024 12:33:38.552716017 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 24 Oct 2024 14:39:23 GMT Age: 71655 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 25, 2024 12:33:39.048172951 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 25, 2024 12:33:39.192195892 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 24 Oct 2024 14:39:23 GMT Age: 71656 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 25, 2024 12:33:39.691688061 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 25, 2024 12:33:39.816884041 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 24 Oct 2024 14:39:23 GMT Age: 71656 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 25, 2024 12:33:47.610430002 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 25, 2024 12:33:47.737479925 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 24 Oct 2024 14:39:23 GMT Age: 71664 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 25, 2024 12:33:48.268625975 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 25, 2024 12:33:48.395220995 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 24 Oct 2024 14:39:23 GMT Age: 71665 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 25, 2024 12:33:49.782547951 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 25, 2024 12:33:49.907968998 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 24 Oct 2024 14:39:23 GMT Age: 71666 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 25, 2024 12:33:59.925920963 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 25, 2024 12:34:09.933042049 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 25, 2024 12:34:10.537601948 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 25, 2024 12:34:10.663080931 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 24 Oct 2024 14:39:23 GMT Age: 71687 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 25, 2024 12:34:17.624150991 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 25, 2024 12:34:17.750345945 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 24 Oct 2024 14:39:23 GMT Age: 71694 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 25, 2024 12:34:18.213505983 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 25, 2024 12:34:18.339306116 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 24 Oct 2024 14:39:23 GMT Age: 71695 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 25, 2024 12:34:19.313394070 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 25, 2024 12:34:19.439327955 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 24 Oct 2024 14:39:23 GMT Age: 71696 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 25, 2024 12:34:29.440299034 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 25, 2024 12:34:39.446937084 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 25, 2024 12:34:49.459135056 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 25, 2024 12:34:51.204905987 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 25, 2024 12:34:51.394361973 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 24 Oct 2024 14:39:23 GMT Age: 71728 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 25, 2024 12:35:01.407219887 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 25, 2024 12:35:11.418848991 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 25, 2024 12:35:21.429920912 CEST	6	OUT	Data Raw: 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49748	34.107.221.82	80	7888	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 25, 2024 12:33:22.439310074 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 25, 2024 12:33:23.037328959 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 24 Oct 2024 12:29:54 GMT Age: 79408 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 25, 2024 12:33:24.000097036 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 25, 2024 12:33:24.135653019 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 24 Oct 2024 12:29:54 GMT Age: 79410 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 25, 2024 12:33:31.460082054 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 25, 2024 12:33:31.586159945 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 24 Oct 2024 12:29:54 GMT Age: 79417 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 25, 2024 12:33:32.577974081 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 25, 2024 12:33:32.702413082 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 24 Oct 2024 12:29:54 GMT Age: 79418 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 25, 2024 12:33:35.185841084 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 25, 2024 12:33:35.310271978 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 24 Oct 2024 12:29:54 GMT Age: 79421 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 25, 2024 12:33:36.058242083 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 25, 2024 12:33:36.407777071 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 24 Oct 2024 12:29:54 GMT Age: 79422 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 25, 2024 12:33:38.299479008 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 25, 2024 12:33:38.424386978 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 24 Oct 2024 12:29:54 GMT Age: 79424 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 25, 2024 12:33:38.919266939 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 25, 2024 12:33:39.044984102 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 24 Oct 2024 12:29:54 GMT Age: 79424 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 25, 2024 12:33:39.564122915 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 25, 2024 12:33:39.688946009 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 24 Oct 2024 12:29:54 GMT Age: 79425 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 25, 2024 12:33:47.482450008 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 25, 2024 12:33:47.607455969 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 24 Oct 2024 12:29:54 GMT Age: 79433 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 25, 2024 12:33:48.141366959 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 25, 2024 12:33:48.265952110 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 24 Oct 2024 12:29:54 GMT Age: 79434 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 25, 2024 12:33:49.655149937 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 25, 2024 12:33:49.779594898 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 24 Oct 2024 12:29:54 GMT Age: 79435 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 25, 2024 12:33:59.787842035 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 25, 2024 12:34:09.801460981 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 25, 2024 12:34:10.399997950 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 25, 2024 12:34:10.524672031 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 24 Oct 2024 12:29:54 GMT Age: 79456 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 25, 2024 12:34:17.465336084 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 25, 2024 12:34:17.590094090 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 24 Oct 2024 12:29:54 GMT Age: 79463 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 25, 2024 12:34:18.084703922 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 25, 2024 12:34:18.210632086 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 24 Oct 2024 12:29:54 GMT Age: 79464 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 25, 2024 12:34:19.184801102 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 25, 2024 12:34:19.309916019 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 24 Oct 2024 12:29:54 GMT Age: 79465 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 25, 2024 12:34:29.317740917 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 25, 2024 12:34:39.331056118 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 25, 2024 12:34:49.343214989 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 25, 2024 12:34:51.063716888 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 25, 2024 12:34:51.201374054 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 24 Oct 2024 12:29:54 GMT Age: 79497 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 25, 2024 12:35:01.206742048 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 25, 2024 12:35:11.218190908 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 25, 2024 12:35:21.229299068 CEST	6	OUT	Data Raw: 00 Data Ascii:

Target ID:	0
Start time:	06:33:11
Start date:	25/10/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x210000
File size:	919'552 bytes
MD5 hash:	9CE735E919479F12BAD2322143E7F8FD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	06:33:11
Start date:	25/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM firefox.exe /T
Imagebase:	0x380000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	06:33:11
Start date:	25/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	06:33:13
Start date:	25/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM chrome.exe /T
Imagebase:	0x380000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	06:33:13
Start date:	25/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	06:33:14
Start date:	25/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM msedge.exe /T
Imagebase:	0x380000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	06:33:14
Start date:	25/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	06:33:14
Start date:	25/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM opera.exe /T
Imagebase:	0x380000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	06:33:14
Start date:	25/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	06:33:14
Start date:	25/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM brave.exe /T
Imagebase:	0x380000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	06:33:14
Start date:	25/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	06:33:14
Start date:	25/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	06:33:15
Start date:	25/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	06:33:15
Start date:	25/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	15
Start time:	06:33:16
Start date:	25/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2284 -parentBuildID 20230927232528 -prefsHandle 2212 -prefMapHandle 2204 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9360d544-258c-40b5-a705-da6290788a6c} 7888 "\\.\pipe\gecko-crash-server-pipe.7888" 149c916d910 socket
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	06:33:18
Start date:	25/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3840 -parentBuildID 20230927232528 -prefsHandle 4052 -prefMapHandle 3756 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4731ba06-e2a7-4d6f-bfe3-821b0451661e} 7888 "\\.\pipe\gecko-crash-server-pipe.7888" 149d8f2ff10 rdd
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	19
Start time:	06:33:27
Start date:	25/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5144 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 3476 -prefMapHandle 5344 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c82f3dcb-940f-40be-aa64-48f297a6d19a} 7888 "\\.\pipe\gecko-crash-server-pipe.7888" 149dafc0d10 utility
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	6.8%
Total number of Nodes:	1550
Total number of Limit Nodes:	50

Executed Functions

Function 002142DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 0021430D

Part of subcall function 00216B57: _wcslen.LIBCMT ref: 00216B6A

GetCurrentProcess.KERNEL32(?,002ACB64,00000000,?,?), ref: 00214422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00214429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00214454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00214466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00214474
FreeLibrary.KERNEL32(00000000,?,?), ref: 0021447B
GetSystemInfo.KERNEL32(?,?,?), ref: 002144A0

Strings

kernel32.dll, xrefs: 0021444F
GetNativeSystemInfo, xrefs: 00214460
|O, xrefs: 002536F8

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 8bff81ab9414dd8875c4cf462b3f75a2591af8c6a2b7923b04f446a2dd2a0be3
Instruction ID: 68e9de9a00776e5683bff418f55ec1745a0901f8ad5a6a8aa30c3b74dcd6255e
Opcode Fuzzy Hash: 8bff81ab9414dd8875c4cf462b3f75a2591af8c6a2b7923b04f446a2dd2a0be3
Instruction Fuzzy Hash: 34A103729AA2C0CFCB11DB697CCC1D87FE46B36740B1858F8E4459BA62D27049B8CB35

Function 002142A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,002150AA,?,?,00000000,00000000), ref: 002142B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,002150AA,?,?,00000000,00000000), ref: 002142C9
LoadResource.KERNEL32(?,00000000,?,?,002150AA,?,?,00000000,00000000,?,?,?,?,?,?,00214F20), ref: 002535BE
SizeofResource.KERNEL32(?,00000000,?,?,002150AA,?,?,00000000,00000000,?,?,?,?,?,?,00214F20), ref: 002535D3
LockResource.KERNEL32(002150AA,?,?,002150AA,?,?,00000000,00000000,?,?,?,?,?,?,00214F20,?), ref: 002535E6

Strings

SCRIPT, xrefs: 002142BF

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 3c3a007a9d82a40ae2ecdb9468dd287d658f4ff1312721fb95e47641610dff6a
Instruction ID: 4c6772e0a01112904648ddf7c5ed991810e88c3e49dd5a0d78ceed3861e3b646
Opcode Fuzzy Hash: 3c3a007a9d82a40ae2ecdb9468dd287d658f4ff1312721fb95e47641610dff6a
Instruction Fuzzy Hash: E1117C70210701BFE7219F65EC48F677BBAEBD6B51F20416AB80696250DF72D8508620

Function 00252BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00212B6B

Part of subcall function 00213A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,002E1418,?,00212E7F,?,?,?,00000000), ref: 00213A78

Part of subcall function 00219CB3: _wcslen.LIBCMT ref: 00219CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,002D2224), ref: 00252C10
ShellExecuteW.SHELL32(00000000,?,?,002D2224), ref: 00252C17

Strings

runas, xrefs: 00252C0B

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: fb7ac261620dc6cefda0cf499ccc18ec28d49682d6ca50f7649a8e361454483a
Instruction ID: 74a5920e7b16435ce212562375f0048da29b7add1e8c207240f1e22e3f4fc463
Opcode Fuzzy Hash: fb7ac261620dc6cefda0cf499ccc18ec28d49682d6ca50f7649a8e361454483a
Instruction Fuzzy Hash: 8511D2312283459AC704FF20E855AEEB7E99BB6314F44042EB182121A2CF709AFD8B52

Function 0027D4DC Relevance: 6.1, APIs: 4, Instructions: 86
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0027D501
Process32FirstW.KERNEL32(00000000,?), ref: 0027D50F
Process32NextW.KERNEL32(00000000,?), ref: 0027D52F
CloseHandle.KERNELBASE(00000000), ref: 0027D5DC

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 84794726a7c770d7eabdc098b7ab7a6c4111a67b03534495c1fd9cb336c74079
Instruction ID: abb2b818f8819aaf9d5fab4aae4e601b745bdeb950678d6c0ebf3b36626b2c99
Opcode Fuzzy Hash: 84794726a7c770d7eabdc098b7ab7a6c4111a67b03534495c1fd9cb336c74079
Instruction Fuzzy Hash: 4431D171118301AFD300EF54D895AAFBBF8EFA9344F50492DF589831A1EF719998CB92

Function 0027DBBE Relevance: 6.0, APIs: 4, Instructions: 29
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(?,00255222), ref: 0027DBCE
GetFileAttributesW.KERNELBASE(?), ref: 0027DBDD
FindFirstFileW.KERNEL32(?,?), ref: 0027DBEE
FindClose.KERNEL32(00000000), ref: 0027DBFA

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: d50cf9d9a4fe128cbc04b4fa34061f538d8182da2342d906374d3719878cfdbe
Instruction ID: 6a4f542907c364cb615c4039386603e1615a41298cb9ea2bdbac143ecb656bf0
Opcode Fuzzy Hash: d50cf9d9a4fe128cbc04b4fa34061f538d8182da2342d906374d3719878cfdbe
Instruction Fuzzy Hash: 45F0E5308209105782216F7CBC0D8AA37BC9E02334BA0870BF83AC20F0EFB05D64C6D5

Function 00234CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(002428E9,?,00234CBE,002428E9,002D88B8,0000000C,00234E15,002428E9,00000002,00000000,?,002428E9), ref: 00234D09
TerminateProcess.KERNEL32(00000000,?,00234CBE,002428E9,002D88B8,0000000C,00234E15,002428E9,00000002,00000000,?,002428E9), ref: 00234D10
ExitProcess.KERNEL32 ref: 00234D22

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 6af6fb33caa57ee31b15f0e870a26a7b9b468ecbadae8905e0eca8a5625c773f
Instruction ID: edf255b932748bfdb168af83c11c90475531751bd2a6083585b8f88cb655af18
Opcode Fuzzy Hash: 6af6fb33caa57ee31b15f0e870a26a7b9b468ecbadae8905e0eca8a5625c773f
Instruction Fuzzy Hash: FEE0B671010149ABCF11BF54ED0DA593B69EB46781F204094FC099A132CF35ED62CE80

Function 0021BF40 Relevance: 2.4, Strings: 1, Instructions: 1178COMMON

Download Yara Rule

Strings

p#., xrefs: 002607CE

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: BuffCharUpper
String ID: p#.
API String ID: 3964851224-3385838572
Opcode ID: b0a9db2ec1735f748cd5b8258a7d96d8fb7d68bc565947a30cca2da25658056f
Instruction ID: d3eed617f1dad90ca229d7e4e65ad672f0cec6183a3d5deab3b21966c7fa4ca7
Opcode Fuzzy Hash: b0a9db2ec1735f748cd5b8258a7d96d8fb7d68bc565947a30cca2da25658056f
Instruction Fuzzy Hash: 71A279746283419FD714CF24C480B6AB7E1BF99304F24896DE89A8B352D771ECA5CF92

Function 0029AFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 0029B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0029B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0029B1D4
_wcslen.LIBCMT ref: 0029B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0029B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0029B236
_wcslen.LIBCMT ref: 0029B332

Part of subcall function 002805A7: GetStdHandle.KERNEL32(000000F6), ref: 002805C6

_wcslen.LIBCMT ref: 0029B34B
_wcslen.LIBCMT ref: 0029B366
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0029B3B6
GetLastError.KERNEL32(00000000), ref: 0029B407
CloseHandle.KERNEL32(?), ref: 0029B439
CloseHandle.KERNEL32(00000000), ref: 0029B44A
CloseHandle.KERNEL32(00000000), ref: 0029B45C
CloseHandle.KERNEL32(00000000), ref: 0029B46E
CloseHandle.KERNEL32(?), ref: 0029B4E3

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 5c4a7649c65e748bd9900975c7af7b1d85d46440952b7ef814dff1f23d3f6bdc
Instruction ID: 324effe7ccc403362b01b2e6b38f347f7ed58c57cc297531a4ce008427428db0
Opcode Fuzzy Hash: 5c4a7649c65e748bd9900975c7af7b1d85d46440952b7ef814dff1f23d3f6bdc
Instruction Fuzzy Hash: 3EF1BE316243419FCB15EF24D991B6EBBE5AF85310F14845DF8898B2A2DB31EC64CF92

Function 0021D730 Relevance: 21.6, APIs: 14, Instructions: 624windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 0021D807
timeGetTime.WINMM ref: 0021DA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0021DB28
TranslateMessage.USER32(?), ref: 0021DB7B
DispatchMessageW.USER32(?), ref: 0021DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0021DB9F
Sleep.KERNELBASE(0000000A), ref: 0021DBB1

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 01b1d7cfc392f928544bbb28b68fb2accb899162fe0ef2c2386c04f9ff54b15f
Instruction ID: a206443a3d4ab2e7828e1aaf01771210fd04037baf12e35386840df738cda6ca
Opcode Fuzzy Hash: 01b1d7cfc392f928544bbb28b68fb2accb899162fe0ef2c2386c04f9ff54b15f
Instruction Fuzzy Hash: 4B42F430628742DFD729CF24C888BAAB7E4BF55304F14455DE4968B291D7B4E8E8CF92

Function 00212CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00212D07
RegisterClassExW.USER32(00000030), ref: 00212D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00212D42
InitCommonControlsEx.COMCTL32(?), ref: 00212D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00212D6F
LoadIconW.USER32(000000A9), ref: 00212D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00212D94

Strings

+, xrefs: 00212CF0
TaskbarCreated, xrefs: 00212D37
0, xrefs: 00212CE9
AutoIt v3 GUI, xrefs: 00212D23

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 24a3af4d6f0f9da16408cfe15e6fdc7eec3952081f5bd4802dc2bcbca6a7b1a9
Instruction ID: 5823bec68cf755554668ad8dc071430e82fff3e1ff8f9d91a4fc792db9fcca21
Opcode Fuzzy Hash: 24a3af4d6f0f9da16408cfe15e6fdc7eec3952081f5bd4802dc2bcbca6a7b1a9
Instruction Fuzzy Hash: C421B4B5951258AFDB00DFA4FC89BDDBBB8FB09700F10412AE511AA2A0DBB545548F91

Function 0025065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0025039A: CreateFileW.KERNELBASE(00000000,00000000,?,00250704,?,?,00000000,?,00250704,00000000,0000000C), ref: 002503B7

GetLastError.KERNEL32 ref: 0025076F
__dosmaperr.LIBCMT ref: 00250776
GetFileType.KERNELBASE(00000000), ref: 00250782
GetLastError.KERNEL32 ref: 0025078C
__dosmaperr.LIBCMT ref: 00250795
CloseHandle.KERNEL32(00000000), ref: 002507B5
CloseHandle.KERNEL32(?), ref: 002508FF
GetLastError.KERNEL32 ref: 00250931
__dosmaperr.LIBCMT ref: 00250938

Strings

H, xrefs: 002508BD

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 2a0e1a1ecbbe2bf190547002b9d1cdd371920f28310cb10ee78ac247e6450a24
Instruction ID: 136cc8579d319c3c2704e33a553655abfc9a2bcdab72d88c5a02bbb4b61934fa
Opcode Fuzzy Hash: 2a0e1a1ecbbe2bf190547002b9d1cdd371920f28310cb10ee78ac247e6450a24
Instruction Fuzzy Hash: 73A15732A201058FDF19AF68ECD5BAE7BA0AB06321F140159FC159F391CB309C27CB95

Function 0021344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00213A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,002E1418,?,00212E7F,?,?,?,00000000), ref: 00213A78

Part of subcall function 00213357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00213379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 0021356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0025318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 002531CE
RegCloseKey.ADVAPI32(?), ref: 00253210
_wcslen.LIBCMT ref: 00253277
_wcslen.LIBCMT ref: 00253286

Strings

Include, xrefs: 00253184, 002531C5
\Include\, xrefs: 00213527
\, xrefs: 0025328C
Software\AutoIt v3\AutoIt, xrefs: 00213560

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: f73f934368dbcdc3c1f3e6d94ec3c789b758720951fc5a29a08dc7ff90dea4f5
Instruction ID: 44921d6cc36a0688bde9f6072997bca40cfc4684e654de199ecbc8b724ecdc79
Opcode Fuzzy Hash: f73f934368dbcdc3c1f3e6d94ec3c789b758720951fc5a29a08dc7ff90dea4f5
Instruction Fuzzy Hash: 03717C71464341DEC314EF65EC869ABBBE8FF95340F40046EF94697160EB709A98CFA1

Function 00212B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00212B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00212B9D
LoadIconW.USER32(00000063), ref: 00212BB3
LoadIconW.USER32(000000A4), ref: 00212BC5
LoadIconW.USER32(000000A2), ref: 00212BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00212BEF
RegisterClassExW.USER32(?), ref: 00212C40

Part of subcall function 00212CD4: GetSysColorBrush.USER32(0000000F), ref: 00212D07
Part of subcall function 00212CD4: RegisterClassExW.USER32(00000030), ref: 00212D31
Part of subcall function 00212CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00212D42
Part of subcall function 00212CD4: InitCommonControlsEx.COMCTL32(?), ref: 00212D5F
Part of subcall function 00212CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00212D6F
Part of subcall function 00212CD4: LoadIconW.USER32(000000A9), ref: 00212D85
Part of subcall function 00212CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00212D94

Strings

#, xrefs: 00212C16
0, xrefs: 00212C0F
AutoIt v3, xrefs: 00212C2F

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 387310914000a3554992066173608bf09ce5dbba6a35befa13b671e4a6694a63
Instruction ID: 22a79f6a61331cee4103f334d4b4d8cc9e728f7cded628fd2b947214ff8bbf1b
Opcode Fuzzy Hash: 387310914000a3554992066173608bf09ce5dbba6a35befa13b671e4a6694a63
Instruction Fuzzy Hash: 0E210C75E90354ABDB109F95FC9DAADBFB4FB48B50F1000AAE500AA6A0D7B11560CF90

Function 00213170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,0021316A,?,?), ref: 002131D8
KillTimer.USER32(?,00000001,?,?,?,?,?,0021316A,?,?), ref: 00213204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00213227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,0021316A,?,?), ref: 00213232
CreatePopupMenu.USER32 ref: 00213246
PostQuitMessage.USER32(00000000), ref: 00213267

Strings

TaskbarCreated, xrefs: 0021322D

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 58b15798369ead9ad3d4c7925f2ae13fcc04e10b53866cf3ae3e6b01f4b20943
Instruction ID: 583b74827b2b6ab0e39cb760329395792c70764ff370d0d7a9a71e6593739b5d
Opcode Fuzzy Hash: 58b15798369ead9ad3d4c7925f2ae13fcc04e10b53866cf3ae3e6b01f4b20943
Instruction Fuzzy Hash: D04118312B0245A7DB15AF78AC4DBF936DAE726340F140135F906852E1CBB19EF49BA1

Function 00211410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00211459
CoUninitialize.COMBASE ref: 002114F8
UnregisterHotKey.USER32(?), ref: 002116DD
DestroyWindow.USER32(?), ref: 002524B9
FreeLibrary.KERNEL32(?), ref: 0025251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0025254B

Strings

close all, xrefs: 00211454

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 44714ad11443abf562f25e87aed5692495274c277e106fe51c359b57ea841db7
Instruction ID: b41c93daa9cdd087f747ec850bb0df38dd3aea529df270c077a6685c79dbaac2
Opcode Fuzzy Hash: 44714ad11443abf562f25e87aed5692495274c277e106fe51c359b57ea841db7
Instruction Fuzzy Hash: 4FD1BD30721222CFCB19EF14C599B69F7A4BF16700F6441ADE94A6B291DB30AC7ACF54

Function 00212C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00212C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00212CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00211CAD,?), ref: 00212CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00211CAD,?), ref: 00212CCF

Strings

edit, xrefs: 00212CAC
AutoIt v3, xrefs: 00212C89, 00212C8E, 00212C8F

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: be5c15d4343972d6f7f5d2a026ab279b493098584cd8e405c86a37ed04497b8a
Instruction ID: 0515c94cba2769057f4efad9c8dae9e3b6ff773fb6c8cca9fae3f403127e53d2
Opcode Fuzzy Hash: be5c15d4343972d6f7f5d2a026ab279b493098584cd8e405c86a37ed04497b8a
Instruction Fuzzy Hash: 31F0DA755802D07BEB311717BC8CE776FBDD7C7F50B1000AAF900AA5A0C6711861DAB0

Function 00213B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00213B0F,SwapMouseButtons,00000004,?), ref: 00213B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00213B0F,SwapMouseButtons,00000004,?), ref: 00213B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00213B0F,SwapMouseButtons,00000004,?), ref: 00213B83

Strings

Control Panel\Mouse, xrefs: 00213B3E

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: fc28918cf4dbf8bcebf709989fae1f49deb6b7d1613504cbcce4a49d33dfd76a
Instruction ID: 63d65937bec4ac696d65e6d35c5ce4df387746fdf52b08e9acf0c0de9932a7ee
Opcode Fuzzy Hash: fc28918cf4dbf8bcebf709989fae1f49deb6b7d1613504cbcce4a49d33dfd76a
Instruction Fuzzy Hash: 04115AB1524209FFDB20CFA4DC48AEFB7F9EF11748B104469A805D7210E6319F949760

Function 00213923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 002533A2

Part of subcall function 00216B57: _wcslen.LIBCMT ref: 00216B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00213A04

Strings

Line: , xrefs: 002533EB

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 8ab130890dc5b23f9fa6801ad47ffdbaea416462d16604af0f3ce09e66c5269e
Instruction ID: a7084db38a39b34c6b0b6184a99146213df29897856c01a05ba43bf50eb35fcb
Opcode Fuzzy Hash: 8ab130890dc5b23f9fa6801ad47ffdbaea416462d16604af0f3ce09e66c5269e
Instruction Fuzzy Hash: 9831C371468344AAC321EF20EC49BEFB7D8AF54710F10456AF59993191DB709AA8CBC6

Function 00212DE3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00252C8C

Part of subcall function 00213AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00213A97,?,?,00212E7F,?,?,?,00000000), ref: 00213AC2

Part of subcall function 00212DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00212DC4

Strings

`e-, xrefs: 00252C85
X, xrefs: 00252C5A

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X$`e-
API String ID: 779396738-4103291849
Opcode ID: 54abb68aaba519649c14ae3e3b646b693d2128993dc2e226e9098f71448a8f32
Instruction ID: 1e07cd88ba7b0adc5977d5da939ede8118732a9a7b16b4c745f60f474521c986
Opcode Fuzzy Hash: 54abb68aaba519649c14ae3e3b646b693d2128993dc2e226e9098f71448a8f32
Instruction Fuzzy Hash: 0A21D570A20298DFCB01EF94D849BEE7BF8AF59305F00405AE405B7241DBB49AAD8F61

Function 0022FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00230668

Part of subcall function 002332A4: RaiseException.KERNEL32(?,?,?,0023068A,?,002E1444,?,?,?,?,?,?,0023068A,00211129,002D8738,00211129), ref: 00233304

__CxxThrowException@8.LIBVCRUNTIME ref: 00230685

Strings

Unknown exception, xrefs: 00230692

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 715207dc3da3bdeded64e31151b60b67563e0bb397b4cc9c63206883733c9590
Instruction ID: 3ffd39be4ae7ac3ef376eca598717b9e55711b0b404cca2784b28193419f5991
Opcode Fuzzy Hash: 715207dc3da3bdeded64e31151b60b67563e0bb397b4cc9c63206883733c9590
Instruction Fuzzy Hash: F7F0AFA492020E77CB00BAA4E896C9E777C6E01310FA04571B92496595EF71EA758D90

Function 002110F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00211BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00211BF4
Part of subcall function 00211BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00211BFC
Part of subcall function 00211BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00211C07
Part of subcall function 00211BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00211C12
Part of subcall function 00211BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00211C1A
Part of subcall function 00211BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00211C22

Part of subcall function 00211B4A: RegisterWindowMessageW.USER32(00000004,?,002112C4), ref: 00211BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0021136A
OleInitialize.OLE32 ref: 00211388
CloseHandle.KERNEL32(00000000,00000000), ref: 002524AB

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: dd0d5f70f9c04b4e0552ab05cf0977672bf1653a8b2cfc95a3ce42f96e9a7806
Instruction ID: 72f124cb969b68c8d878e80284faf51f5e7100ccc51fa12bdbbbb25446a5c5fe
Opcode Fuzzy Hash: dd0d5f70f9c04b4e0552ab05cf0977672bf1653a8b2cfc95a3ce42f96e9a7806
Instruction Fuzzy Hash: 2F7180B49A13C18FD784DF7AB9C96A93AE4FB99344394413AD40ACB3A1EB3044B5CF51

Function 0027C161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00213923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00213A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0027C259
KillTimer.USER32(?,00000001,?,?), ref: 0027C261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0027C270

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: 446f84002e7d3d55100f8d837716f27ecb5a872c0e298f70539146f77fda0921
Instruction ID: 62b9d35f70e8adc5705e42b5c6ca67a8901f67235ddaa72e3a2cd84ea49214b5
Opcode Fuzzy Hash: 446f84002e7d3d55100f8d837716f27ecb5a872c0e298f70539146f77fda0921
Instruction Fuzzy Hash: C431B170914354AFEB22CF749899BE7BBECAB06304F10449ED69EA7242C7745A84CB51

Function 002486AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,002485CC,?,002D8CC8,0000000C), ref: 00248704
GetLastError.KERNEL32(?,002485CC,?,002D8CC8,0000000C), ref: 0024870E
__dosmaperr.LIBCMT ref: 00248739

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: 877e8e73f19cacfde6eca087cc69cde6959f722039de1d3664405e2ce45a220a
Instruction ID: 2951c5aef96608812d10f05161ea9d973d640253f2745b4340211f5dbdd56c3e
Opcode Fuzzy Hash: 877e8e73f19cacfde6eca087cc69cde6959f722039de1d3664405e2ce45a220a
Instruction Fuzzy Hash: D8012B33A3567027D6AD6A346889B7E6B4D4B82774F3A0199F9188B1D3DEA0CCE18550

Function 0021DB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 0021DB7B
DispatchMessageW.USER32(?), ref: 0021DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0021DB9F
Sleep.KERNELBASE(0000000A), ref: 0021DBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 00261CC9

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: 1a05b768851b0b1b39e6403e40e21f0e6d3f7e2903c2304527ce184168782be3
Instruction ID: 47f8ddb5008d944c4fbdd4ad4a3a479de928022c792e25035eb9bec039f5c8cc
Opcode Fuzzy Hash: 1a05b768851b0b1b39e6403e40e21f0e6d3f7e2903c2304527ce184168782be3
Instruction Fuzzy Hash: F0F05430554341DBE730CB609C49FDA73ECEB55310F504525E60A830C0DF30A4A4DB16

Function 00221310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 002217F6

Strings

CALL, xrefs: 002217C6

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 986dc2abfe9973f3efda327520b8d0140d040a0b03265fa909fb4b8efb92ae5d
Instruction ID: b2c8e2e3669a21f9443cfc41d016cfc244b4f6a8ee6dd5c5cb3e6ddf07d7e77b
Opcode Fuzzy Hash: 986dc2abfe9973f3efda327520b8d0140d040a0b03265fa909fb4b8efb92ae5d
Instruction Fuzzy Hash: 78229970628212AFC714DF54E484E2ABBF1AF95304F64896DF4868B361D771E8B1CF82

Function 00213837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00213908

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 94eabaf00cb47e20b69eb58860424d1e47586f8afe1b51d3eede61c095445f46
Instruction ID: 1e7caa32de71dde219151310583f75739e5ede4b272ffaa2f13507e3632cfa55
Opcode Fuzzy Hash: 94eabaf00cb47e20b69eb58860424d1e47586f8afe1b51d3eede61c095445f46
Instruction Fuzzy Hash: 9331A2B0614301DFD721DF24D8887D7BBE8FB59708F00096EF99997240E7B1AAA4CB52

Function 0022F645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0022F661

Part of subcall function 0021D730: GetInputState.USER32 ref: 0021D807

Sleep.KERNEL32(00000000), ref: 0026F2DE

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: d2d998b95fca61cf050d0e6a46638ec45d11695061da01d508b12408d4c62166
Instruction ID: 45e511ebc22d55315f671e13244018e16818282309131207a16ed27e584bc442
Opcode Fuzzy Hash: d2d998b95fca61cf050d0e6a46638ec45d11695061da01d508b12408d4c62166
Instruction Fuzzy Hash: E4F08C31250215AFD354EF79E949BAAB7F9EF56760F00002AE859C72A0EB70A850CF90

Function 00214ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00214E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00214EDD,?,002E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00214E9C
Part of subcall function 00214E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00214EAE
Part of subcall function 00214E90: FreeLibrary.KERNEL32(00000000,?,?,00214EDD,?,002E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00214EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,002E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00214EFD

Part of subcall function 00214E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00253CDE,?,002E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00214E62
Part of subcall function 00214E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00214E74
Part of subcall function 00214E59: FreeLibrary.KERNEL32(00000000,?,?,00253CDE,?,002E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00214E87

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 05c16a90b64dafc0dad753ef26673ccc65a1c3de36107b3a9f72864e8e63831c
Instruction ID: 60601c0bad47d4fcdeab0b26c271062d35323dfb2e89f5523c83089a4d7d3f15
Opcode Fuzzy Hash: 05c16a90b64dafc0dad753ef26673ccc65a1c3de36107b3a9f72864e8e63831c
Instruction Fuzzy Hash: 92110431630205ABCF10FF60D802BEE77E49F60715F20442AF446AA2C1DE749AA59B50

Function 00248402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00248440

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 9b1e20d357f84c23ab3ec0187accd54887513bafd4253588253ead5b7e52d57e
Instruction ID: 167ca451bf2fd2b699cc7c70644c00b6d8462be1a6639173d1422cde69389a47
Opcode Fuzzy Hash: 9b1e20d357f84c23ab3ec0187accd54887513bafd4253588253ead5b7e52d57e
Instruction Fuzzy Hash: AB11187591410AAFCB09DF58E98199E7BF5EF48314F144059FC08AB312DA31EA21CBA5

Function 00245000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00244C7D: RtlAllocateHeap.NTDLL(00000008,00211129,00000000,?,00242E29,00000001,00000364,?,?,?,0023F2DE,00243863,002E1444,?,0022FDF5,?), ref: 00244CBE

_free.LIBCMT ref: 0024506C

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: 2eb01e6a4d5cc4336b4406e2eaa475b9bd2dab29ca5adf5d84162f8952053c47
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: A6012676214705ABE3258E65D881A9AFBE9FB89370F65051DE1C483281EA70A805CAB4

Function 0023E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 9d218cd255104d0fb51b36a3b63983385fe35861ca83565b73faad6888678638
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: 32F028B2530A14D7DF353E6A9C06B5B339C9F52335F12071AF920971D2CB70D8298EA5

Function 00244C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00211129,00000000,?,00242E29,00000001,00000364,?,?,?,0023F2DE,00243863,002E1444,?,0022FDF5,?), ref: 00244CBE

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: d2f429c324d6b89c9db48833917326ade2f70f6d96fb8e115661ea9532ae79fc
Instruction ID: 2ea184a8c0d6286883addbcfdac7195d847100242985dd379999a348518bb76b
Opcode Fuzzy Hash: d2f429c324d6b89c9db48833917326ade2f70f6d96fb8e115661ea9532ae79fc
Instruction Fuzzy Hash: 0EF0E931632225A7DB297F62EC89B5B3788BF417A1F1C4123FC19AA190CA70D8304AE0

Function 00243820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,002E1444,?,0022FDF5,?,?,0021A976,00000010,002E1440,002113FC,?,002113C6,?,00211129), ref: 00243852

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 32d4f6a24b633776fa06f48f4e94b4a8e46a33ca6f6607cdce7cd02d738112c2
Instruction ID: 185ad9c37776bcef0ee58cd49e8f00a044a8b51f54b9963bd98912fdc0ff493f
Opcode Fuzzy Hash: 32d4f6a24b633776fa06f48f4e94b4a8e46a33ca6f6607cdce7cd02d738112c2
Instruction Fuzzy Hash: 36E02B3253022697D735BE77AC04B9BB74AAF427B0F150032BC1496490DB61ED3189E0

Function 00214F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,002E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00214F6D

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 5a3750ff484e68faafd7134df16130e564832ab61d2e6c911a167d3ca13f9306
Instruction ID: 4aa9761a5f0506d43a5ae5df6848478c1409a65839848d995dee946fe344f535
Opcode Fuzzy Hash: 5a3750ff484e68faafd7134df16130e564832ab61d2e6c911a167d3ca13f9306
Instruction Fuzzy Hash: 6AF0A070125302CFCB34AF20D490892B7E4FF20319320897EE1DE86A10C7319899DF00

Function 002A2A55 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 002A2A66

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: b99a6a60f16164f56166bbd49650451e7b11d0fd01fa2519dc059432b40af5f1
Instruction ID: 01f1014828da1a720c6b299f08a10f8abe263cc148b0df1036af06c12bdcbb50
Opcode Fuzzy Hash: b99a6a60f16164f56166bbd49650451e7b11d0fd01fa2519dc059432b40af5f1
Instruction Fuzzy Hash: AAE04F36371216EFC754FA34EC809FA735CEB51395B104536AD2AD2141DF3099B99AA0

Function 002130F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 0021314E

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: ec7ff2ac3fdc1883173dda95054bcf20432b96a2e65f62429106a9a838e19a97
Instruction ID: 6189a945b664f9fc33328d7ee180d8784d6f0f891e5d5d5f7b5c34a4164c8c1e
Opcode Fuzzy Hash: ec7ff2ac3fdc1883173dda95054bcf20432b96a2e65f62429106a9a838e19a97
Instruction Fuzzy Hash: 14F03770A543549FE752DF24EC897D57BFCA705708F0000E5A54896191DB7457D8CF51

Function 00212DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00212DC4

Part of subcall function 00216B57: _wcslen.LIBCMT ref: 00216B6A

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 7e502d757d682a90ac21ed3f62666d674ffb5639456cf943fbb9903ebd32d7b3
Instruction ID: 27301cd435283ad3238cc8fab5b61120867e6bed3f134b9e35397e03bd5c5815
Opcode Fuzzy Hash: 7e502d757d682a90ac21ed3f62666d674ffb5639456cf943fbb9903ebd32d7b3
Instruction Fuzzy Hash: E1E0CD726042245BC72092589C09FEA77DDDFC8790F050071FD09E7248D970AD948950

Function 00212B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00213837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00213908

Part of subcall function 0021D730: GetInputState.USER32 ref: 0021D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00212B6B

Part of subcall function 002130F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 0021314E

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 0945fc1684743a0cd1520fd6e67c1a3fa652e24cb051a38958dd266e45f1b126
Instruction ID: 779b4a871edb0532a56f7e0c205b4a1a660b2f01f1aac0f523ad737b3d7ae1cb
Opcode Fuzzy Hash: 0945fc1684743a0cd1520fd6e67c1a3fa652e24cb051a38958dd266e45f1b126
Instruction Fuzzy Hash: F7E0263132424403CA04FB30B8565EDA3DA8BF5311F40043EF142872A2CE208AF94B52

Function 0025039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00250704,?,?,00000000,?,00250704,00000000,0000000C), ref: 002503B7

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: ea445002bde49c3bab3b454ef7d9199a287928bad6714478596c5aa06edc7ead
Instruction ID: baf01df59aeb1f0ddb872ee9a0a888fd997e8c638a3b74c3c9c3c5667d799167
Opcode Fuzzy Hash: ea445002bde49c3bab3b454ef7d9199a287928bad6714478596c5aa06edc7ead
Instruction Fuzzy Hash: 34D06C3214020DBBDF028F84ED06EDA3BAAFB48714F114000BE1856020CB36E821AB90

Function 00211CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00211CBC

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 9d8edaa66bf0d57f85305a81de76b189912025cc34347705034425a56d15a6a1
Instruction ID: b8d2a3d7b9bf0a8ebf5aab62fa176ab5279e0799d613d512b71a994a616bb274
Opcode Fuzzy Hash: 9d8edaa66bf0d57f85305a81de76b189912025cc34347705034425a56d15a6a1
Instruction Fuzzy Hash: CBC09B352C0344DFF2144780BD8EF107754E348B00F944001F6097D5E3C7B11820D650

Non-executed Functions

Function 002A9576 Relevance: 74.1, APIs: 39, Strings: 3, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00229BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00229BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 002A961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 002A965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 002A969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 002A96C9
SendMessageW.USER32 ref: 002A96F2
GetKeyState.USER32(00000011), ref: 002A978B
GetKeyState.USER32(00000009), ref: 002A9798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 002A97AE
GetKeyState.USER32(00000010), ref: 002A97B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 002A97E9
SendMessageW.USER32 ref: 002A9810
SendMessageW.USER32(?,00001030,?,002A7E95), ref: 002A9918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 002A992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 002A9941
SetCapture.USER32(?), ref: 002A994A
ClientToScreen.USER32(?,?), ref: 002A99AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 002A99BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 002A99D6
ReleaseCapture.USER32 ref: 002A99E1
GetCursorPos.USER32(?), ref: 002A9A19
ScreenToClient.USER32(?,?), ref: 002A9A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 002A9A80
SendMessageW.USER32 ref: 002A9AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 002A9AEB
SendMessageW.USER32 ref: 002A9B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 002A9B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 002A9B4A
GetCursorPos.USER32(?), ref: 002A9B68
ScreenToClient.USER32(?,?), ref: 002A9B75
GetParent.USER32(?), ref: 002A9B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 002A9BFA
SendMessageW.USER32 ref: 002A9C2B
ClientToScreen.USER32(?,?), ref: 002A9C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 002A9CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 002A9CDE
SendMessageW.USER32 ref: 002A9D01
ClientToScreen.USER32(?,?), ref: 002A9D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 002A9D82

Part of subcall function 00229944: GetWindowLongW.USER32(?,000000EB), ref: 00229952

GetWindowLongW.USER32(?,000000F0), ref: 002A9E05

Strings

p#., xrefs: 002A9990
@GUI_DRAGID, xrefs: 002A997D
F, xrefs: 002A9D07

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F$p#.
API String ID: 3429851547-937396290
Opcode ID: a1a5f1595924ff8359a1c2b7bfb224fd3781551a97604a58a576c8cadaa1e73a
Instruction ID: 6afb493ba5878830b353c114947476335c2776e8426238414fad6b4f180f3f4c
Opcode Fuzzy Hash: a1a5f1595924ff8359a1c2b7bfb224fd3781551a97604a58a576c8cadaa1e73a
Instruction Fuzzy Hash: 3D42AF34614241AFD724CF25DC88EAABBE9FF8A710F200619F659872A1DB71D8B4CF51

Function 002A4873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 002A48F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 002A4908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 002A4927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 002A494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 002A495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 002A497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 002A49AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 002A49D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 002A4A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 002A4A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 002A4A7E
IsMenu.USER32(?), ref: 002A4A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 002A4AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 002A4B20
GetWindowLongW.USER32(?,000000F0), ref: 002A4B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 002A4BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 002A4C82
wsprintfW.USER32 ref: 002A4CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 002A4CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 002A4CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 002A4D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 002A4D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 002A4D5A

Strings

%d/%02d/%02d, xrefs: 002A4CA8

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 53dd1b2a1e2571d4647a73cd274378dd56744a1a7c23eaff7dcf731fd1152ff5
Instruction ID: 95699d8ac82c11b9496c22f32373367133e119846621792dd646ee06b18a2513
Opcode Fuzzy Hash: 53dd1b2a1e2571d4647a73cd274378dd56744a1a7c23eaff7dcf731fd1152ff5
Instruction Fuzzy Hash: CA120231620215AFEB25AF24DC49FAE7BF8AF86710F104129F915EA2E1DFB4D950CB50

Function 0022F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 0022F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0026F474
IsIconic.USER32(00000000), ref: 0026F47D
ShowWindow.USER32(00000000,00000009), ref: 0026F48A
SetForegroundWindow.USER32(00000000), ref: 0026F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0026F4AA
GetCurrentThreadId.KERNEL32 ref: 0026F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0026F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 0026F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0026F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0026F4DE
SetForegroundWindow.USER32(00000000), ref: 0026F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 0026F4F6
keybd_event.USER32(00000012,00000000), ref: 0026F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 0026F50B
keybd_event.USER32(00000012,00000000), ref: 0026F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 0026F519
keybd_event.USER32(00000012,00000000), ref: 0026F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 0026F528
keybd_event.USER32(00000012,00000000), ref: 0026F52D
SetForegroundWindow.USER32(00000000), ref: 0026F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 0026F557

Strings

Shell_TrayWnd, xrefs: 0026F46F

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: afa36b9fd4189ff6c69c8206e7344af2c5506cbc171225bf1f539748a85a0742
Instruction ID: 2ed562cbe86142a877f1c3d2525f5205a6bac9966ea00637ee42536400f6d613
Opcode Fuzzy Hash: afa36b9fd4189ff6c69c8206e7344af2c5506cbc171225bf1f539748a85a0742
Instruction Fuzzy Hash: 35313E71A50218BBEF206FB56D4AFBF7E6CEB45B50F200065FA01F61D1CAB15D50AA60

Function 00271201 Relevance: 40.5, APIs: 19, Strings: 4, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 002716C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0027170D
Part of subcall function 002716C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0027173A
Part of subcall function 002716C3: GetLastError.KERNEL32 ref: 0027174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00271286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 002712A8
CloseHandle.KERNEL32(?), ref: 002712B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 002712D1
GetProcessWindowStation.USER32 ref: 002712EA
SetProcessWindowStation.USER32(00000000), ref: 002712F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00271310

Part of subcall function 002710BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,002711FC), ref: 002710D4
Part of subcall function 002710BF: CloseHandle.KERNEL32(?,?,002711FC), ref: 002710E9

Strings

Z-, xrefs: 00271392
default, xrefs: 0027130B
, xrefs: 0027125A
winsta0, xrefs: 002712CC

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0$Z-
API String ID: 22674027-3054849001
Opcode ID: 9bd530b82798496b6aaa67c59a9b3d977d1447c93785df6c9bacc9333a67c673
Instruction ID: 6cd19b745ef50f7d26400e0bfd3eacf1f0120e0859a5cedc86557a29380135d7
Opcode Fuzzy Hash: 9bd530b82798496b6aaa67c59a9b3d977d1447c93785df6c9bacc9333a67c673
Instruction Fuzzy Hash: 5281AF7191020AAFDF219FA8DC49FEE7BB9EF05704F148129F918A61A0DB708964CF60

Function 00270B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 002710F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00271114
Part of subcall function 002710F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00270B9B,?,?,?), ref: 00271120
Part of subcall function 002710F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00270B9B,?,?,?), ref: 0027112F
Part of subcall function 002710F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00270B9B,?,?,?), ref: 00271136
Part of subcall function 002710F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0027114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00270BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00270C00
GetLengthSid.ADVAPI32(?), ref: 00270C17
GetAce.ADVAPI32(?,00000000,?), ref: 00270C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00270C6D
GetLengthSid.ADVAPI32(?), ref: 00270C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00270C8C
HeapAlloc.KERNEL32(00000000), ref: 00270C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00270CB4
CopySid.ADVAPI32(00000000), ref: 00270CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00270CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00270D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00270D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00270D45
HeapFree.KERNEL32(00000000), ref: 00270D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00270D55
HeapFree.KERNEL32(00000000), ref: 00270D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00270D65
HeapFree.KERNEL32(00000000), ref: 00270D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00270D78
HeapFree.KERNEL32(00000000), ref: 00270D7F

Part of subcall function 00271193: GetProcessHeap.KERNEL32(00000008,00270BB1,?,00000000,?,00270BB1,?), ref: 002711A1
Part of subcall function 00271193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00270BB1,?), ref: 002711A8
Part of subcall function 00271193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00270BB1,?), ref: 002711B7

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: b56a1218e9f42137b3874696181422bfe70dcab77d8c667182e2f3c1a2e0dc07
Instruction ID: 8ad556af6feab6ce9997c9092dc9f885812e84f4832ecaa8e5875e82bc0fe313
Opcode Fuzzy Hash: b56a1218e9f42137b3874696181422bfe70dcab77d8c667182e2f3c1a2e0dc07
Instruction Fuzzy Hash: 84715E7191020AEBDF10DFA4DC89FAEBBB8FF05310F148525F919A6291DB71A919CF60

Function 0028EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(002ACC08), ref: 0028EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 0028EB37
GetClipboardData.USER32(0000000D), ref: 0028EB43
CloseClipboard.USER32 ref: 0028EB4F
GlobalLock.KERNEL32(00000000), ref: 0028EB87
CloseClipboard.USER32 ref: 0028EB91
GlobalUnlock.KERNEL32(00000000), ref: 0028EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 0028EBC9
GetClipboardData.USER32(00000001), ref: 0028EBD1
GlobalLock.KERNEL32(00000000), ref: 0028EBE2
GlobalUnlock.KERNEL32(00000000), ref: 0028EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 0028EC38
GetClipboardData.USER32(0000000F), ref: 0028EC44
GlobalLock.KERNEL32(00000000), ref: 0028EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0028EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0028EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0028ECD2
GlobalUnlock.KERNEL32(00000000), ref: 0028ECF3
CountClipboardFormats.USER32 ref: 0028ED14
CloseClipboard.USER32 ref: 0028ED59

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: b47f3396a2949740bf5953141ccf839dd1da4066c5ccaac03a0d80e35bf0eaea
Instruction ID: c4e8d7f1e38a0d444e582051ec53179d4493905a0befa21f3a36c837d3391b7e
Opcode Fuzzy Hash: b47f3396a2949740bf5953141ccf839dd1da4066c5ccaac03a0d80e35bf0eaea
Instruction Fuzzy Hash: 3161EE782143029FD700EF20D888F6AB7E8AF95714F194519F856872E2DF30D959CFA2

Function 0028698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 002869BE
FindClose.KERNEL32(00000000), ref: 00286A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00286A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00286A75

Part of subcall function 00219CB3: _wcslen.LIBCMT ref: 00219CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00286AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00286ADF

Strings

%02d, xrefs: 00286C00, 00286C0A, 00286C5A, 00286CAA, 00286CFA, 00286D4A
%4d, xrefs: 00286BB1
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00286B32
%4d%02d%02d%02d%02d%02d, xrefs: 00286B6A
%03d, xrefs: 00286DA2

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: 6182303b19680c45ebd033aad3d48a5149a976a5d5ad1b7a5855b5681772edea
Instruction ID: 26ebaef20e0b2cc474a3bde585cf5a2f7e7243dcfe719507f80d523a83e32b60
Opcode Fuzzy Hash: 6182303b19680c45ebd033aad3d48a5149a976a5d5ad1b7a5855b5681772edea
Instruction Fuzzy Hash: 7BD16F72518300AFC314EBA0D895EAFB7ECAF98704F04492EF585D7191EB74DA94CB62

Function 00289642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00289663
GetFileAttributesW.KERNEL32(?), ref: 002896A1
SetFileAttributesW.KERNEL32(?,?), ref: 002896BB
FindNextFileW.KERNEL32(00000000,?), ref: 002896D3
FindClose.KERNEL32(00000000), ref: 002896DE
FindFirstFileW.KERNEL32(*.*,?), ref: 002896FA
SetCurrentDirectoryW.KERNEL32(?), ref: 0028974A
SetCurrentDirectoryW.KERNEL32(002D6B7C), ref: 00289768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00289772
FindClose.KERNEL32(00000000), ref: 0028977F
FindClose.KERNEL32(00000000), ref: 0028978F

Strings

*.*, xrefs: 002896F5

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: ec834186ef073b227b9ff8d162f5016e21113984b9b21b18eaab3ce1f5daa090
Instruction ID: 898ad8c9159bcd1417db76adf9115c28ffd2b12cf9da9138a4ee90a821451c81
Opcode Fuzzy Hash: ec834186ef073b227b9ff8d162f5016e21113984b9b21b18eaab3ce1f5daa090
Instruction Fuzzy Hash: AA31B47652121A6BDB10AFB4EC0CAEE77AC9F4A320F184156E805E21D0EB30DD908B54

Function 0028979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 002897BE
FindNextFileW.KERNEL32(00000000,?), ref: 00289819
FindClose.KERNEL32(00000000), ref: 00289824
FindFirstFileW.KERNEL32(*.*,?), ref: 00289840
SetCurrentDirectoryW.KERNEL32(?), ref: 00289890
SetCurrentDirectoryW.KERNEL32(002D6B7C), ref: 002898AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 002898B8
FindClose.KERNEL32(00000000), ref: 002898C5
FindClose.KERNEL32(00000000), ref: 002898D5

Part of subcall function 0027DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0027DB00

Strings

*.*, xrefs: 0028983B

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 66ba20e1027f161f2b9710a1e03a5832a7fad76275368686edbd6c6804fbda08
Instruction ID: e66f2eafcb030a3f2aaca1957fea26586a33bc54d391b60e80aa37849f2e811f
Opcode Fuzzy Hash: 66ba20e1027f161f2b9710a1e03a5832a7fad76275368686edbd6c6804fbda08
Instruction Fuzzy Hash: 7731803551261B6BEF10AFA4EC48AEE77AC9F06324F284156E814A21D0DB70DEA4CF60

Function 0029BE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0029C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0029B6AE,?,?), ref: 0029C9B5
Part of subcall function 0029C998: _wcslen.LIBCMT ref: 0029C9F1
Part of subcall function 0029C998: _wcslen.LIBCMT ref: 0029CA68
Part of subcall function 0029C998: _wcslen.LIBCMT ref: 0029CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0029BF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 0029BFA9
RegCloseKey.ADVAPI32(00000000), ref: 0029BFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0029C02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 0029C0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0029C154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0029C1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 0029C23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0029C2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0029C382
RegCloseKey.ADVAPI32(00000000), ref: 0029C38F

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: 19fd448e46c0f9991814e4930a187293ad7d570ee0f504efb6ddb174803026b1
Instruction ID: 9a5c1f8e42675193b92186e2f5290a4e3de3de21207f831a1d11b9602d400af5
Opcode Fuzzy Hash: 19fd448e46c0f9991814e4930a187293ad7d570ee0f504efb6ddb174803026b1
Instruction Fuzzy Hash: 5D026D70614201AFDB14DF28C895E2ABBE5EF89314F18849DF84ACB2A2DB31EC55CF51

Function 00288195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00288257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00288267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00288273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00288310
SetCurrentDirectoryW.KERNEL32(?), ref: 00288324
SetCurrentDirectoryW.KERNEL32(?), ref: 00288356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0028838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00288395

Strings

*.*, xrefs: 0028839B

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: b286847d7fc5135ec358afc61ead52976c4592fba277458fb64505180d8f8e8c
Instruction ID: d7ab884ca754347354850512266e8b9d9c2afa675557839a7367c8dae3a85a12
Opcode Fuzzy Hash: b286847d7fc5135ec358afc61ead52976c4592fba277458fb64505180d8f8e8c
Instruction Fuzzy Hash: FF61ACB65243459FCB10EF20C8449AEB3E8FF89310F44885EF98983251EB31E965CF92

Function 0027D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00213AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00213A97,?,?,00212E7F,?,?,?,00000000), ref: 00213AC2

Part of subcall function 0027E199: GetFileAttributesW.KERNEL32(?,0027CF95), ref: 0027E19A

FindFirstFileW.KERNEL32(?,?), ref: 0027D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0027D1DD
MoveFileW.KERNEL32(?,?), ref: 0027D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 0027D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 0027D237

Part of subcall function 0027D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0027D21C,?,?), ref: 0027D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 0027D253
FindClose.KERNEL32(00000000), ref: 0027D264

Strings

\*.*, xrefs: 0027D0CD, 0027D0D6, 0027D0EB

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 9577f4b3683aa34deebdfd575dec9ed9e4140625f7f70513cbb766a9cf8026a5
Instruction ID: a54118f6fa08ef0dd937775ea9ceac2e33192f904335ae6911637aa506b30f2c
Opcode Fuzzy Hash: 9577f4b3683aa34deebdfd575dec9ed9e4140625f7f70513cbb766a9cf8026a5
Instruction Fuzzy Hash: DA617E3181114D9BCF05EFE0D9529EDB7B5AF25300F2480A5E80A77192EB316FA9CF60

Function 0028ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0028ED91
EmptyClipboard.USER32 ref: 0028ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 0028EDAC
CloseClipboard.USER32 ref: 0028EEA3

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: fe4c36a41a3c9f4c551ce1e6a17de686481ca3eb81cbade733e65bec24517a38
Instruction ID: ee774e7a52bb267f5f7e0f8970b8b6ad821fefea6faeeb7c4a6702f44f4c2862
Opcode Fuzzy Hash: fe4c36a41a3c9f4c551ce1e6a17de686481ca3eb81cbade733e65bec24517a38
Instruction Fuzzy Hash: F841CF79215612AFD710EF15E888F19BBE5EF45328F25C099E4158B6A2CB31EC52CF90

Function 0027E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 002716C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0027170D
Part of subcall function 002716C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0027173A
Part of subcall function 002716C3: GetLastError.KERNEL32 ref: 0027174A

ExitWindowsEx.USER32(?,00000000), ref: 0027E932

Strings

@, xrefs: 0027E925
, xrefs: 0027E95C
SeShutdownPrivilege, xrefs: 0027E902
, xrefs: 0027E920

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: f9bbe3c6180fe11c4a66285237b9542f8ec5dc38336df8c6388d13cba8211ada
Instruction ID: bab577856d3a057f208f49c66238a399c7c93df93a1defbd28cc152803e8e6aa
Opcode Fuzzy Hash: f9bbe3c6180fe11c4a66285237b9542f8ec5dc38336df8c6388d13cba8211ada
Instruction Fuzzy Hash: 4901DB73630211EBEF542674AC89BBB725C9B18750F168462FE06E21D1DAB05C6086B0

Function 00291204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006), ref: 00291276
WSAGetLastError.WSOCK32 ref: 00291283
bind.WSOCK32(00000000,?,00000010), ref: 002912BA
WSAGetLastError.WSOCK32 ref: 002912C5
closesocket.WSOCK32(00000000), ref: 002912F4
listen.WSOCK32(00000000,00000005), ref: 00291303
WSAGetLastError.WSOCK32 ref: 0029130D
closesocket.WSOCK32(00000000), ref: 0029133C

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 6ce9a9f2e9f8300048b9d258b30cfbc99bb9c3ef3b3ada305ce8b08ef779e9c5
Instruction ID: 144c91d78e7858ed054b337d569a20ed7e9d946651188019e3134c7f2a5d8ab9
Opcode Fuzzy Hash: 6ce9a9f2e9f8300048b9d258b30cfbc99bb9c3ef3b3ada305ce8b08ef779e9c5
Instruction Fuzzy Hash: 1E419231A101129FDB10EF25D488B69BBF6BF46318F288198D8568F2D6C775EC91CBE1

Function 0027D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00213AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00213A97,?,?,00212E7F,?,?,?,00000000), ref: 00213AC2

Part of subcall function 0027E199: GetFileAttributesW.KERNEL32(?,0027CF95), ref: 0027E19A

FindFirstFileW.KERNEL32(?,?), ref: 0027D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 0027D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 0027D481
FindClose.KERNEL32(00000000), ref: 0027D498
FindClose.KERNEL32(00000000), ref: 0027D4A1

Strings

\*.*, xrefs: 0027D3F2

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 5ed2d4b41462922e62828f6d403b0e069f2f5dc7f4e5d9bef222cad33d2c66c0
Instruction ID: 30605bab8f5b54346aa228b64d2e8fec828e5840bfacd42620055cdb5d7f8659
Opcode Fuzzy Hash: 5ed2d4b41462922e62828f6d403b0e069f2f5dc7f4e5d9bef222cad33d2c66c0
Instruction Fuzzy Hash: 573192710283459BC300EF64D8658EF77E8BEA2310F44891DF4D552191EB30AA59DB63

Function 0024E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0024E645

Strings

1#SNAN, xrefs: 0024F844
1#QNAN, xrefs: 0024F84B
1#IND, xrefs: 0024F83D
1#INF, xrefs: 0024F852

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 6ed72740656227169ae0293a133a3de193c6c532380852a36dd952860dd02c6f
Instruction ID: b6ff2753abe119c877b8b54b1dbaa8569ebfe60bed8149c4f7c14885a5937232
Opcode Fuzzy Hash: 6ed72740656227169ae0293a133a3de193c6c532380852a36dd952860dd02c6f
Instruction Fuzzy Hash: 63C23872E246298FDF69CE289D407EAB7B5FB84304F1541EAD84DE7240E774AE918F40

Function 0028648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 002864DC
CoInitialize.OLE32(00000000), ref: 00286639
CoCreateInstance.OLE32(002AFCF8,00000000,00000001,002AFB68,?), ref: 00286650
CoUninitialize.OLE32 ref: 002868D4

Strings

.lnk, xrefs: 002864BA, 00286524, 002865E0

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 10f5b545aac0385c55835d68f96627a8810c109774c6463e03850aaf915e7639
Instruction ID: 8ca658d1ac5b6533b271f2ed024eb0b2f1bcd3f95d267cd2ce7628ed07c458d8
Opcode Fuzzy Hash: 10f5b545aac0385c55835d68f96627a8810c109774c6463e03850aaf915e7639
Instruction Fuzzy Hash: C3D17975528301AFC310EF24C8859ABB7E8FF98304F50496DF5958B2A1EB30ED59CB92

Function 002922DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 002922E8

Part of subcall function 0028E4EC: GetWindowRect.USER32(?,?), ref: 0028E504

GetDesktopWindow.USER32 ref: 00292312
GetWindowRect.USER32(00000000), ref: 00292319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00292355
GetCursorPos.USER32(?), ref: 00292381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 002923DF

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: e630619076ddf0237c2e4a92532b1fa9b20cf2bc5229e0a70a8997f0dbcdc198
Instruction ID: 92d820f0d036a023c4dcc5da5dbe189f259cc3d27733111442d398955f1ec852
Opcode Fuzzy Hash: e630619076ddf0237c2e4a92532b1fa9b20cf2bc5229e0a70a8997f0dbcdc198
Instruction Fuzzy Hash: 67310072504306AFDB20DF14DC09B5BBBADFF88310F100919F988A7181DB34EA18CB96

Function 00289B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00219CB3: _wcslen.LIBCMT ref: 00219CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00289B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00289C8B

Part of subcall function 00283874: GetInputState.USER32 ref: 002838CB
Part of subcall function 00283874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00283966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00289BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00289C75

Strings

*.*, xrefs: 00289B5D

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 585748db7f2e0e373ffd375c608d719f4b42346970729b3c2544c5373e90883a
Instruction ID: 9327834e17a9402cd89175bdf63733336818939da07d3de1ec1ec88e5bd8e1bb
Opcode Fuzzy Hash: 585748db7f2e0e373ffd375c608d719f4b42346970729b3c2544c5373e90883a
Instruction Fuzzy Hash: 7741827591120AAFCF15EFA4C849AEE7BF4EF19310F244056E805A21D1EB319EE4CF60

Function 0022997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00229BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00229BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00229A4E
GetSysColor.USER32(0000000F), ref: 00229B23
SetBkColor.GDI32(?,00000000), ref: 00229B36

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: f7527c4cc2f5d01fca5c84194e1dd5bfbc3c3da39c3370e6cf6b239299bbc8ec
Instruction ID: ed180eb8977807faedbe87c208f613336862b157d004fe6d6caae91e79b2026c
Opcode Fuzzy Hash: f7527c4cc2f5d01fca5c84194e1dd5bfbc3c3da39c3370e6cf6b239299bbc8ec
Instruction Fuzzy Hash: 07A13770138561BEE729AEACBC98E7B269DDF43304F140219F402D6591CE659DF1C671

Function 00291806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0029304E: inet_addr.WSOCK32(?), ref: 0029307A
Part of subcall function 0029304E: _wcslen.LIBCMT ref: 0029309B

socket.WSOCK32(00000002,00000002,00000011), ref: 0029185D
WSAGetLastError.WSOCK32 ref: 00291884
bind.WSOCK32(00000000,?,00000010), ref: 002918DB
WSAGetLastError.WSOCK32 ref: 002918E6
closesocket.WSOCK32(00000000), ref: 00291915

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 1188f56b3dce7620b8590e9539d5105563f02a2672fafec472f29d647be5bc9e
Instruction ID: 705ca92d50a9ba48dd23a800e0d489c1e8c94aac3178949849dd17955b047ac8
Opcode Fuzzy Hash: 1188f56b3dce7620b8590e9539d5105563f02a2672fafec472f29d647be5bc9e
Instruction Fuzzy Hash: AE51E375A10210AFEB10AF24D88AF6AB7E5AF44718F148098F9155F3D3CB71ED61CBA1

Function 002A1C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 002A1CC0
IsWindowEnabled.USER32 ref: 002A1CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 002A1CDB
IsIconic.USER32 ref: 002A1CE9
IsZoomed.USER32 ref: 002A1CF7

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 5697eadd9cd0b20ecd9243b6a08a25951b4f5077d0f8e5e44ad68a0d2906be97
Instruction ID: 317ec37c70687b41fa482f75921c61d2dd96266102fb0f451d510cabbe0aefbd
Opcode Fuzzy Hash: 5697eadd9cd0b20ecd9243b6a08a25951b4f5077d0f8e5e44ad68a0d2906be97
Instruction Fuzzy Hash: 5821E7317506119FD7208F1AD844B667BE6EF96334F28805AE846CB351CF71DC62CB91

Function 00218060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

ERCP, xrefs: 0021813C
VUUU, xrefs: 00255DF0
VUUU, xrefs: 002183FA
VUUU, xrefs: 002183E8
VUUU, xrefs: 0021843C

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 4435246b69d78788ac4040c38a2ac2c11d740a8ec452b57b5d4d55799c83ff20
Instruction ID: 9ff60f7a1cb02dc6ed5bf0175705a5daeba9c298f70dd20d45cd25dad75036fa
Opcode Fuzzy Hash: 4435246b69d78788ac4040c38a2ac2c11d740a8ec452b57b5d4d55799c83ff20
Instruction Fuzzy Hash: 80A2BF70E2021ACBDF24CF58C8947EDB3B1BB64311F64819AEC15A7284EB709DE5CB94

Function 00278298 Relevance: 6.6, APIs: 1, Strings: 3, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 002782AA

Strings

|, xrefs: 002782DA
(, xrefs: 002782F0
tb-, xrefs: 002784F4

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($tb-$|
API String ID: 1659193697-4172324640
Opcode ID: 18171fffadd44bb2d2f0a3b9e5111f68e8079da55dc3dcb3dbaa5ce35e62633b
Instruction ID: 9f0eac93659cb08195943896d1b28ce548a3453ab843949e769010ad8c030c90
Opcode Fuzzy Hash: 18171fffadd44bb2d2f0a3b9e5111f68e8079da55dc3dcb3dbaa5ce35e62633b
Instruction Fuzzy Hash: 34324774A107069FCB28CF59C08596AB7F0FF48710B15C56EE49ADB7A1EB70E951CB40

Function 0027AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0027AAAC
SetKeyboardState.USER32(00000080), ref: 0027AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0027AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0027AB88

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 4922138acab110877c0c034e6c8dd5ce254f72a1edd92a22304851d8520de795
Instruction ID: 7aaecf49d6ae20f5070db603f6d22c889290e6f01279902722b918fa04f9b398
Opcode Fuzzy Hash: 4922138acab110877c0c034e6c8dd5ce254f72a1edd92a22304851d8520de795
Instruction Fuzzy Hash: 1D311730A60209AFEB25CE64C805BFE77A6ABE5334F14D21AF189521D0D77489A1C752

Function 0024BB6F Relevance: 6.1, APIs: 4, Instructions: 90timeCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0024BB7F

Part of subcall function 002429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0024D7D1,00000000,00000000,00000000,00000000,?,0024D7F8,00000000,00000007,00000000,?,0024DBF5,00000000), ref: 002429DE
Part of subcall function 002429C8: GetLastError.KERNEL32(00000000,?,0024D7D1,00000000,00000000,00000000,00000000,?,0024D7F8,00000000,00000007,00000000,?,0024DBF5,00000000,00000000), ref: 002429F0

GetTimeZoneInformation.KERNEL32 ref: 0024BB91
WideCharToMultiByte.KERNEL32(00000000,?,002E121C,000000FF,?,0000003F,?,?), ref: 0024BC09
WideCharToMultiByte.KERNEL32(00000000,?,002E1270,000000FF,?,0000003F,?,?,?,002E121C,000000FF,?,0000003F,?,?), ref: 0024BC36

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone_free
String ID:
API String ID: 806657224-0
Opcode ID: 93ec2c40e107a9c766ccd56aa9e516fb0dd7b2d82633a8478b6199c6082e6d72
Instruction ID: b75cb83e2c3cbfc55b7d6d5938e610580fd0e6116ab5daabf365539fc7a17555
Opcode Fuzzy Hash: 93ec2c40e107a9c766ccd56aa9e516fb0dd7b2d82633a8478b6199c6082e6d72
Instruction Fuzzy Hash: 9031F370954256DFCB1ADF69ECC482DBBB8FF4631071446AAE910DB2A1D730DD61CB60

Function 0028CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 0028CE89
GetLastError.KERNEL32(?,00000000), ref: 0028CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 0028CEFE

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: 1d0da96e24f8a25df185d2efc706289027424876b09971793f4329ad4bfa4aa0
Instruction ID: 22312d17f8614a1ff785c1af202eccc6f4b075f601ad8c1bcb2639fac22ba225
Opcode Fuzzy Hash: 1d0da96e24f8a25df185d2efc706289027424876b09971793f4329ad4bfa4aa0
Instruction Fuzzy Hash: 7221CFB5521306ABEB30EF65D948BA7B7FCEB50314F20442EE646D2191EB74EE148F60

Function 00285C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00285CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00285D17
FindClose.KERNEL32(?), ref: 00285D5F

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: e88002d734bd777b80edaebdc0c8b400ac1d131049e2aced04b453208686f4cd
Instruction ID: 2b8f0068cf5bd13d5e6b4dfb87201f4a4f5f04f36a90a15b50c75e9a41db0575
Opcode Fuzzy Hash: e88002d734bd777b80edaebdc0c8b400ac1d131049e2aced04b453208686f4cd
Instruction Fuzzy Hash: 8E51BC786146029FC714DF28C484E96B7E4FF4A314F14855EE95A8B3A2CB30ED64CF91

Function 00242622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0024271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00242724
UnhandledExceptionFilter.KERNEL32(?), ref: 00242731

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 14fd6687245d2bf9667710d862eb3d2b010f8b1676dcdeb588643f7ec9c1ffbd
Instruction ID: b85e87645019ec2925a4ec7fa819e7e8a09cfbb8344e0b8862d071c02a5b5bde
Opcode Fuzzy Hash: 14fd6687245d2bf9667710d862eb3d2b010f8b1676dcdeb588643f7ec9c1ffbd
Instruction Fuzzy Hash: 6531D57491121D9BCB21DF64DD887DCBBB8AF08310F5041EAE80CA7260EB309F958F44

Function 002851CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 002851DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00285238
SetErrorMode.KERNEL32(00000000), ref: 002852A1

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 4b48a2080170cf7aacc57ba9e99d9ae6f9bb136f13e0d2ab11161ea7005eb58c
Instruction ID: 2c19c4d6e157c73c1b3dcbe50496baed4ac2797b205e95ea86fc943f998df34a
Opcode Fuzzy Hash: 4b48a2080170cf7aacc57ba9e99d9ae6f9bb136f13e0d2ab11161ea7005eb58c
Instruction Fuzzy Hash: 2B314F75A10518DFDB00DF54D888EADBBF4FF49314F148099E8099B3A6DB31E856CB50

Function 002716C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 0022FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00230668
Part of subcall function 0022FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00230685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0027170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0027173A
GetLastError.KERNEL32 ref: 0027174A

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: 7fe4089790d4e74bf9e840fc8bf9a6ed4bd8121b6f015543a2cb2fae16018fcf
Instruction ID: 71526911a19d54129504eb780207cb9ec1a28e43f6a485050dbfc168d9fb4f26
Opcode Fuzzy Hash: 7fe4089790d4e74bf9e840fc8bf9a6ed4bd8121b6f015543a2cb2fae16018fcf
Instruction Fuzzy Hash: C61191B2424305BFD7189F54EC86D6BB7BDEF45714B20C56EF05657241EB70BC618A20

Function 0027D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0027D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0027D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0027D650

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 848456fc179d357fe1ee47325f6eef4642c790e4c7b4f16ab40b5483b9492ca5
Instruction ID: fc6a81c3369f35ab7e1d606b71ed3701916a5c232774a3009e559b5874338cad
Opcode Fuzzy Hash: 848456fc179d357fe1ee47325f6eef4642c790e4c7b4f16ab40b5483b9492ca5
Instruction Fuzzy Hash: C5116175E05228BFDB108F95EC49FAFBFBCEB45B50F108155F908E7290D6704A058BA1

Function 00271663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0027168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 002716A1
FreeSid.ADVAPI32(?), ref: 002716B1

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 33c6148f5416482cb1b6e3f7bd11b0b25be6c06979b23af07ce2b0276050a46c
Instruction ID: b1d22248fbb7fedb4fa22c9e4da0302845a70e491121ee964fdd6716ed2b6a81
Opcode Fuzzy Hash: 33c6148f5416482cb1b6e3f7bd11b0b25be6c06979b23af07ce2b0276050a46c
Instruction Fuzzy Hash: 26F0F47195030DFBDB00DFE49C89AAEBBBCEB08604F608565E501E2181E774AA448A50

Function 0026D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 0026D28C

Strings

X64, xrefs: 0026D2A8

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 2ac6dc8aa9446ed32d07386747c7d0f67484d8f408d99116242a383f12f73cb9
Instruction ID: 35d64401a73fb36544bacfe4ac377f200263269887baf330721c2f331ead62e6
Opcode Fuzzy Hash: 2ac6dc8aa9446ed32d07386747c7d0f67484d8f408d99116242a383f12f73cb9
Instruction Fuzzy Hash: C3D0C9B482516DEBCB90CB90EC88DD9B37CBB04305F100151F506A2000DB7096488F10

Function 0023CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: bf09ed8c9746f99418ebe908a1f45a77062fc60f4a97dd1f4bbf4101515f712c
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: 53021DB2E102199FDF14CFA9C8806ADFBF5EF48324F25816AD819F7384D731A9518B94

Function 0021CAF0 Relevance: 3.2, Strings: 2, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 00260C40
p#., xrefs: 0021CF7F

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.$p#.
API String ID: 0-2365962978
Opcode ID: 2cb26a46ce2295552d22bd260c2ed247ab9b34166583e025f3b87ce98af46302
Instruction ID: c4bc6f724de54e7c7575e6462637e3283b11295eb3808ebc6d48451917c882fa
Opcode Fuzzy Hash: 2cb26a46ce2295552d22bd260c2ed247ab9b34166583e025f3b87ce98af46302
Instruction Fuzzy Hash: 2E32AE74960219DBCF14DF90D881AEEB7F5FF24304F20405AE806AB292D771AEA6DF50

Function 002868EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00286918
FindClose.KERNEL32(00000000), ref: 00286961

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: cb92780e3fd2d62d2ec6eb52ce89e3d25a4b76f46219c4e8d5c9fb03277b53c2
Instruction ID: 5938a820a7d811f1ca063cf194a096bf58ea478e7144e416c6e838d317ec93fc
Opcode Fuzzy Hash: cb92780e3fd2d62d2ec6eb52ce89e3d25a4b76f46219c4e8d5c9fb03277b53c2
Instruction Fuzzy Hash: E01190356142019FC710DF29D488A16BBE5FF85328F14C699E8698F7A2CB30EC55CB91

Function 002837B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00294891,?,?,00000035,?), ref: 002837E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00294891,?,?,00000035,?), ref: 002837F4

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: dc1d64555999c368520e0f2d12512daf45ca0a219d81a8cf0da919615b3fdb7a
Instruction ID: c5d6cc42b79fe6b086df1262d8e5f9467a83d855c4bafb169f1d10e1468b6bd6
Opcode Fuzzy Hash: dc1d64555999c368520e0f2d12512daf45ca0a219d81a8cf0da919615b3fdb7a
Instruction Fuzzy Hash: E3F0E5B46153292BEB2067669C4DFEB7AEEEFC5B61F000175F909D22C1D9A09D44CBB0

Function 0027B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0027B25D
keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 0027B270

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 98cafa292266ad9cb427ec8a0df8dd0f2119e0ae2296bf3a245d0df7714cdc57
Instruction ID: da59271a75e726464f8446dd9b3cc857d2fe7ff626842db19ced525ae560d42c
Opcode Fuzzy Hash: 98cafa292266ad9cb427ec8a0df8dd0f2119e0ae2296bf3a245d0df7714cdc57
Instruction Fuzzy Hash: 4EF01D7181424EABDB059FA0D805BBE7BB4FF05309F10800AF955A5192C7798611DF94

Function 002710BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,002711FC), ref: 002710D4
CloseHandle.KERNEL32(?,?,002711FC), ref: 002710E9

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: c4e4745175fe9e6f241bd09475edbdc06177417ff69e38220c65d83095a7e064
Instruction ID: eaffb27e65942f7342e1b3dcc0d55683ebf2dc44e56b8ab9721187d6ee9f48a8
Opcode Fuzzy Hash: c4e4745175fe9e6f241bd09475edbdc06177417ff69e38220c65d83095a7e064
Instruction Fuzzy Hash: 57E04F32028610BFE7252B51FD09E7377A9EF04310B20882DF4A6804B1DF626CA0DB10

Function 0024676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00246766,?,?,00000008,?,?,0024FEFE,00000000), ref: 00246998

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 8cf31f1b94a2b8d07c86ca1add1d6356ceccac56186a76c73fbcb05a1e2dc65b
Instruction ID: 08beacb2ef623bd70fdd82722c9c9645b304022442204fbb4170fa81650a91f4
Opcode Fuzzy Hash: 8cf31f1b94a2b8d07c86ca1add1d6356ceccac56186a76c73fbcb05a1e2dc65b
Instruction Fuzzy Hash: 53B18C31620609CFD719CF28C48AB647BE0FF46364F25C658E899CF2A2C375E9A5CB41

Function 0022B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 0026851F

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 3dd5f34b3248f46a47fbbd65347f5910078583e8689f94653514a5caafdcca3f
Instruction ID: 06d7625aabffd61325475633162f3145ce9230e803e39c5b8758c4d19437fdf5
Opcode Fuzzy Hash: 3dd5f34b3248f46a47fbbd65347f5910078583e8689f94653514a5caafdcca3f
Instruction Fuzzy Hash: D5127071D202299BCB25DF98D8906EEB7F5FF48310F14819AE849EB251DB709E91CF90

Function 0028EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 0028EABD

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: dd4235acb02c4dad0fe73589f4883a4abf938ce12e46a7d367ce397005ac5a12
Instruction ID: 654c9aabeada4aeefafd31a354982f1a4a929a6420f140fde3506066dacb98db
Opcode Fuzzy Hash: dd4235acb02c4dad0fe73589f4883a4abf938ce12e46a7d367ce397005ac5a12
Instruction Fuzzy Hash: 73E048352202049FC710EF59D404D9AF7EDAF98760F118416FC45C7391DB70E8518F90

Function 002309D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,002303EE), ref: 002309DA

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: ca02e44bc7d7eb8a85ddb4d5f7d139ac9f1d1ba55452736ccf3f90e736b90aee
Instruction ID: 05a9182b52d48c61eb8be5851d042debc891f78779f7f5dd471cd548cea9368e
Opcode Fuzzy Hash: ca02e44bc7d7eb8a85ddb4d5f7d139ac9f1d1ba55452736ccf3f90e736b90aee
Instruction Fuzzy Hash:

Function 0023781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 0023798B

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 6084aecbe132c824ed6addc9d39ce936c67f67ad4439630084117d0e1ec7e9aa
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: B7516CF163C7476BDF384D68445E7BE63D99B02300F180A1AE982DB282C655DE35F752

Function 00282046 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

0&., xrefs: 00282053

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID:
String ID: 0&.
API String ID: 0-3290608233
Opcode ID: e2bd9f59836ef480e1152d72a794c3f13bfcb921825691dcbc51e82ef50b11d0
Instruction ID: a2d997bc544fc6d9022ba513d93bf0a351408078762aa80738e1889bb1874412
Opcode Fuzzy Hash: e2bd9f59836ef480e1152d72a794c3f13bfcb921825691dcbc51e82ef50b11d0
Instruction Fuzzy Hash: F721EB32661611CBDB28CF79C85367E73E9A764310F15862EE4A7C77D0DE75A908CB80

Function 00246DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22f9e7defc78e6c82488fd520e517ad57900ad331f23a3ff890ef3147ed693cc
Instruction ID: 394557d48c2abf37fa427b91834f267587b5edf3527eabd23eb58cd8d0e118b5
Opcode Fuzzy Hash: 22f9e7defc78e6c82488fd520e517ad57900ad331f23a3ff890ef3147ed693cc
Instruction Fuzzy Hash: 69324522D39F024DDB279A34DC26336A64DAFB73C5F15C737E82AB59A5EB28D4834100

Function 0022CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bb18eadb11cd3972d5885ff0be33251cce0a3438de8d985364723b298362979
Instruction ID: c3c95aea608ec4dea549200be222215867ef0c57b022b54e653433f5ba90e59e
Opcode Fuzzy Hash: 9bb18eadb11cd3972d5885ff0be33251cce0a3438de8d985364723b298362979
Instruction Fuzzy Hash: B3321431A341569BCF28EFA8D49467D7BA1EB45304F38816BD4CACB2A1D630DEE1DB41

Function 00217920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 360fce51320fd589dee7f88f07f095c91f478231333b4451f0459e212afd386f
Instruction ID: ed9603bcdb7b3f70ea9d0cf7039c60b8d428bd7f6b3ceb08d9f3de4efa2f392e
Opcode Fuzzy Hash: 360fce51320fd589dee7f88f07f095c91f478231333b4451f0459e212afd386f
Instruction Fuzzy Hash: 6722E2B0A2461AEFDF04CFA4D991AEEB3F5FF54300F104129E816A7290EB359E64CB54

Function 002191C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd83c04ef3cb9eafaaa41f0472d3c29ed7f5ee312add56f43a86331fba757a94
Instruction ID: b1bd376c0d9046d0bcaad5e7f324b6e3fcde691f40c879180a4d5ff02be61bcc
Opcode Fuzzy Hash: bd83c04ef3cb9eafaaa41f0472d3c29ed7f5ee312add56f43a86331fba757a94
Instruction Fuzzy Hash: A202C4B1E20106EBDF04DF64D981AAEB7B5FF54300F118169E8169B290EB71AE74CF85

Function 00249EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f6aaf60b2c2ee0941a796f997f6bf85d24fe5bfc883916f892fd270aa3f6dac
Instruction ID: 32019fd13e645a74f010c2436450a0fe97e35052662ae313c1975851fcee57f0
Opcode Fuzzy Hash: 1f6aaf60b2c2ee0941a796f997f6bf85d24fe5bfc883916f892fd270aa3f6dac
Instruction Fuzzy Hash: 8DB1E120D2AF514DD32396399835337B69CAFBB6D5F91D71BFC2674D22EB2286834180

Function 00231C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 4c1778dfd5e0de28fdebff58a67669e063f39ade0788e3202b401bd599a12a6e
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: AE918BB35280A34ADB6D4A3E857407EFFE15A523A1B1A079ED4F2CB1C5FE14C974D620

Function 00231F32 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: 0fafb7a1f7ac68efebdc3f79bd28ef1bf99f5a1e84577216a2186ad05cce9b7c
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: 35919AB22281A34DDB6D463D853403EFFE15A923A1B1A079DD4F6CB1C5EE24C57CE620

Function 002319B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 8a573fda305b16e433452b8577e2d088c177a49760f3945882ad5b7f7c179e30
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: A19167B22290E34EDB2D4A7A857403DFFE15A923A6B1A079ED4F2CA1C1FD14C574D620

Function 00237A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3aff83a684c57745615ff1127d87380247672936c9d5234bcc30e432da11b00
Instruction ID: addd47b445f16f2540c75106c4f74d686f9c8e16dbb5d8ce36edf004243bddc5
Opcode Fuzzy Hash: b3aff83a684c57745615ff1127d87380247672936c9d5234bcc30e432da11b00
Instruction Fuzzy Hash: E46159F123870B66DE349E288895BBEA3AADF41708F14091AF843DF281DA519E72C755

Function 00237CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c24180d17b45cb3cf8b653d2c5d6b17869e136988f6952e4ea8567dce280473c
Instruction ID: 593773a6f026589c3e681a186ae6b114c92b5ac2c378828e89cdd315465a033d
Opcode Fuzzy Hash: c24180d17b45cb3cf8b653d2c5d6b17869e136988f6952e4ea8567dce280473c
Instruction Fuzzy Hash: F26168F163870F66DE389E288896BBE23989F42700F10095AF943DF281DB52DD72C655

Function 00231706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 7bc20f6363384791c3fe7021d0a7510caa14813600979fbe7c25b52ffa8a1e22
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 438188B36290A34DEB6D4A3A853453EFFE15A923A1B1E079DD4F2CB1C1EE14C574D620

Function 00292ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00292B30
DeleteObject.GDI32(00000000), ref: 00292B43
DestroyWindow.USER32 ref: 00292B52
GetDesktopWindow.USER32 ref: 00292B6D
GetWindowRect.USER32(00000000), ref: 00292B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00292CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00292CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00292CF8
GetClientRect.USER32(00000000,?), ref: 00292D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00292D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00292D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00292D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00292D80
GlobalLock.KERNEL32(00000000), ref: 00292D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00292D98
GlobalUnlock.KERNEL32(00000000), ref: 00292DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00292DA8
GlobalFree.KERNEL32(00000000), ref: 00292DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00292DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,002AFC38,00000000), ref: 00292DDB
GlobalFree.KERNEL32(00000000), ref: 00292DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00292E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00292E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00292E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0029303F

Strings

DISPLAY, xrefs: 00292EA2
, xrefs: 00292FC5
static, xrefs: 00292D3A, 00292E91
AutoIt v3, xrefs: 00292CF2

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 94aeda847545404bc020d4d7d801710af41ec4c9ea43d2ecc57d5b7591ae7634
Instruction ID: d6108907ebccb0e4b19cd132c356b75d8634b6279a0c186dbfd59285515915ee
Opcode Fuzzy Hash: 94aeda847545404bc020d4d7d801710af41ec4c9ea43d2ecc57d5b7591ae7634
Instruction Fuzzy Hash: 03028971A10205EFDB14DF64DC8DEAE7BB9EB49710F108158F915AB2A1DB70AD11CFA0

Function 002A70D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 002A712F
GetSysColorBrush.USER32(0000000F), ref: 002A7160
GetSysColor.USER32(0000000F), ref: 002A716C
SetBkColor.GDI32(?,000000FF), ref: 002A7186
SelectObject.GDI32(?,?), ref: 002A7195
InflateRect.USER32(?,000000FF,000000FF), ref: 002A71C0
GetSysColor.USER32(00000010), ref: 002A71C8
CreateSolidBrush.GDI32(00000000), ref: 002A71CF
FrameRect.USER32(?,?,00000000), ref: 002A71DE
DeleteObject.GDI32(00000000), ref: 002A71E5
InflateRect.USER32(?,000000FE,000000FE), ref: 002A7230
FillRect.USER32(?,?,?), ref: 002A7262
GetWindowLongW.USER32(?,000000F0), ref: 002A7284

Part of subcall function 002A73E8: GetSysColor.USER32(00000012), ref: 002A7421
Part of subcall function 002A73E8: SetTextColor.GDI32(?,?), ref: 002A7425
Part of subcall function 002A73E8: GetSysColorBrush.USER32(0000000F), ref: 002A743B
Part of subcall function 002A73E8: GetSysColor.USER32(0000000F), ref: 002A7446
Part of subcall function 002A73E8: GetSysColor.USER32(00000011), ref: 002A7463
Part of subcall function 002A73E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 002A7471
Part of subcall function 002A73E8: SelectObject.GDI32(?,00000000), ref: 002A7482
Part of subcall function 002A73E8: SetBkColor.GDI32(?,00000000), ref: 002A748B
Part of subcall function 002A73E8: SelectObject.GDI32(?,?), ref: 002A7498
Part of subcall function 002A73E8: InflateRect.USER32(?,000000FF,000000FF), ref: 002A74B7
Part of subcall function 002A73E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 002A74CE
Part of subcall function 002A73E8: GetWindowLongW.USER32(00000000,000000F0), ref: 002A74DB

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: e05ad90855740e16082db02aafbbe941c9f297f6d86727a4e431ccc849f1f23b
Instruction ID: fdd217266808b271caa47bff8f9fbc6d5ee379c6e4f86846829d51ce20e8517f
Opcode Fuzzy Hash: e05ad90855740e16082db02aafbbe941c9f297f6d86727a4e431ccc849f1f23b
Instruction Fuzzy Hash: 24A1A372518301AFDB009F60EC4CA5BBBE9FF4A320F200A19F966A61E1DB71E954CF51

Function 00228D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00228E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00266AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00266AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00266F43

Part of subcall function 00228F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00228BE8,?,00000000,?,?,?,?,00228BBA,00000000,?), ref: 00228FC5

SendMessageW.USER32(?,00001053), ref: 00266F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00266F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00266FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00266FB7

Strings

0, xrefs: 00266DCF

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: 3308f2f02d27b7a89766bdc5bca95e57f4c1d2e0005646d7b35ecaf4084c5529
Instruction ID: 0c0aa88ebe893425b0f352fef5591e9110af49aa4e278df52fdd9cfd8194f6f8
Opcode Fuzzy Hash: 3308f2f02d27b7a89766bdc5bca95e57f4c1d2e0005646d7b35ecaf4084c5529
Instruction Fuzzy Hash: 9D129B30621252EFD729CF24E888BA9B7E5BB45300F154469F4859B662CB72ECB1CF91

Function 00292711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 0029273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0029286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 002928A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 002928B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00292900
GetClientRect.USER32(00000000,?), ref: 0029290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00292955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00292964
GetStockObject.GDI32(00000011), ref: 00292974
SelectObject.GDI32(00000000,00000000), ref: 00292978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00292988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00292991
DeleteDC.GDI32(00000000), ref: 0029299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 002929C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 002929DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00292A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00292A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00292A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00292A77
GetStockObject.GDI32(00000011), ref: 00292A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00292A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00292A97

Strings

msctls_progress32, xrefs: 00292A13
DISPLAY, xrefs: 0029295A
static, xrefs: 0029294F, 00292A71
AutoIt v3, xrefs: 002928F8

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 1746e4c7bee64475d1df6441874c0e9b45118efccdf425d36da2c554fd58bdb9
Instruction ID: bac5c257a81756ba46d57fd5f47093f962abc43c1a62fb19206c4189af68ad81
Opcode Fuzzy Hash: 1746e4c7bee64475d1df6441874c0e9b45118efccdf425d36da2c554fd58bdb9
Instruction Fuzzy Hash: 68B16A71A50205BFEB14DFA8DC89FAEBBB9EB49710F104154F914EB290DB70AD50CBA0

Function 00284ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00284AED
GetDriveTypeW.KERNEL32(?,002ACB68,?,\\.\,002ACC08), ref: 00284BCA
SetErrorMode.KERNEL32(00000000,002ACB68,?,\\.\,002ACC08), ref: 00284D36

Strings

iSCSI, xrefs: 00284CC2
Removable, xrefs: 00284C10, 00284C15
SSA, xrefs: 00284CA6
Fibre, xrefs: 00284CAD
FileBackedVirtual, xrefs: 00284CEC
SAS, xrefs: 00284CC9
SATA, xrefs: 00284CD0
1394, xrefs: 00284C9F
RAID, xrefs: 00284CBB
SCSI, xrefs: 00284C8A
CDROM, xrefs: 00284BFB
PhysicalDrive, xrefs: 00284B76
Network, xrefs: 00284C02
Fixed, xrefs: 00284C09
ATAPI, xrefs: 00284C91
SSD, xrefs: 00284C4A
\\.\, xrefs: 00284B3F
Unknown, xrefs: 00284BED, 00284C83
ATA, xrefs: 00284C98
RAMDisk, xrefs: 00284BF4
Virtual, xrefs: 00284CE5
USB, xrefs: 00284CB4
MMC, xrefs: 00284CDE

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: d72ea061841c17183ea8a1397b178a0eb083c36dd8fc147e8b9b356a6d1dae56
Instruction ID: 49e435113685efd30c1c0a7dc7ca860ffb7ed2a165ac8215e79f9134c2f56d35
Opcode Fuzzy Hash: d72ea061841c17183ea8a1397b178a0eb083c36dd8fc147e8b9b356a6d1dae56
Instruction Fuzzy Hash: FF61A1386361079BCB04FF24DA859ACB7B5AB15304B248117F806ABBD1DBB1EDB1DB41

Function 002A73E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 002A7421
SetTextColor.GDI32(?,?), ref: 002A7425
GetSysColorBrush.USER32(0000000F), ref: 002A743B
GetSysColor.USER32(0000000F), ref: 002A7446
CreateSolidBrush.GDI32(?), ref: 002A744B
GetSysColor.USER32(00000011), ref: 002A7463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 002A7471
SelectObject.GDI32(?,00000000), ref: 002A7482
SetBkColor.GDI32(?,00000000), ref: 002A748B
SelectObject.GDI32(?,?), ref: 002A7498
InflateRect.USER32(?,000000FF,000000FF), ref: 002A74B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 002A74CE
GetWindowLongW.USER32(00000000,000000F0), ref: 002A74DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 002A752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 002A7554
InflateRect.USER32(?,000000FD,000000FD), ref: 002A7572
DrawFocusRect.USER32(?,?), ref: 002A757D
GetSysColor.USER32(00000011), ref: 002A758E
SetTextColor.GDI32(?,00000000), ref: 002A7596
DrawTextW.USER32(?,002A70F5,000000FF,?,00000000), ref: 002A75A8
SelectObject.GDI32(?,?), ref: 002A75BF
DeleteObject.GDI32(?), ref: 002A75CA
SelectObject.GDI32(?,?), ref: 002A75D0
DeleteObject.GDI32(?), ref: 002A75D5
SetTextColor.GDI32(?,?), ref: 002A75DB
SetBkColor.GDI32(?,?), ref: 002A75E5

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 17b664cc858eaaf3cacca60d72b79f331b719ea5497867193355e960a2dfd0d7
Instruction ID: 4547e5e30b8ccc175d67d895a2ef86e65e84d1ede62dcf469c232b3a286886ae
Opcode Fuzzy Hash: 17b664cc858eaaf3cacca60d72b79f331b719ea5497867193355e960a2dfd0d7
Instruction Fuzzy Hash: 83614272D04219AFDF019FA4EC49A9EBFB9EB0A320F214125F915B72A1DB749950CF90

Function 002A0FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 002A1128
GetDesktopWindow.USER32 ref: 002A113D
GetWindowRect.USER32(00000000), ref: 002A1144
GetWindowLongW.USER32(?,000000F0), ref: 002A1199
DestroyWindow.USER32(?), ref: 002A11B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 002A11ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 002A120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 002A121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 002A1232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 002A1245
IsWindowVisible.USER32(00000000), ref: 002A12A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 002A12BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 002A12D0
GetWindowRect.USER32(00000000,?), ref: 002A12E8
MonitorFromPoint.USER32(?,?,00000002), ref: 002A130E
GetMonitorInfoW.USER32(00000000,?), ref: 002A1328
CopyRect.USER32(?,?), ref: 002A133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 002A13AA

Strings

0, xrefs: 002A10D3
tooltips_class32, xrefs: 002A11E6
(, xrefs: 002A131B

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: d71d3bcf6a6d98c22667619322165dbccd4272a0ab38a4bd3ba76b57063c6a5c
Instruction ID: a5b3749c3048d22f293a331b5fde06eafa0273e7127b9c7ca269d3c62526d051
Opcode Fuzzy Hash: d71d3bcf6a6d98c22667619322165dbccd4272a0ab38a4bd3ba76b57063c6a5c
Instruction Fuzzy Hash: FCB1AF71618341AFDB04DF64C888BAABBE5FF85750F00891CF9999B261CB71E864CF91

Function 00228891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00228968
GetSystemMetrics.USER32(00000007), ref: 00228970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0022899B
GetSystemMetrics.USER32(00000008), ref: 002289A3
GetSystemMetrics.USER32(00000004), ref: 002289C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 002289E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 002289F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00228A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00228A3C
GetClientRect.USER32(00000000,000000FF), ref: 00228A5A
GetStockObject.GDI32(00000011), ref: 00228A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00228A81

Part of subcall function 0022912D: GetCursorPos.USER32(?), ref: 00229141
Part of subcall function 0022912D: ScreenToClient.USER32(00000000,?), ref: 0022915E
Part of subcall function 0022912D: GetAsyncKeyState.USER32(00000001), ref: 00229183
Part of subcall function 0022912D: GetAsyncKeyState.USER32(00000002), ref: 0022919D

SetTimer.USER32(00000000,00000000,00000028,002290FC), ref: 00228AA8

Strings

AutoIt v3 GUI, xrefs: 00228A20

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: cc827607d0186149adb94fb0107414243961cfac8e92323cad94c7f57876b4dd
Instruction ID: 7a7fcc0a8ed1031864a860ca4395e50d2558664b5b604c60393202687e13f7b3
Opcode Fuzzy Hash: cc827607d0186149adb94fb0107414243961cfac8e92323cad94c7f57876b4dd
Instruction Fuzzy Hash: 00B19431A1021AAFDF14DFA8ED49BAE7BB5FB49314F104129FA15A7290DB70E860CF51

Function 00270D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 002710F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00271114
Part of subcall function 002710F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00270B9B,?,?,?), ref: 00271120
Part of subcall function 002710F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00270B9B,?,?,?), ref: 0027112F
Part of subcall function 002710F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00270B9B,?,?,?), ref: 00271136
Part of subcall function 002710F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0027114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00270DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00270E29
GetLengthSid.ADVAPI32(?), ref: 00270E40
GetAce.ADVAPI32(?,00000000,?), ref: 00270E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00270E96
GetLengthSid.ADVAPI32(?), ref: 00270EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00270EB5
HeapAlloc.KERNEL32(00000000), ref: 00270EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00270EDD
CopySid.ADVAPI32(00000000), ref: 00270EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00270F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00270F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00270F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00270F6E
HeapFree.KERNEL32(00000000), ref: 00270F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00270F7E
HeapFree.KERNEL32(00000000), ref: 00270F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00270F8E
HeapFree.KERNEL32(00000000), ref: 00270F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00270FA1
HeapFree.KERNEL32(00000000), ref: 00270FA8

Part of subcall function 00271193: GetProcessHeap.KERNEL32(00000008,00270BB1,?,00000000,?,00270BB1,?), ref: 002711A1
Part of subcall function 00271193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00270BB1,?), ref: 002711A8
Part of subcall function 00271193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00270BB1,?), ref: 002711B7

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: e61ee62df7f33dd50d98223172a4eb210eb6d96617847ba3ffc2b680a38765bd
Instruction ID: 1d795297315acf2962ef11c496b97356100dee1137cd7a5ff72595dca4a504c8
Opcode Fuzzy Hash: e61ee62df7f33dd50d98223172a4eb210eb6d96617847ba3ffc2b680a38765bd
Instruction Fuzzy Hash: 9C716E7191021AEBDF20DFA4EC88FAEBBB8BF05300F148125F919E6191DB719919CB61

Function 0029C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0029C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,002ACC08,00000000,?,00000000,?,?), ref: 0029C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0029C5A4
_wcslen.LIBCMT ref: 0029C5F4
_wcslen.LIBCMT ref: 0029C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0029C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0029C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0029C84D
RegCloseKey.ADVAPI32(?), ref: 0029C881
RegCloseKey.ADVAPI32(00000000), ref: 0029C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0029C960

Strings

REG_BINARY, xrefs: 0029C913
REG_EXPAND_SZ, xrefs: 0029C5CD
REG_QWORD, xrefs: 0029C8C3
REG_DWORD, xrefs: 0029C804
REG_SZ, xrefs: 0029C644
REG_MULTI_SZ, xrefs: 0029C6F5

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: c68fd3715de819f1b8f096d258954bb9c0a77b297b2456447f8ed0d77be28025
Instruction ID: bc53d1bece745d437f9c3d87394c5ef348b64b13f724bc2a3bf3c68f2c06f937
Opcode Fuzzy Hash: c68fd3715de819f1b8f096d258954bb9c0a77b297b2456447f8ed0d77be28025
Instruction Fuzzy Hash: 5D126975624201AFDB14DF14C891A6AB7E5FF88714F24889DF84A9B3A2DB31EC51CF81

Function 002A091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 002A09C6
_wcslen.LIBCMT ref: 002A0A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 002A0A54
_wcslen.LIBCMT ref: 002A0A8A
_wcslen.LIBCMT ref: 002A0B06
_wcslen.LIBCMT ref: 002A0B81

Part of subcall function 0022F9F2: _wcslen.LIBCMT ref: 0022F9FD

Part of subcall function 00272BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00272BFA

Strings

EXPAND, xrefs: 002A0BF8
EXISTS, xrefs: 002A0B7C, 002A0B97
COLLAPSE, xrefs: 002A0B01, 002A0B1C
ISCHECKED, xrefs: 002A0CE1
GETTOTALCOUNT, xrefs: 002A09F2, 002A0A17
SELECT, xrefs: 002A0D11
GETTEXT, xrefs: 002A0C97
GETITEMCOUNT, xrefs: 002A0C1E
CHECK, xrefs: 002A0A85, 002A0AA0
UNCHECK, xrefs: 002A0D3E
GETSELECTED, xrefs: 002A0C4E

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 046a0039f77dad810612c624190e9aeed3daae4b4d85a2e6f8c9e4a5a7a65ca1
Instruction ID: bad0adc9d1ca42052266afc48aeb5a5765d4cd994a8cec6cf376a9944d7bae5a
Opcode Fuzzy Hash: 046a0039f77dad810612c624190e9aeed3daae4b4d85a2e6f8c9e4a5a7a65ca1
Instruction Fuzzy Hash: E9E1BE312287029FC714DF24C49096AB7E2FF99318F50895DF8969B362DB30ED65CB81

Function 0029C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0029B6AE,?,?), ref: 0029C9B5
_wcslen.LIBCMT ref: 0029C9F1
_wcslen.LIBCMT ref: 0029CA68
_wcslen.LIBCMT ref: 0029CA9E
_wcslen.LIBCMT ref: 0029CAF9
_wcslen.LIBCMT ref: 0029CB2F
_wcslen.LIBCMT ref: 0029CB7F

Strings

HKEY_USERS, xrefs: 0029CBDF
HKCC, xrefs: 0029CBAC
HKEY_CURRENT_CONFIG, xrefs: 0029CB79, 0029CB7E
HKEY_LOCAL_MACHINE, xrefs: 0029CA62, 0029CA67
HKLM, xrefs: 0029CA98, 0029CA9D
HKEY_CURRENT_USER, xrefs: 0029CBBD
HKCU, xrefs: 0029CBCE
HKEY_CLASSES_ROOT, xrefs: 0029CAF3, 0029CAF8
HKCR, xrefs: 0029CB29, 0029CB2E
HKU, xrefs: 0029CBF0

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: ca2f198b571b90a29993baf9eee17895be6787ed350c4cdc14d8b42efcbda7fa
Instruction ID: d79311edaeef25bf258846a4e62d8c34360a987ea3fe6922b8630ac58cbf9a8e
Opcode Fuzzy Hash: ca2f198b571b90a29993baf9eee17895be6787ed350c4cdc14d8b42efcbda7fa
Instruction Fuzzy Hash: A871F13263016B8BCF20DE78CD516BE33A5AB61764B310529F8569B284EA34CDB087A0

Function 002A833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 002A835A
_wcslen.LIBCMT ref: 002A836E
_wcslen.LIBCMT ref: 002A8391
_wcslen.LIBCMT ref: 002A83B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 002A83F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,002A361A,?), ref: 002A844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 002A8487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 002A84CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 002A8501
FreeLibrary.KERNEL32(?), ref: 002A850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 002A851D
DestroyIcon.USER32(?), ref: 002A852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 002A8549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 002A8555

Strings

.dll, xrefs: 002A83AB
.icl, xrefs: 002A8368
.exe, xrefs: 002A8388

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: ccc58cbbd4a7c0ee9c3a70181e651254ef74c5bbd1a978f56eeb0da2178355b3
Instruction ID: 08a0999c315db1da34758f70c8079a1b1e0c529c64eefaa7673a2a1a77a94d77
Opcode Fuzzy Hash: ccc58cbbd4a7c0ee9c3a70181e651254ef74c5bbd1a978f56eeb0da2178355b3
Instruction Fuzzy Hash: CB61F171920206BFEB14DF64DC45BBE77A8BB09720F20454AF815D60D0EF74A9A0CBA0

Function 00217778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#comments-start, xrefs: 0021785F, 002178B1
#cs, xrefs: 00217873, 002178C5
#include-once, xrefs: 0021782F
#pragma compile, xrefs: 002177D3
#notrayicon, xrefs: 002177E7
', xrefs: 00255169
#ce, xrefs: 002178ED
#include, xrefs: 00217847
#requireadmin, xrefs: 002177FF
#comments-end, xrefs: 002178D9
Unterminated group of comments, xrefs: 0025528C
", xrefs: 00255153
Cannot parse #include, xrefs: 00255279
#OnAutoItStartRegister, xrefs: 00217817
Bad directive syntax error, xrefs: 0025519A

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: b246f4745285fe5dde02a5378e964a31bd34fa365858d5d1bde9d25c7dfd257f
Instruction ID: 8bb385504df6c2d408d60d681070677c86e20679b17567812f58cf1bada41b7d
Opcode Fuzzy Hash: b246f4745285fe5dde02a5378e964a31bd34fa365858d5d1bde9d25c7dfd257f
Instruction Fuzzy Hash: 1A811AB1634616BBDB20AF60DC52FEE77B8AF65300F044025FC05AA192EB70D9B5CB95

Function 00283E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00283EF8
_wcslen.LIBCMT ref: 00283F03
_wcslen.LIBCMT ref: 00283F5A
_wcslen.LIBCMT ref: 00283F98
GetDriveTypeW.KERNEL32(?), ref: 00283FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0028401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00284059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00284087

Strings

wait, xrefs: 00284044
close cd wait, xrefs: 00284072
type cdaudio alias cd wait, xrefs: 00284001
open, xrefs: 00283F54, 00283F59
open , xrefs: 00283FE5
set cd door , xrefs: 00284028
close, xrefs: 00283EFE, 00283F18
closed, xrefs: 00283F08, 00283F2D, 00283F46, 00283F7E, 00283F97

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: dbd21949fea58b3aae76e753861763b024be4e8d404a607f0150ba7ddc027b71
Instruction ID: 674ff6fb7e979d772b4ce0c9407f827cac168450e6c7647bb271c2b33bb5e03a
Opcode Fuzzy Hash: dbd21949fea58b3aae76e753861763b024be4e8d404a607f0150ba7ddc027b71
Instruction Fuzzy Hash: B871D3356242029FC310EF24C8849AFB7F4EFA4758F10492EF99597291EB31EDA5CB91

Function 00275A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00275A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00275A40
SetWindowTextW.USER32(?,?), ref: 00275A57
GetDlgItem.USER32(?,000003EA), ref: 00275A6C
SetWindowTextW.USER32(00000000,?), ref: 00275A72
GetDlgItem.USER32(?,000003E9), ref: 00275A82
SetWindowTextW.USER32(00000000,?), ref: 00275A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00275AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00275AC3
GetWindowRect.USER32(?,?), ref: 00275ACC
_wcslen.LIBCMT ref: 00275B33
SetWindowTextW.USER32(?,?), ref: 00275B6F
GetDesktopWindow.USER32 ref: 00275B75
GetWindowRect.USER32(00000000), ref: 00275B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00275BD3
GetClientRect.USER32(?,?), ref: 00275BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00275C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00275C2F

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 15b4bea4e3e5913f85eea933395a0a7da4e558606bbebfb43e490d2f8020c540
Instruction ID: d41f7e699adcc81910b43ff26984e1b520080339488911793bf92755801f1025
Opcode Fuzzy Hash: 15b4bea4e3e5913f85eea933395a0a7da4e558606bbebfb43e490d2f8020c540
Instruction Fuzzy Hash: 2B718F31910B169FDB20DFA8CE89A6EFBF5FF48704F104918E146A25A4DBB4E954CB50

Function 0028FE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 0028FE27
LoadCursorW.USER32(00000000,00007F8A), ref: 0028FE32
LoadCursorW.USER32(00000000,00007F00), ref: 0028FE3D
LoadCursorW.USER32(00000000,00007F03), ref: 0028FE48
LoadCursorW.USER32(00000000,00007F8B), ref: 0028FE53
LoadCursorW.USER32(00000000,00007F01), ref: 0028FE5E
LoadCursorW.USER32(00000000,00007F81), ref: 0028FE69
LoadCursorW.USER32(00000000,00007F88), ref: 0028FE74
LoadCursorW.USER32(00000000,00007F80), ref: 0028FE7F
LoadCursorW.USER32(00000000,00007F86), ref: 0028FE8A
LoadCursorW.USER32(00000000,00007F83), ref: 0028FE95
LoadCursorW.USER32(00000000,00007F85), ref: 0028FEA0
LoadCursorW.USER32(00000000,00007F82), ref: 0028FEAB
LoadCursorW.USER32(00000000,00007F84), ref: 0028FEB6
LoadCursorW.USER32(00000000,00007F04), ref: 0028FEC1
LoadCursorW.USER32(00000000,00007F02), ref: 0028FECC
GetCursorInfo.USER32(?), ref: 0028FEDC
GetLastError.KERNEL32 ref: 0028FF1E

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 1deec5d31c0ddbc37ece251380160670e568ed3cbaf04a84c8d2ef3744bfc469
Instruction ID: ec00c287c9fa33591220f9edbe219b717c27a684da4a481f10b429a224344ffb
Opcode Fuzzy Hash: 1deec5d31c0ddbc37ece251380160670e568ed3cbaf04a84c8d2ef3744bfc469
Instruction Fuzzy Hash: CE4161B0D4531A6ADB109FBA8C8985EBFE8FF04754B50452AE119E76C1DB78A9018F90

Function 002730F7 Relevance: 26.6, APIs: 8, Strings: 7, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0027318D
_wcslen.LIBCMT ref: 002731F8

Strings

CLASS, xrefs: 00273188, 002731A5
NAME, xrefs: 00273335, 00273346
INSTANCE, xrefs: 00273453
REGEXPCLASS, xrefs: 00273255, 00273266
TEXT, xrefs: 0027347C
[-, xrefs: 0027339A
CLASSNN, xrefs: 002731F3, 00273204

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT$[-
API String ID: 176396367-2782989067
Opcode ID: a8d03c097fa8f9dcacd1aaacb39fe9e46ef6c5d46d34acde549e0aba1448760d
Instruction ID: 0057a52ae77a3b08bd53fb1b0b938f817a95becdb1dcd3611180b804383d141b
Opcode Fuzzy Hash: a8d03c097fa8f9dcacd1aaacb39fe9e46ef6c5d46d34acde549e0aba1448760d
Instruction Fuzzy Hash: 7FE11832A20527ABCB18DF74C4517EEBBB4BF14710F54C11AE45AE7240DB70AEA5ABD0

Function 002300C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 002300C6

Part of subcall function 002300ED: InitializeCriticalSectionAndSpinCount.KERNEL32(002E070C,00000FA0,D705ACEC,?,?,?,?,002523B3,000000FF), ref: 0023011C
Part of subcall function 002300ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,002523B3,000000FF), ref: 00230127
Part of subcall function 002300ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,002523B3,000000FF), ref: 00230138
Part of subcall function 002300ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0023014E
Part of subcall function 002300ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0023015C
Part of subcall function 002300ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0023016A
Part of subcall function 002300ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00230195
Part of subcall function 002300ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 002301A0

___scrt_fastfail.LIBCMT ref: 002300E7

Part of subcall function 002300A3: __onexit.LIBCMT ref: 002300A9

Strings

WakeAllConditionVariable, xrefs: 00230162
kernel32.dll, xrefs: 00230133
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00230122
SleepConditionVariableCS, xrefs: 00230154
InitializeConditionVariable, xrefs: 00230148

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: fa0e87ac4a6c13fe6964c6287df77e391b5cefd33a6fadea6da58a9dd9963dce
Instruction ID: 650d5c7266ae241d57b9e084f0d562d3f387c9220813e87e9eba07d307de1cb3
Opcode Fuzzy Hash: fa0e87ac4a6c13fe6964c6287df77e391b5cefd33a6fadea6da58a9dd9963dce
Instruction Fuzzy Hash: 4F2129B2A60711AFD7216FE4BD9DB2A73A4DB07F51F100136F809A6291DFB49C108AB0

Function 002844C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,002ACC08), ref: 00284527
_wcslen.LIBCMT ref: 0028453B
_wcslen.LIBCMT ref: 00284599
_wcslen.LIBCMT ref: 002845F4
_wcslen.LIBCMT ref: 0028463F
_wcslen.LIBCMT ref: 002846A7

Part of subcall function 0022F9F2: _wcslen.LIBCMT ref: 0022F9FD

GetDriveTypeW.KERNEL32(?,002D6BF0,00000061), ref: 00284743

Strings

ramdisk, xrefs: 002846F1
removable, xrefs: 002845EA, 002845EF
fixed, xrefs: 00284635, 0028463A
cdrom, xrefs: 0028458F, 00284594
all, xrefs: 00284531, 00284536
unknown, xrefs: 00284708
network, xrefs: 0028469D, 002846A2

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 38a0523525d179e4d43406b31e58583d5652806f25065c2a5d50d90eb8e5ca29
Instruction ID: 397e21eace12467cf7cec3e3302f5e48e11789c1abc417bb34b584191b253efa
Opcode Fuzzy Hash: 38a0523525d179e4d43406b31e58583d5652806f25065c2a5d50d90eb8e5ca29
Instruction Fuzzy Hash: D7B1E2396293139BC710FF28C890A6EB7E5AFA5724F50491DF496C72D1E730E8A4CB52

Function 002A911E Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00229BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00229BB2

DragQueryPoint.SHELL32(?,?), ref: 002A9147

Part of subcall function 002A7674: ClientToScreen.USER32(?,?), ref: 002A769A
Part of subcall function 002A7674: GetWindowRect.USER32(?,?), ref: 002A7710
Part of subcall function 002A7674: PtInRect.USER32(?,?,002A8B89), ref: 002A7720

SendMessageW.USER32(?,000000B0,?,?), ref: 002A91B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 002A91BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 002A91DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 002A9225
SendMessageW.USER32(?,000000B0,?,?), ref: 002A923E
SendMessageW.USER32(?,000000B1,?,?), ref: 002A9255
SendMessageW.USER32(?,000000B1,?,?), ref: 002A9277
DragFinish.SHELL32(?), ref: 002A927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 002A9371

Strings

@GUI_DRAGFILE, xrefs: 002A9320
p#., xrefs: 002A92BB
@GUI_DRAGID, xrefs: 002A92E9
@GUI_DROPID, xrefs: 002A929E

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$p#.
API String ID: 221274066-2896109970
Opcode ID: 5afe16ada1c67c4d2da95db5202d950a541a0656af9a0159232ba9451bd466f4
Instruction ID: 43e7a5fdc3afe843aa3625655be0f2be8a1f476594546150be3b29169ed35d74
Opcode Fuzzy Hash: 5afe16ada1c67c4d2da95db5202d950a541a0656af9a0159232ba9451bd466f4
Instruction Fuzzy Hash: 2561AD71118301AFC704DF50DC89DAFBBE8EF9A750F10092EF595921A1DB309AA9CF92

Function 0021326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(002E1990), ref: 00252F8D
GetMenuItemCount.USER32(002E1990), ref: 0025303D
GetCursorPos.USER32(?), ref: 00253081
SetForegroundWindow.USER32(00000000), ref: 0025308A
TrackPopupMenuEx.USER32(002E1990,00000000,?,00000000,00000000,00000000), ref: 0025309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 002530A9

Strings

0, xrefs: 0021327D

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: a2c00cafa8abb7be370887ed6d447ade745293757a72d223793430fa0d5b5484
Instruction ID: 747551c488b771fbf0bed2cf8c2990110014b0351d9ebe2ef30ef0927cf037a1
Opcode Fuzzy Hash: a2c00cafa8abb7be370887ed6d447ade745293757a72d223793430fa0d5b5484
Instruction Fuzzy Hash: 5171F670664206BFEB21DF24DC49F9ABFA5FF02364F204216F915661D0C7B1AD68CB54

Function 002A6CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 002A6DEB

Part of subcall function 00216B57: _wcslen.LIBCMT ref: 00216B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 002A6E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 002A6E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 002A6E94
DestroyWindow.USER32(?), ref: 002A6EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00210000,00000000), ref: 002A6EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 002A6EFD
GetDesktopWindow.USER32 ref: 002A6F16
GetWindowRect.USER32(00000000), ref: 002A6F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 002A6F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 002A6F4D

Part of subcall function 00229944: GetWindowLongW.USER32(?,000000EB), ref: 00229952

Strings

0, xrefs: 002A6D98
tooltips_class32, xrefs: 002A6E58, 002A6EDD

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 69f154183a6bbb63fd1ac22ae6ab45ba0f76b49be54f78814564d4b982303431
Instruction ID: 940f4628625e9d6c068c69b799d4ca50cfef78d90aa17f476df5d2c427c8cbfa
Opcode Fuzzy Hash: 69f154183a6bbb63fd1ac22ae6ab45ba0f76b49be54f78814564d4b982303431
Instruction Fuzzy Hash: 5E717A70154245AFDB25CF18EC48FAABBE9FB8A704F18041DF999C72A1CB70A965CB11

Function 0028C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0028C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0028C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0028C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0028C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0028C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0028C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0028C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0028C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0028C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0028C5F0
InternetCloseHandle.WININET(00000000), ref: 0028C5FB

Strings

, xrefs: 0028C575

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 6b930c949d92825ea1014823eb115156774a3fe86c6d1220cc4305bfff42fd79
Instruction ID: 1da63c4212332422591b74ff5d8e0d8ed97db875fa0324c9c5e34415ac61f9c5
Opcode Fuzzy Hash: 6b930c949d92825ea1014823eb115156774a3fe86c6d1220cc4305bfff42fd79
Instruction Fuzzy Hash: 4B518DB4111205BFDB21AF60DD48AAB7BFCFF09354F20441AF945A6690DB34E9549B70

Function 002A856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 002A8592
GetFileSize.KERNEL32(00000000,00000000), ref: 002A85A2
GlobalAlloc.KERNEL32(00000002,00000000), ref: 002A85AD
CloseHandle.KERNEL32(00000000), ref: 002A85BA
GlobalLock.KERNEL32(00000000), ref: 002A85C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 002A85D7
GlobalUnlock.KERNEL32(00000000), ref: 002A85E0
CloseHandle.KERNEL32(00000000), ref: 002A85E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 002A85F8
OleLoadPicture.OLEAUT32(?,00000000,00000000,002AFC38,?), ref: 002A8611
GlobalFree.KERNEL32(00000000), ref: 002A8621
GetObjectW.GDI32(?,00000018,000000FF), ref: 002A8641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 002A8671
DeleteObject.GDI32(00000000), ref: 002A8699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 002A86AF

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 7b3ad6e432c2a4a18c19344ed5e24507156edafecc9868ffd2d8a05df8015821
Instruction ID: 26bcb3858562aaa66f9513b03acbf8916c2b3ebda65f9301a71187a12694e2ba
Opcode Fuzzy Hash: 7b3ad6e432c2a4a18c19344ed5e24507156edafecc9868ffd2d8a05df8015821
Instruction Fuzzy Hash: 0F41E675600209AFDB119FA5DC4CEAA7BBCEB8AB11F244059F909E7260DF709911CB60

Function 002814BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00281502
VariantCopy.OLEAUT32(?,?), ref: 0028150B
VariantClear.OLEAUT32(?), ref: 00281517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 002815FB
VarR8FromDec.OLEAUT32(?,?), ref: 00281657
VariantInit.OLEAUT32(?), ref: 00281708
SysFreeString.OLEAUT32(?), ref: 0028178C
VariantClear.OLEAUT32(?), ref: 002817D8
VariantClear.OLEAUT32(?), ref: 002817E7
VariantInit.OLEAUT32(00000000), ref: 00281823

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00281625
Default, xrefs: 002816AF

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 1c93caa7951fb441d06fa16f2941fbd21f9b16e27bc4cc81d407eeae0f7ecebc
Instruction ID: a16ab7a19080fab41a03e38465f35426b62feb623462d7b6335a588a275393f9
Opcode Fuzzy Hash: 1c93caa7951fb441d06fa16f2941fbd21f9b16e27bc4cc81d407eeae0f7ecebc
Instruction Fuzzy Hash: CBD12336A21111EBDB10AF64E884B7DB7B9BF46700F64806AF446AB1C0DB74EC72DB51

Function 0029B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00219CB3: _wcslen.LIBCMT ref: 00219CBD

Part of subcall function 0029C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0029B6AE,?,?), ref: 0029C9B5
Part of subcall function 0029C998: _wcslen.LIBCMT ref: 0029C9F1
Part of subcall function 0029C998: _wcslen.LIBCMT ref: 0029CA68
Part of subcall function 0029C998: _wcslen.LIBCMT ref: 0029CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0029B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0029B772
RegDeleteValueW.ADVAPI32(?,?), ref: 0029B80A
RegCloseKey.ADVAPI32(?), ref: 0029B87E
RegCloseKey.ADVAPI32(?), ref: 0029B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 0029B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0029B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 0029B922
FreeLibrary.KERNEL32(00000000), ref: 0029B983
RegCloseKey.ADVAPI32(00000000), ref: 0029B994

Strings

advapi32.dll, xrefs: 0029B8ED
RegDeleteKeyExW, xrefs: 0029B8FE

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 79a26237770e3b9a511611c69ad78d5ba99e02434bc5bafd9e005e2447d196c5
Instruction ID: 81d5ce16dd4192800b818cb28e4171a7e8df9904c530d323a4731867a97efea1
Opcode Fuzzy Hash: 79a26237770e3b9a511611c69ad78d5ba99e02434bc5bafd9e005e2447d196c5
Instruction Fuzzy Hash: 0DC1BF34224202AFDB11DF14D594F6ABBE5BF84308F14859CF59A4B2A2CB71EC95CF91

Function 0029255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 002925D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 002925E8
CreateCompatibleDC.GDI32(?), ref: 002925F4
SelectObject.GDI32(00000000,?), ref: 00292601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0029266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 002926AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 002926D0
SelectObject.GDI32(?,?), ref: 002926D8
DeleteObject.GDI32(?), ref: 002926E1
DeleteDC.GDI32(?), ref: 002926E8
ReleaseDC.USER32(00000000,?), ref: 002926F3

Strings

(, xrefs: 0029268D

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 49f4d9ccc868b27b6bf3ca982b2621a501c5a7f34c434bdc8ac11d4e72c9d6b0
Instruction ID: 449b65879a59eab2da307b64067864e3f6a40ba1aa2e941b402a44e22032466c
Opcode Fuzzy Hash: 49f4d9ccc868b27b6bf3ca982b2621a501c5a7f34c434bdc8ac11d4e72c9d6b0
Instruction Fuzzy Hash: B961D475E10219EFCF05CFA4D984AAEBBF9FF48310F208529E959A7250D770A951CF90

Function 0024DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0024DAA1

Part of subcall function 0024D63C: _free.LIBCMT ref: 0024D659
Part of subcall function 0024D63C: _free.LIBCMT ref: 0024D66B
Part of subcall function 0024D63C: _free.LIBCMT ref: 0024D67D
Part of subcall function 0024D63C: _free.LIBCMT ref: 0024D68F
Part of subcall function 0024D63C: _free.LIBCMT ref: 0024D6A1
Part of subcall function 0024D63C: _free.LIBCMT ref: 0024D6B3
Part of subcall function 0024D63C: _free.LIBCMT ref: 0024D6C5
Part of subcall function 0024D63C: _free.LIBCMT ref: 0024D6D7
Part of subcall function 0024D63C: _free.LIBCMT ref: 0024D6E9
Part of subcall function 0024D63C: _free.LIBCMT ref: 0024D6FB
Part of subcall function 0024D63C: _free.LIBCMT ref: 0024D70D
Part of subcall function 0024D63C: _free.LIBCMT ref: 0024D71F
Part of subcall function 0024D63C: _free.LIBCMT ref: 0024D731

_free.LIBCMT ref: 0024DA96

Part of subcall function 002429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0024D7D1,00000000,00000000,00000000,00000000,?,0024D7F8,00000000,00000007,00000000,?,0024DBF5,00000000), ref: 002429DE
Part of subcall function 002429C8: GetLastError.KERNEL32(00000000,?,0024D7D1,00000000,00000000,00000000,00000000,?,0024D7F8,00000000,00000007,00000000,?,0024DBF5,00000000,00000000), ref: 002429F0

_free.LIBCMT ref: 0024DAB8
_free.LIBCMT ref: 0024DACD
_free.LIBCMT ref: 0024DAD8
_free.LIBCMT ref: 0024DAFA
_free.LIBCMT ref: 0024DB0D
_free.LIBCMT ref: 0024DB1B
_free.LIBCMT ref: 0024DB26
_free.LIBCMT ref: 0024DB5E
_free.LIBCMT ref: 0024DB65
_free.LIBCMT ref: 0024DB82
_free.LIBCMT ref: 0024DB9A

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: d9de1ff8267fd3b8bea80b28fcd043b52bbb338540a3bcfd1e7b978908b51dec
Instruction ID: 6d68784ab88d4b7a246badc581bfab54a496cca115bcdfa7ecd42df7c51c78aa
Opcode Fuzzy Hash: d9de1ff8267fd3b8bea80b28fcd043b52bbb338540a3bcfd1e7b978908b51dec
Instruction Fuzzy Hash: D7315A31664206DFEB2AAE3AE845B5AB7E9FF00310F65541AF448D7291DE30AC64CB20

Function 0027365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0027369C
_wcslen.LIBCMT ref: 002736A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00273797
GetClassNameW.USER32(?,?,00000400), ref: 0027380C
GetDlgCtrlID.USER32(?), ref: 0027385D
GetWindowRect.USER32(?,?), ref: 00273882
GetParent.USER32(?), ref: 002738A0
ScreenToClient.USER32(00000000), ref: 002738A7
GetClassNameW.USER32(?,?,00000100), ref: 00273921
GetWindowTextW.USER32(?,?,00000400), ref: 0027395D

Strings

%s%u, xrefs: 00273734

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 9c1ddf7b4fd22764f561b68804577d8e642c9925c636fc95728016f65e2fee74
Instruction ID: dcf691f487f3b65d653ebb0e39a3da2cdcf986de4ecc96a978d3ad1e753eca92
Opcode Fuzzy Hash: 9c1ddf7b4fd22764f561b68804577d8e642c9925c636fc95728016f65e2fee74
Instruction Fuzzy Hash: E591BC71224607EFD719DF24C885BAAF7A8FF44310F108629FA9DC2190DB30EA65DB91

Function 00274954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00274994
GetWindowTextW.USER32(?,?,00000400), ref: 002749DA
_wcslen.LIBCMT ref: 002749EB
CharUpperBuffW.USER32(?,00000000), ref: 002749F7
_wcsstr.LIBVCRUNTIME ref: 00274A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00274A64
GetWindowTextW.USER32(?,?,00000400), ref: 00274A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00274AE6
GetClassNameW.USER32(?,?,00000400), ref: 00274B20
GetWindowRect.USER32(?,?), ref: 00274B8B

Strings

ThumbnailClass, xrefs: 00274A6F, 00274AF1

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: a0f271917c07a1e5c8e93f69cb946fc1d6b47d42bac683d4c86e31cf3b4c2413
Instruction ID: 11e0d711786fda7d9663648fd65e6b31e6a5b9da6773350422ef88b39255ddd6
Opcode Fuzzy Hash: a0f271917c07a1e5c8e93f69cb946fc1d6b47d42bac683d4c86e31cf3b4c2413
Instruction Fuzzy Hash: 2691D1714242069FDB05EF14C885FAAB7E8FF84714F04C46AFD899A096DB30ED65CBA1

Function 0027BF30 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(002E1990,000000FF,00000000,00000030), ref: 0027BFAC
SetMenuItemInfoW.USER32(002E1990,00000004,00000000,00000030), ref: 0027BFE1
Sleep.KERNEL32(000001F4), ref: 0027BFF3
GetMenuItemCount.USER32(?), ref: 0027C039
GetMenuItemID.USER32(?,00000000), ref: 0027C056
GetMenuItemID.USER32(?,-00000001), ref: 0027C082
GetMenuItemID.USER32(?,?), ref: 0027C0C9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0027C10F
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0027C124
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0027C145

Strings

0, xrefs: 0027BF3D

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep
String ID: 0
API String ID: 1460738036-4108050209
Opcode ID: 905926bfe55e490e84736ea6b6ce6169f15e9733ef126f7b51dbab27fc50c31b
Instruction ID: ee0219bf8734897d490fc1a07d3c7a3019c1278514e55449d64ce74df6e46a2a
Opcode Fuzzy Hash: 905926bfe55e490e84736ea6b6ce6169f15e9733ef126f7b51dbab27fc50c31b
Instruction Fuzzy Hash: BB6195B0920256AFDF11CF74DC88AEE7BB8FB05344F608069F819A3251D775AD25CBA1

Function 0029CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0029CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0029CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0029CD48

Part of subcall function 0029CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0029CCAA
Part of subcall function 0029CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0029CCBD
Part of subcall function 0029CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0029CCCF
Part of subcall function 0029CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0029CD05
Part of subcall function 0029CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0029CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 0029CCF3

Strings

advapi32.dll, xrefs: 0029CCB8
RegDeleteKeyExW, xrefs: 0029CCC9

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 4fd555ce7e9eafbf2c7a93478ab2ec87e7411b5c2ba5163fb8c9dfe4fab4f84c
Instruction ID: 3c0574f1cf9cded1bfff12894f067eff21a9d7df2a5251338d29bd26e93ae871
Opcode Fuzzy Hash: 4fd555ce7e9eafbf2c7a93478ab2ec87e7411b5c2ba5163fb8c9dfe4fab4f84c
Instruction Fuzzy Hash: 32316E71A11129BBDB208F54DC8CEFFBB7CEF46750F200165E909E2240DA749E45AAB0

Function 00283D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00283D40
_wcslen.LIBCMT ref: 00283D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 00283D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00283DBE
RemoveDirectoryW.KERNEL32(?), ref: 00283DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00283E55
CloseHandle.KERNEL32(00000000), ref: 00283E60
CloseHandle.KERNEL32(00000000), ref: 00283E6B

Strings

:, xrefs: 00283D82
\??\%s, xrefs: 00283D5B
\, xrefs: 00283D77

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: 829ea7bbab442e1fcae032740f7dadbbfa448fa1d420e1c77ccccdaa594ccb92
Instruction ID: 04a38e01496d7392032d85a31c38b62b6dd69f8f11bcd4ccac121b5658967313
Opcode Fuzzy Hash: 829ea7bbab442e1fcae032740f7dadbbfa448fa1d420e1c77ccccdaa594ccb92
Instruction Fuzzy Hash: A331A375A1020AABDB21EFA0DC49FEB37BCEF89B00F1040B5F905D6191EB7497548B24

Function 0027E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0027E6B4

Part of subcall function 0022E551: timeGetTime.WINMM(?,?,0027E6D4), ref: 0022E555

Sleep.KERNEL32(0000000A), ref: 0027E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 0027E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0027E727
SetActiveWindow.USER32 ref: 0027E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0027E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 0027E773
Sleep.KERNEL32(000000FA), ref: 0027E77E
IsWindow.USER32 ref: 0027E78A
EndDialog.USER32(00000000), ref: 0027E79B

Strings

BUTTON, xrefs: 0027E719

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 86540c119219bb212740a0133a43f280bac35be7b5a1361cead5caac465b5e20
Instruction ID: c0c52ca9ee503e2595f80a1d37c42a06ae513f437e6904e12cb03eacc4618e40
Opcode Fuzzy Hash: 86540c119219bb212740a0133a43f280bac35be7b5a1361cead5caac465b5e20
Instruction Fuzzy Hash: 7021D1B0660245EFEF009F24FCCDA257B6DF75A748B218465F90E861A1DFB1AC248A34

Function 0027E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00219CB3: _wcslen.LIBCMT ref: 00219CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0027EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0027EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0027EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0027EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0027EAA7

Strings

open , xrefs: 0027EA0C
play PlayMe wait, xrefs: 0027EA91
play PlayMe, xrefs: 0027EAA2
alias PlayMe, xrefs: 0027EA36
close PlayMe, xrefs: 0027EA6E, 0027EA9B
status PlayMe mode, xrefs: 0027EA58

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 9f1b5a7f1f03d02dd4c1535d4263f585cc00eff70e780e532a6206c5da007f28
Instruction ID: d6e16fbec0d9599083504087e5772762916dfb6f6746c9982dc9d538bc17d2ac
Opcode Fuzzy Hash: 9f1b5a7f1f03d02dd4c1535d4263f585cc00eff70e780e532a6206c5da007f28
Instruction Fuzzy Hash: D311773167025979DB20E7A5DC5EDFF6BBCEBD6B00F000466B415A21D1DE701DA5C9B0

Function 00279F91 Relevance: 18.2, APIs: 12, Instructions: 188keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 0027A012
SetKeyboardState.USER32(?), ref: 0027A07D
GetAsyncKeyState.USER32(000000A0), ref: 0027A09D
GetKeyState.USER32(000000A0), ref: 0027A0B4
GetAsyncKeyState.USER32(000000A1), ref: 0027A0E3
GetKeyState.USER32(000000A1), ref: 0027A0F4
GetAsyncKeyState.USER32(00000011), ref: 0027A120
GetKeyState.USER32(00000011), ref: 0027A12E
GetAsyncKeyState.USER32(00000012), ref: 0027A157
GetKeyState.USER32(00000012), ref: 0027A165
GetAsyncKeyState.USER32(0000005B), ref: 0027A18E
GetKeyState.USER32(0000005B), ref: 0027A19C

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 6153d1bd41c8d38cae5d53ea942ef95fb0cfc6e55bb777bd3fe5a886a3b6f22f
Instruction ID: 3f9c17fb7fe7e6901344ed4525fba612e10718014e03eaf6ffaafbee160188c9
Opcode Fuzzy Hash: 6153d1bd41c8d38cae5d53ea942ef95fb0cfc6e55bb777bd3fe5a886a3b6f22f
Instruction Fuzzy Hash: F9512A209143852AFB35DF6088117EEBFB49F52350F48C58AD4CE575C2DA749A9CCB63

Function 00275CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00275CE2
GetWindowRect.USER32(00000000,?), ref: 00275CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00275D59
GetDlgItem.USER32(?,00000002), ref: 00275D69
GetWindowRect.USER32(00000000,?), ref: 00275D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00275DCF
GetDlgItem.USER32(?,000003E9), ref: 00275DDD
GetWindowRect.USER32(00000000,?), ref: 00275DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00275E31
GetDlgItem.USER32(?,000003EA), ref: 00275E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00275E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00275E67

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: b999431e9bcacbfe82ec55588fb2869240ea8d9994ab0a0a5a0321ae8af11b37
Instruction ID: 280d71cca1d22248d948bf776484b1c680a8b314b2c0ed31b373d68aabea8091
Opcode Fuzzy Hash: b999431e9bcacbfe82ec55588fb2869240ea8d9994ab0a0a5a0321ae8af11b37
Instruction Fuzzy Hash: 19512071B10615AFDF18CF68DD89AAEBBB9FB48710F208129F519E7290DB709E10CB50

Function 00228BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00228F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00228BE8,?,00000000,?,?,?,?,00228BBA,00000000,?), ref: 00228FC5

DestroyWindow.USER32(?), ref: 00228C81
KillTimer.USER32(00000000,?,?,?,?,00228BBA,00000000,?), ref: 00228D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00266973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00228BBA,00000000,?), ref: 002669A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00228BBA,00000000,?), ref: 002669B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00228BBA,00000000), ref: 002669D4
DeleteObject.GDI32(00000000), ref: 002669E6

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: fe01b9f0cadbeed4ce92558e606e1c23a4133798bcf6c5dcb7a376a3875b7e95
Instruction ID: 90eda7af4b3af96fe22a91ad7a20867d7a2bddae8b0170e20e695a7c9281ff81
Opcode Fuzzy Hash: fe01b9f0cadbeed4ce92558e606e1c23a4133798bcf6c5dcb7a376a3875b7e95
Instruction Fuzzy Hash: 1B617F31522661EFDB299F54FA4CB29B7F1FB41312F144529E0429A560CB75EDB0CFA0

Function 00229838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00229944: GetWindowLongW.USER32(?,000000EB), ref: 00229952

GetSysColor.USER32(0000000F), ref: 00229862

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: a23268133f27a1e2e0aac2ab4c1245cea4d073043dea143514aaac04e57d9909
Instruction ID: 1a7961e444507467cbd76f4cc6b4558949f14fdeba1eb1152a4e7f53fb727a5e
Opcode Fuzzy Hash: a23268133f27a1e2e0aac2ab4c1245cea4d073043dea143514aaac04e57d9909
Instruction Fuzzy Hash: 0E41F531510650AFDB205F78BC88BB93BA5EB17330F284655F9A6872E1CB319CE2DB11

Function 00248D45 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Strings

.#, xrefs: 0024903A, 00248FD0, 00248FF2

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID:
String ID: .#
API String ID: 0-197210044
Opcode ID: 66f4b87eeaefcf4b8a41b5e0c8b4d2d90431ab970f7470a4625d8f3e5990e5f1
Instruction ID: 84d275f23f04297cff4e112efcc1bb86661948abcfe6574703031cb7e518a98c
Opcode Fuzzy Hash: 66f4b87eeaefcf4b8a41b5e0c8b4d2d90431ab970f7470a4625d8f3e5990e5f1
Instruction Fuzzy Hash: A3C10874D24249DFDF19DFA8D885BAEBBB0AF09310F144195F814AB392CB7089A1CF61

Function 002796E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0025F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00279717
LoadStringW.USER32(00000000,?,0025F7F8,00000001), ref: 00279720

Part of subcall function 00219CB3: _wcslen.LIBCMT ref: 00219CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0025F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00279742
LoadStringW.USER32(00000000,?,0025F7F8,00000001), ref: 00279745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00279866

Strings

Line %d (File "%s"):, xrefs: 0027978F
%s (%d) : ==> %s: %s %s, xrefs: 0027984A
^ ERROR, xrefs: 002797FB
Error: , xrefs: 0027981D
Line %d:, xrefs: 002797A0

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: f9cbabb092f1c7ee49cd23ba8b68f36ba8f0975222fa8eeebee9e275d44a95ed
Instruction ID: 57985ab4af3e3b21ffe2f0b915dc736f6de9357e06415407fa6934a1bd768651
Opcode Fuzzy Hash: f9cbabb092f1c7ee49cd23ba8b68f36ba8f0975222fa8eeebee9e275d44a95ed
Instruction Fuzzy Hash: 4C414172810219ABDB14EBE0DD56DEEB3B9AF25340F104065F60572092EB756FE8CFA1

Function 002706DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00216B57: _wcslen.LIBCMT ref: 00216B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 002707A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 002707BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 002707DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00270804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 0027082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00270837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0027083C

Strings

SOFTWARE\Classes\, xrefs: 0027070E
\CLSID, xrefs: 00270724
\IPC$, xrefs: 00270784

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 6e5ed620a0281cbc3f83e64e8de277c39e75c18433626e7f70a89e2ee4ab9a94
Instruction ID: a9fc7106480c6c2ebc5a79808b1163c4ad569c989b49c44e45f7b1ff1245cb73
Opcode Fuzzy Hash: 6e5ed620a0281cbc3f83e64e8de277c39e75c18433626e7f70a89e2ee4ab9a94
Instruction Fuzzy Hash: 18411A71C20229EBDF15EF94DC958EDB7B8BF14350B144166E905A3160EB705E98CF90

Function 002A3F98 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 002A403B
CreateCompatibleDC.GDI32(00000000), ref: 002A4042
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 002A4055
SelectObject.GDI32(00000000,00000000), ref: 002A405D
GetPixel.GDI32(00000000,00000000,00000000), ref: 002A4068
DeleteDC.GDI32(00000000), ref: 002A4072
GetWindowLongW.USER32(?,000000EC), ref: 002A407C
SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 002A4092
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 002A409E

Strings

static, xrefs: 002A3FD3

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 72edabe4f82a426a644f8f180107793a13099cb57f1fd9c1a97d6581f12f03ef
Instruction ID: 8edfa6a886cc50ed286ddc0ab19a83b5115bf2a38c5dfce4660c089a30a88898
Opcode Fuzzy Hash: 72edabe4f82a426a644f8f180107793a13099cb57f1fd9c1a97d6581f12f03ef
Instruction Fuzzy Hash: 08316F32511215AFDF219FA4DC09FDA3BA8FF4E724F110211FA19E61A0CB75D860DB90

Function 00293C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00293C5C
CoInitialize.OLE32(00000000), ref: 00293C8A
CoUninitialize.OLE32 ref: 00293C94
_wcslen.LIBCMT ref: 00293D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00293DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00293ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00293F0E
CoGetObject.OLE32(?,00000000,002AFB98,?), ref: 00293F2D
SetErrorMode.KERNEL32(00000000), ref: 00293F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00293FC4
VariantClear.OLEAUT32(?), ref: 00293FD8

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 8f853f149f39c30e6794b663718e6451ca66eb83d108b2b1eb43731a2cd66e3c
Instruction ID: 4c016e61816ebbb5dba9fb098bdc323b3094cc531b0fbef9101112f540b700bb
Opcode Fuzzy Hash: 8f853f149f39c30e6794b663718e6451ca66eb83d108b2b1eb43731a2cd66e3c
Instruction Fuzzy Hash: FEC13671628205AFDB00DF68C88496BB7E9FF89744F10491DF98A9B250DB30EE55CB62

Function 00287A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00287AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00287B8F
SHGetDesktopFolder.SHELL32(?), ref: 00287BA3
CoCreateInstance.OLE32(002AFD08,00000000,00000001,002D6E6C,?), ref: 00287BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00287C74
CoTaskMemFree.OLE32(?,?), ref: 00287CCC
SHBrowseForFolderW.SHELL32(?), ref: 00287D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00287D7A
CoTaskMemFree.OLE32(00000000), ref: 00287D81
CoTaskMemFree.OLE32(00000000), ref: 00287DD6
CoUninitialize.OLE32 ref: 00287DDC

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 2ccef34db99b6d4b89e260051deb9afa4d7cd1098e14a6ddab72635c03497d38
Instruction ID: 5e9ddbf58a94dba02d6af5d08f96de95522a3048cf06fb592c2fe391f76a77d8
Opcode Fuzzy Hash: 2ccef34db99b6d4b89e260051deb9afa4d7cd1098e14a6ddab72635c03497d38
Instruction Fuzzy Hash: 7DC12C75A15105AFDB14DFA4C888DAEBBF9FF48304B248499E8199B361DB30ED91CF90

Function 002A541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 002A5504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 002A5515
CharNextW.USER32(00000158), ref: 002A5544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 002A5585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 002A559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 002A55AC

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: cb1194069ff1ce5677b8786dd5fcaffa54bc7907f063ee026bf3f7427ca50ecb
Instruction ID: 1459b404b88d5c3c8dd8c0561917ff488526bb09532fa88e943a80ba97357adf
Opcode Fuzzy Hash: cb1194069ff1ce5677b8786dd5fcaffa54bc7907f063ee026bf3f7427ca50ecb
Instruction Fuzzy Hash: 8F616D3192462AEBDF10DF54DC849FF7BB9FB0B720F104145F525AA290DB748AA0DBA0

Function 0026FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0026FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 0026FB08
VariantInit.OLEAUT32(?), ref: 0026FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 0026FB3A
VariantCopy.OLEAUT32(?,?), ref: 0026FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 0026FBA1
VariantClear.OLEAUT32(?), ref: 0026FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 0026FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0026FBCC
VariantClear.OLEAUT32(?), ref: 0026FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0026FBE9

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 0ca4e611059af8d381ffc4df092b227853ac9defa1784dfeec597f0c894eb253
Instruction ID: f6176c058c672953a182f85e9c5686fb3014296e8d137dcb91e2efd6982bd912
Opcode Fuzzy Hash: 0ca4e611059af8d381ffc4df092b227853ac9defa1784dfeec597f0c894eb253
Instruction Fuzzy Hash: C8415135A10219DFCF00DFA4E9589ADBBB9FF09344F108069E945A7261DB30A995CF90

Function 00279C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00279CA1
GetAsyncKeyState.USER32(000000A0), ref: 00279D22
GetKeyState.USER32(000000A0), ref: 00279D3D
GetAsyncKeyState.USER32(000000A1), ref: 00279D57
GetKeyState.USER32(000000A1), ref: 00279D6C
GetAsyncKeyState.USER32(00000011), ref: 00279D84
GetKeyState.USER32(00000011), ref: 00279D96
GetAsyncKeyState.USER32(00000012), ref: 00279DAE
GetKeyState.USER32(00000012), ref: 00279DC0
GetAsyncKeyState.USER32(0000005B), ref: 00279DD8
GetKeyState.USER32(0000005B), ref: 00279DEA

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: fb0af0b3a145d51a4407e21b5a65b210b2dfe5dbf1277e4575afc9df2a3e3852
Instruction ID: da89b59996201b5d5eb237d5b9fa4a7dd4af823bd6723b97157e85be1524e0d6
Opcode Fuzzy Hash: fb0af0b3a145d51a4407e21b5a65b210b2dfe5dbf1277e4575afc9df2a3e3852
Instruction Fuzzy Hash: 5D41E8305147CB6AFF319F6484043B5BEA0AB17304F48C05FDACA565C2EBB499E4C792

Function 0029055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 002905BC
inet_addr.WSOCK32(?), ref: 0029061C
gethostbyname.WSOCK32(?), ref: 00290628
IcmpCreateFile.IPHLPAPI ref: 00290636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 002906C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 002906E5
IcmpCloseHandle.IPHLPAPI(?), ref: 002907B9
WSACleanup.WSOCK32 ref: 002907BF

Strings

Ping, xrefs: 00290676

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 11fee8cde29c12ae33ad0a110483239ae5d255396d4c3043369e9442873783aa
Instruction ID: c6536c9da98d8ccc89ed3e472faf70285106499003cccc57501644e57b1f05b6
Opcode Fuzzy Hash: 11fee8cde29c12ae33ad0a110483239ae5d255396d4c3043369e9442873783aa
Instruction Fuzzy Hash: 7B919E35614202AFDB20CF55D4C8F5ABBE4BF44328F1585A9E4698B6A2C770EC91CF91

Function 00298CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00298CF3

Part of subcall function 00278E54: _wcslen.LIBCMT ref: 00278E77

_wcslen.LIBCMT ref: 00298D4E
_wcslen.LIBCMT ref: 00298D9C
_wcslen.LIBCMT ref: 00298DDC
_wcslen.LIBCMT ref: 00298E6E

Strings

stdcall, xrefs: 00298DD6, 00298DDB
none, xrefs: 00298E65, 00298E6A
cdecl, xrefs: 00298D48, 00298D4D
winapi, xrefs: 00298D96, 00298D9B

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 722097796cbcd356d7932a81e7365501c4a0b47ae5a592cc909d343c4b3e2db2
Instruction ID: 037b911ad17cb9d9222c1475ed8b5f26a07ee5ee7c6b0538cc1b382d152f2a07
Opcode Fuzzy Hash: 722097796cbcd356d7932a81e7365501c4a0b47ae5a592cc909d343c4b3e2db2
Instruction Fuzzy Hash: 7D51B031A201179BCF14DF68C8509BEB3A5BF66720B294229F466E72C4EB31DD60CBD0

Function 0029372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00293774
CoUninitialize.OLE32 ref: 0029377F
CoCreateInstance.OLE32(?,00000000,00000017,002AFB78,?), ref: 002937D9
IIDFromString.OLE32(?,?), ref: 0029384C
VariantInit.OLEAUT32(?), ref: 002938E4
VariantClear.OLEAUT32(?), ref: 00293936

Strings

NULL Pointer assignment, xrefs: 0029381E
Invalid parameter, xrefs: 00293865
Failed to create object, xrefs: 002937E4, 0029389A

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 44792b02e2ebf8b233937e51cb6310568897db289978bd7a1e9db596f8263b3b
Instruction ID: d717d66a841554e87756c1a7869688efcd0f4402df6de1156c26f5a196b27368
Opcode Fuzzy Hash: 44792b02e2ebf8b233937e51cb6310568897db289978bd7a1e9db596f8263b3b
Instruction Fuzzy Hash: 8461AF70628301AFD711DF54D888BAABBE8FF49714F104819F9859B291D770EE58CB92

Function 00283388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 002833CF

Part of subcall function 00219CB3: _wcslen.LIBCMT ref: 00219CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 002833F0

Strings

Line %d (File "%s"):, xrefs: 00283443, 0028345C
"%s" (%d) : ==> %s:, xrefs: 00283522
"%s" (%d) : ==> %s:%s%s, xrefs: 00283504
Error: , xrefs: 002834D1
Incorrect parameters to object property !, xrefs: 002834AB
^ ERROR , xrefs: 0028349E

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: acf6c157e56cf00d6891a11e38c8e5d7521bd192c73c430dd84b99d7f52ed637
Instruction ID: 7a02e557a159019539d17d5e009abb0abdb79197739e1d24d2116955073dfdcd
Opcode Fuzzy Hash: acf6c157e56cf00d6891a11e38c8e5d7521bd192c73c430dd84b99d7f52ed637
Instruction Fuzzy Hash: 49518F71920209AADF14EBA0DD46EEEB3B9AF19740F104066F50572192EB352FF8DF60

Function 0027B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 0027B5FC
_wcslen.LIBCMT ref: 0027B608
_wcslen.LIBCMT ref: 0027B64D
_wcslen.LIBCMT ref: 0027B68C
_wcslen.LIBCMT ref: 0027B6C7

Strings

KEYS, xrefs: 0027B647, 0027B64C
EXISTS, xrefs: 0027B686, 0027B68B
APPEND, xrefs: 0027B6C1, 0027B6C6
REMOVE, xrefs: 0027B602, 0027B607

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: 7575b85b4969c2e14e6ce92ae128cea8eacab0111fd8dae11d4108fdf1b47140
Instruction ID: 5f233d3c2ea88e929d337c17eda6a6e11e4d5aaa1d3c3f12468195d37af15a30
Opcode Fuzzy Hash: 7575b85b4969c2e14e6ce92ae128cea8eacab0111fd8dae11d4108fdf1b47140
Instruction Fuzzy Hash: 3E41EC32A200279BCB116F7DC8907BEB7A9FF61754B248129E629D7284E735CDA1C790

Function 00285393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 002853A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00285416
GetLastError.KERNEL32 ref: 00285420
SetErrorMode.KERNEL32(00000000,READY), ref: 002854A7

Strings

INVALID, xrefs: 00285459
READY, xrefs: 00285460, 00285468
UNKNOWN, xrefs: 00285444
NOTREADY, xrefs: 0028544B
READONLY, xrefs: 00285452

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 404d70c2d470ccb1ceac9fc28e764da4368c8612beaf6e01b9a8fe9ab5cdfe2b
Instruction ID: 2f42cba97a43a57ca04bc58c18194c10c7a81600b961a50d92069030cc746e98
Opcode Fuzzy Hash: 404d70c2d470ccb1ceac9fc28e764da4368c8612beaf6e01b9a8fe9ab5cdfe2b
Instruction Fuzzy Hash: 0F31C339A216159FD710EF68C488AAABBF4FF45305F148066E405CB3D2DB71DDA6CB90

Function 002A3C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 002A3C79
SetMenu.USER32(?,00000000), ref: 002A3C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 002A3D10
IsMenu.USER32(?), ref: 002A3D24
CreatePopupMenu.USER32 ref: 002A3D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 002A3D5B
DrawMenuBar.USER32 ref: 002A3D63

Strings

F, xrefs: 002A3D4E
0, xrefs: 002A3C54

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 8c070940d22924112313d03428c8c351281b4f5998f51497e21367c3b78fb301
Instruction ID: 2943d90309d5d2fd83a27408bf37d54ea23e0edf77479103f2ef55a0a229c70e
Opcode Fuzzy Hash: 8c070940d22924112313d03428c8c351281b4f5998f51497e21367c3b78fb301
Instruction Fuzzy Hash: 09415E75A1160AEFDB14CF64E888ADA77B5FF4A350F140029F946A7360DB70AA20CF54

Function 00271EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00219CB3: _wcslen.LIBCMT ref: 00219CBD

Part of subcall function 00273CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00273CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00271F64
GetDlgCtrlID.USER32 ref: 00271F6F
GetParent.USER32 ref: 00271F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 00271F8E
GetDlgCtrlID.USER32(?), ref: 00271F97
GetParent.USER32(?), ref: 00271FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 00271FAE

Strings

ComboBox, xrefs: 00271EEC
ListBox, xrefs: 00271F21

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 3f8df1fedb24a68559c4d3fb3ebc0dba6dbf10b4bb0cb927143c07d3cc1a9233
Instruction ID: 4750edd7586c12dc086dda35fab6037ac4e829cb02498df6fb22082e2935e669
Opcode Fuzzy Hash: 3f8df1fedb24a68559c4d3fb3ebc0dba6dbf10b4bb0cb927143c07d3cc1a9233
Instruction Fuzzy Hash: 9C21F270910214BBCF19EFA4DC85DEEBBB8EF16340B10411AF96563291CB744964DFA0

Function 002A3A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 002A3A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 002A3AA0
GetWindowLongW.USER32(?,000000F0), ref: 002A3AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 002A3AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 002A3B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 002A3BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 002A3BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 002A3BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 002A3BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 002A3C13

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 8379bf8367ca8009ec596d2cc7fac69d54b1afbadbb4ecda57274e71cedfca4b
Instruction ID: 7810b11c6c276b5c2d4796e260b46244d97ec9c7e08b3aa35e171b3f7aca132a
Opcode Fuzzy Hash: 8379bf8367ca8009ec596d2cc7fac69d54b1afbadbb4ecda57274e71cedfca4b
Instruction Fuzzy Hash: FF617C75910248AFDB10DF64CC85EEE77B9EB0A714F1000AAFA15A7291CB70AE65DF60

Function 0027B12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0027B151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,0027A1E1,?,00000001), ref: 0027B165
GetWindowThreadProcessId.USER32(00000000), ref: 0027B16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0027A1E1,?,00000001), ref: 0027B17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 0027B18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,0027A1E1,?,00000001), ref: 0027B1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0027A1E1,?,00000001), ref: 0027B1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,0027A1E1,?,00000001), ref: 0027B1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,0027A1E1,?,00000001), ref: 0027B212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,0027A1E1,?,00000001), ref: 0027B21D

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 3973b16c8e758c2e127850fe09b721588ebf2d06ad5ccef3713e8a8f6c44360e
Instruction ID: 2c901eec3646fb88692186d3117fc542baac676b1777228e82962cdfafffb2c1
Opcode Fuzzy Hash: 3973b16c8e758c2e127850fe09b721588ebf2d06ad5ccef3713e8a8f6c44360e
Instruction Fuzzy Hash: CD31CE71560209BFDB12DF24EC8CB6E7BADBB51312F208414FA08DB191DBB49E008F60

Function 00242C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00242C94

Part of subcall function 002429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0024D7D1,00000000,00000000,00000000,00000000,?,0024D7F8,00000000,00000007,00000000,?,0024DBF5,00000000), ref: 002429DE
Part of subcall function 002429C8: GetLastError.KERNEL32(00000000,?,0024D7D1,00000000,00000000,00000000,00000000,?,0024D7F8,00000000,00000007,00000000,?,0024DBF5,00000000,00000000), ref: 002429F0

_free.LIBCMT ref: 00242CA0
_free.LIBCMT ref: 00242CAB
_free.LIBCMT ref: 00242CB6
_free.LIBCMT ref: 00242CC1
_free.LIBCMT ref: 00242CCC
_free.LIBCMT ref: 00242CD7
_free.LIBCMT ref: 00242CE2
_free.LIBCMT ref: 00242CED
_free.LIBCMT ref: 00242CFB

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: c71fedc430c6bcfc448280955b53a785ade35bd4cd94099dc1f19d89a163f597
Instruction ID: eea809b0cc66291a78e1f970bd6378901741b70bdb17fba240eb77d6c10369c6
Opcode Fuzzy Hash: c71fedc430c6bcfc448280955b53a785ade35bd4cd94099dc1f19d89a163f597
Instruction Fuzzy Hash: C811D776120108EFDB0AEF56D882CDD3BA5FF05350FA154A1F9489F222DA31EE649F90

Function 00287DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00287FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00287FC1
GetFileAttributesW.KERNEL32(?), ref: 00287FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 00288005
SetCurrentDirectoryW.KERNEL32(?), ref: 00288017
SetCurrentDirectoryW.KERNEL32(?), ref: 00288060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 002880B0

Strings

*.*, xrefs: 00288066

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: fa123b7ca42d376533033384c4897a34bd0c982bede7ab6560c980f3c94aa508
Instruction ID: e3d320c9f5182478c8983e5495de888dd8bf0a8e3bb0d96aeae18f2c64b9a57f
Opcode Fuzzy Hash: fa123b7ca42d376533033384c4897a34bd0c982bede7ab6560c980f3c94aa508
Instruction Fuzzy Hash: 0081B4765292019BCB20FF14C444AAEB3E8BF99310F644C5EF889D7290EB74ED65CB52

Function 00215BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00215C7A

Part of subcall function 00215D0A: GetClientRect.USER32(?,?), ref: 00215D30
Part of subcall function 00215D0A: GetWindowRect.USER32(?,?), ref: 00215D71
Part of subcall function 00215D0A: ScreenToClient.USER32(?,?), ref: 00215D99

GetDC.USER32 ref: 002546F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00254708
SelectObject.GDI32(00000000,00000000), ref: 00254716
SelectObject.GDI32(00000000,00000000), ref: 0025472B
ReleaseDC.USER32(?,00000000), ref: 00254733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 002547C4

Strings

U, xrefs: 00254693

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 5a81cb21a6469bf9bdc9f7f58cea4ad8f7de1c97ebbe2cd00fd8b4641c292352
Instruction ID: 27929cc54f868a75d6fdf47aa757b8b22640f8756b21bde739e19c46335f8eb2
Opcode Fuzzy Hash: 5a81cb21a6469bf9bdc9f7f58cea4ad8f7de1c97ebbe2cd00fd8b4641c292352
Instruction Fuzzy Hash: 0E710434420206DFCF219F64C988AFABBB5FF8A32AF144266ED555A166C7308CE5DF50

Function 0028359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 002835E4

Part of subcall function 00219CB3: _wcslen.LIBCMT ref: 00219CBD

LoadStringW.USER32(002E2390,?,00000FFF,?), ref: 0028360A

Strings

Line %d (File "%s"):, xrefs: 0028366B
"%s" (%d) : ==> %s:, xrefs: 00283742
^ ERROR, xrefs: 002836C9
"%s" (%d) : ==> %s:%s%s, xrefs: 00283724
Error: , xrefs: 002836EF

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 673a2aa1e3819ab5320e60ca8e90c3d67cdfc93964297bd1c04e229cf3d5f28f
Instruction ID: 98b4fa43ce8498514833782787af54bdb1df3d01f5a80b13daf492a67c03593a
Opcode Fuzzy Hash: 673a2aa1e3819ab5320e60ca8e90c3d67cdfc93964297bd1c04e229cf3d5f28f
Instruction Fuzzy Hash: DE517E7182021ABBDF14EBA0DC56EEDBBB9AF14700F144165F505721A1EB316AF8DFA0

Function 0028C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0028C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0028C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0028C2CA
GetLastError.KERNEL32 ref: 0028C322
SetEvent.KERNEL32(?), ref: 0028C336
InternetCloseHandle.WININET(00000000), ref: 0028C341

Strings

, xrefs: 0028C2BB

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 50f2ac6457385d75fb14a89481bd431812a9f9a93e3b1c4cf6e15828ba905874
Instruction ID: 9804872516586de4611a37524fc117a4f8070fbe06d929b7b67356fdec7116ae
Opcode Fuzzy Hash: 50f2ac6457385d75fb14a89481bd431812a9f9a93e3b1c4cf6e15828ba905874
Instruction Fuzzy Hash: C331A0B5521304AFD721AF649C88ABB7BFCEB49744F24855EF446D2280DB34DD158B70

Function 0027989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00253AAF,?,?,Bad directive syntax error,002ACC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 002798BC
LoadStringW.USER32(00000000,?,00253AAF,?), ref: 002798C3

Part of subcall function 00219CB3: _wcslen.LIBCMT ref: 00219CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00279987

Strings

Line %d (File "%s"):, xrefs: 0027992D
., xrefs: 0027996D
Error: , xrefs: 00279955
Line %d:, xrefs: 00279912
%s (%d) : ==> %s.: %s %s, xrefs: 002798F1

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 2ae0dfbf480be1256a13672bd557d8cea5b3c4fdc66460aa850af494d53b7568
Instruction ID: 4830e34df8532f16df6c3ae4d09b0c95d663d96a49f903012aa0813271b2d756
Opcode Fuzzy Hash: 2ae0dfbf480be1256a13672bd557d8cea5b3c4fdc66460aa850af494d53b7568
Instruction Fuzzy Hash: FA216F3182021AABDF11EF90CC0AEEE7775BF29704F044466F619620A1DA71AAB8DF50

Function 0027209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 002720AB
GetClassNameW.USER32(00000000,?,00000100), ref: 002720C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0027214D

Strings

list, xrefs: 0027212F
details, xrefs: 002720FB
largeicons, xrefs: 002720E1
smallicons, xrefs: 00272115
SHELLDLL_DefView, xrefs: 002720CC

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: a54e8c57668178fe618a0f53269586cb17aa08ade22b8293f07674753c3372a7
Instruction ID: c817897e8d6673a4c98d478f42678a2aa4877db001d4428c1280e7314c8ec838
Opcode Fuzzy Hash: a54e8c57668178fe618a0f53269586cb17aa08ade22b8293f07674753c3372a7
Instruction Fuzzy Hash: 1F113A762B8317FAF6017620EC0ADA6339CEB06724F304017FB0CA40D2EEB16C355A14

Function 0024CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 0024CEB7
_free.LIBCMT ref: 0024CF22
_free.LIBCMT ref: 0024CF48
_free.LIBCMT ref: 0024CF71
_free.LIBCMT ref: 0024CFA9
_free.LIBCMT ref: 0024CFDA
_free.LIBCMT ref: 0024D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0024D09C
_free.LIBCMT ref: 0024D0B5

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 3487c23f84424ae874d3047dd48f298dacf7d6573c0180d9d91e9c05055b1c7d
Instruction ID: 476647abcf2a1ae80c775624b67a74ba86af72bbe1b1599f1874fa7c4083f86a
Opcode Fuzzy Hash: 3487c23f84424ae874d3047dd48f298dacf7d6573c0180d9d91e9c05055b1c7d
Instruction Fuzzy Hash: 9D618A71925202AFDB2DAFB9ECC5A6D7B95EF01310F25016FF9009B241DB759C298BA0

Function 002A50D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 002A5186
ShowWindow.USER32(?,00000000), ref: 002A51C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 002A51CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 002A51D1

Part of subcall function 002A6FBA: DeleteObject.GDI32(00000000), ref: 002A6FE6

GetWindowLongW.USER32(?,000000F0), ref: 002A520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 002A521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 002A524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 002A5287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 002A5296

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: aee1f175c63d25fe4187c3b4106ec19a8f7e1e2b5c4f988466c1463a29b1c4f8
Instruction ID: 1d3b0e9bc3c2652796329acdeff7ed6613ae9201834bec77bdc8d42c31aa4a7e
Opcode Fuzzy Hash: aee1f175c63d25fe4187c3b4106ec19a8f7e1e2b5c4f988466c1463a29b1c4f8
Instruction Fuzzy Hash: 2051B330A70A29BFEF249F24DC49BEA7B65EB06320F144011FA19962E1CF7599A0DF40

Function 00228B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00266890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 002668A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 002668B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 002668D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 002668F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00228874,00000000,00000000,00000000,000000FF,00000000), ref: 00266901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0026691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00228874,00000000,00000000,00000000,000000FF,00000000), ref: 0026692D

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: f0f865cd53de4b730209d1bafc95415dddbb14207f6184e9ddf8e1b7f1638b0b
Instruction ID: 8d36efa06e05671b39732c864bc495474f4ae5071d7fe535d41f6fd9881bdd92
Opcode Fuzzy Hash: f0f865cd53de4b730209d1bafc95415dddbb14207f6184e9ddf8e1b7f1638b0b
Instruction Fuzzy Hash: C0519B70620206EFDB20CF64EC99FAA7BB5EB58754F10452CF906D72A0DB70E9A0DB50

Function 0028C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0028C182
GetLastError.KERNEL32 ref: 0028C195
SetEvent.KERNEL32(?), ref: 0028C1A9

Part of subcall function 0028C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0028C272
Part of subcall function 0028C253: GetLastError.KERNEL32 ref: 0028C322
Part of subcall function 0028C253: SetEvent.KERNEL32(?), ref: 0028C336
Part of subcall function 0028C253: InternetCloseHandle.WININET(00000000), ref: 0028C341

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: b489d932794907c3e4d5cbba88b157877c79ce5f5c42af101c7f3965ddd55a2a
Instruction ID: aa4b79d1e37300ad84ab0958fd749cbe2d99e71ca01805045c59f0857aec250c
Opcode Fuzzy Hash: b489d932794907c3e4d5cbba88b157877c79ce5f5c42af101c7f3965ddd55a2a
Instruction Fuzzy Hash: E5318275111701AFDB21AFB5EC48A66BBF8FF59300B24841EF95682694DB31E8249F70

Function 002725A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00273A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00273A57
Part of subcall function 00273A3D: GetCurrentThreadId.KERNEL32 ref: 00273A5E
Part of subcall function 00273A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,002725B3), ref: 00273A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 002725BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 002725DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 002725DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 002725E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00272601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00272605
MapVirtualKeyW.USER32(00000025,00000000), ref: 0027260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00272623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00272627

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 2e16f6f99e8a274efbb7df40fd70d704919c3e8be06fb3ca03cf3efc89cc9925
Instruction ID: 6fa91216b085378eb6f77a41b2ea8298adaeb3baa77f03c85c94998fdc43fdac
Opcode Fuzzy Hash: 2e16f6f99e8a274efbb7df40fd70d704919c3e8be06fb3ca03cf3efc89cc9925
Instruction Fuzzy Hash: D101B1317A0210BBFB10A768AC8EF593E59DB8AB12F204011F318AE0D1CDF224559E69

Function 00271803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00271449,?,?,00000000), ref: 0027180C
HeapAlloc.KERNEL32(00000000,?,00271449,?,?,00000000), ref: 00271813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00271449,?,?,00000000), ref: 00271828
GetCurrentProcess.KERNEL32(?,00000000,?,00271449,?,?,00000000), ref: 00271830
DuplicateHandle.KERNEL32(00000000,?,00271449,?,?,00000000), ref: 00271833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00271449,?,?,00000000), ref: 00271843
GetCurrentProcess.KERNEL32(00271449,00000000,?,00271449,?,?,00000000), ref: 0027184B
DuplicateHandle.KERNEL32(00000000,?,00271449,?,?,00000000), ref: 0027184E
CreateThread.KERNEL32(00000000,00000000,00271874,00000000,00000000,00000000), ref: 00271868

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 21d01cf78d86c8a15184691902e025fe660c0070a26b06d07f9ea3cc88baf7b2
Instruction ID: c4bed47fdf01e8593b838b3626b56e3cb459327b3d905a01ef38217c8ad30245
Opcode Fuzzy Hash: 21d01cf78d86c8a15184691902e025fe660c0070a26b06d07f9ea3cc88baf7b2
Instruction Fuzzy Hash: 3801BF75340304BFE710ABA5EC4DF573BACEB8AB11F104411FA05DB191DE709810CB20

Function 00243E80 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00243F0B
__alldvrm.LIBCMT ref: 0024410C
__alldvrm.LIBCMT ref: 0024412E

Strings

}}#, xrefs: 00243E96, 00243EF1, 00243F0A, 00244090
}}#, xrefs: 002440CD
}}#, xrefs: 00243E8A

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID: }}#$}}#$}}#
API String ID: 1036877536-1814773113
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: c3bef9a082d4673484bc454deae5f66d76b8a4bc940783d81045561612d9a9bd
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: B4A15871E303869FEB2DDF18C8917AEBBF4EF61350F14416EE9899B281C2748965CB50

Function 0029A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 0027D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0027D501
Part of subcall function 0027D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0027D50F
Part of subcall function 0027D4DC: CloseHandle.KERNELBASE(00000000), ref: 0027D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0029A16D
GetLastError.KERNEL32 ref: 0029A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0029A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 0029A268
GetLastError.KERNEL32(00000000), ref: 0029A273
CloseHandle.KERNEL32(00000000), ref: 0029A2C4

Strings

SeDebugPrivilege, xrefs: 0029A18F

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 094516099e7b9e857f7f5b30db3e5720108f387a52ca1a69b58a66e2cf7209d4
Instruction ID: b13d53dc7bb79f29d6647d9e0b8023f617c194e97087ab7c8b93999475257a87
Opcode Fuzzy Hash: 094516099e7b9e857f7f5b30db3e5720108f387a52ca1a69b58a66e2cf7209d4
Instruction Fuzzy Hash: 06616E306143429FDB10DF18C494F55BBE1AF54318F14849CE46A4B7A2CB76EC55CBD2

Function 002A3886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 002A3925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 002A393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 002A3954
_wcslen.LIBCMT ref: 002A3999
SendMessageW.USER32(?,00001057,00000000,?), ref: 002A39C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 002A39F4

Strings

SysListView32, xrefs: 002A38F7

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: 38b03229406136ed497e8aadcd0b2c11da9a068b9494a554be954712f4a054e2
Instruction ID: 336350d6e5077e1268e94b3ff17c1cd9a36af096acd0069ccec74f4a09521028
Opcode Fuzzy Hash: 38b03229406136ed497e8aadcd0b2c11da9a068b9494a554be954712f4a054e2
Instruction Fuzzy Hash: 5A41C571A10219ABEB21DF64CC49BEA77A9EF09350F100526F948E7281DB759DA4CB90

Function 0027BC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0027BCFD
IsMenu.USER32(00000000), ref: 0027BD1D
CreatePopupMenu.USER32 ref: 0027BD53
GetMenuItemCount.USER32(01726DB8), ref: 0027BDA4
InsertMenuItemW.USER32(01726DB8,?,00000001,00000030), ref: 0027BDCC

Strings

2, xrefs: 0027BD37
0, xrefs: 0027BCA8

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 6acf95b416c702748d17f304f5d5f3078cf2feca5889525cd8c7c07ce63353a0
Instruction ID: 232cf1df33c440b3fc236fc7f77358809c739970ddb118dc30fdc0a2fc0c9ad1
Opcode Fuzzy Hash: 6acf95b416c702748d17f304f5d5f3078cf2feca5889525cd8c7c07ce63353a0
Instruction Fuzzy Hash: 2B519170A102069FDF22CFA8D888BAEBBF4BF46314F24C159F419E7291E7709965CB51

Function 00232D20 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00232D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00232D53
_ValidateLocalCookies.LIBCMT ref: 00232DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00232E0C
_ValidateLocalCookies.LIBCMT ref: 00232E61

Strings

csm, xrefs: 00232DF6
&H#, xrefs: 00232DFE, 00232E07, 00232E18

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: &H#$csm
API String ID: 1170836740-98951210
Opcode ID: 7d5947761b4c4a3e2a29ec450276a8016e24f6def44634d0ce293af4d2009186
Instruction ID: 588a6868b0e7843ded3a1eedbdee14006cf7fccfbb3c672c23b648a0af5e84c3
Opcode Fuzzy Hash: 7d5947761b4c4a3e2a29ec450276a8016e24f6def44634d0ce293af4d2009186
Instruction Fuzzy Hash: 1141B5B4A2020DEBCF10DF68C845A9EBBB5BF45315F148156E815AB392D731EA29CFD0

Function 0027C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 0027C913

Strings

question, xrefs: 0027C8CC
warning, xrefs: 0027C8FC
info, xrefs: 0027C8B4
stop, xrefs: 0027C8E4
blank, xrefs: 0027C895

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: fed24a9f0546e549119a30079a8171860341028dabb31a2b73e096a9beb63332
Instruction ID: 4395393eba585eb737826c4316384504fbef8517adadfce66496d8606fc3878d
Opcode Fuzzy Hash: fed24a9f0546e549119a30079a8171860341028dabb31a2b73e096a9beb63332
Instruction Fuzzy Hash: 8711EB316B930BFBA7016F64DC82DFAA79CDF16354B30406FFA08A6382D7B06D205665

Function 0027DE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 0027DE42
gethostname.WSOCK32(?,00000100), ref: 0027DE5C
gethostbyname.WSOCK32(?), ref: 0027DE69
inet_ntoa.WSOCK32(?), ref: 0027DEAB
_strcat.LIBCMT ref: 0027DEB9
WSACleanup.WSOCK32 ref: 0027DEDE

Strings

0.0.0.0, xrefs: 0027DE87

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: 8ea3af9bf76f0c30bc5254d5e4dae3de7d1f8115d63bda05d558aa8bfe852ea0
Instruction ID: 074d68d0673de7a3659461c01d07ee70ba4aca2eb3805a8462987651bd0bb34f
Opcode Fuzzy Hash: 8ea3af9bf76f0c30bc5254d5e4dae3de7d1f8115d63bda05d558aa8bfe852ea0
Instruction Fuzzy Hash: D7115971920115AFCB21BF70EC0AEEF77BCDF16320F1041AAF00996091EF709AA08E60

Function 002A9F86 Relevance: 12.3, APIs: 8, Instructions: 260windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00229BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00229BB2

GetSystemMetrics.USER32(0000000F), ref: 002A9FC7
GetSystemMetrics.USER32(0000000F), ref: 002A9FE7
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 002AA224
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 002AA242
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 002AA263
ShowWindow.USER32(00000003,00000000), ref: 002AA282
InvalidateRect.USER32(?,00000000,00000001), ref: 002AA2A7
DefDlgProcW.USER32(?,00000005,?,?), ref: 002AA2CA

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: eebf073eaf350755951a8d482dcd15141ff505c8ec3bb780f4c9f2b2046cc7be
Instruction ID: 7af26d68b7009cea967d140ec231e8b3e163ec69784ccbc699039d7ec9ffa923
Opcode Fuzzy Hash: eebf073eaf350755951a8d482dcd15141ff505c8ec3bb780f4c9f2b2046cc7be
Instruction Fuzzy Hash: C3B19D31610216EFDF14CF68C9C57AE7BB2FF4A701F188069EC49AB295DB31A960CB51

Function 0027ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0027ED2A
_wcslen.LIBCMT ref: 0027ED3B
_wcslen.LIBCMT ref: 0027ED79
_wcslen.LIBCMT ref: 0027EDAF
_wcslen.LIBCMT ref: 0027EDDF
_wcslen.LIBCMT ref: 0027EDEF
_wcslen.LIBCMT ref: 0027EE2B
_wcslen.LIBCMT ref: 0027EE5A

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 4a63d7f2873d641925c3e9edc4ab72401004e401e3b784dcc996226ba96164e7
Instruction ID: af112018266f63c60a2535f5c8ff93501216b2e3d2f46ecdd413e34c087d4faa
Opcode Fuzzy Hash: 4a63d7f2873d641925c3e9edc4ab72401004e401e3b784dcc996226ba96164e7
Instruction Fuzzy Hash: B9418AA5C2111876CB11FBF4888AACF77ACAF49710F518593F918E3112FB34E265C7A5

Function 0022F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0026682C,00000004,00000000,00000000), ref: 0022F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,0026682C,00000004,00000000,00000000), ref: 0026F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0026682C,00000004,00000000,00000000), ref: 0026F454

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 99603524ee6b670e9f2f4eff829a29cb54c9d23cbc5985cc470576ab420b3abd
Instruction ID: 6c751888a2269474ec83eb58e81b56c1c330deb2e3a009c0caee6d950d8a0ecf
Opcode Fuzzy Hash: 99603524ee6b670e9f2f4eff829a29cb54c9d23cbc5985cc470576ab420b3abd
Instruction Fuzzy Hash: 03414A316382D1BBCBB88F69BB8C72A7BB5AB46314F54443CE04756660DA71A8F0CB10

Function 002A2D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 002A2D1B
GetDC.USER32(00000000), ref: 002A2D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 002A2D2E
ReleaseDC.USER32(00000000,00000000), ref: 002A2D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 002A2D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 002A2D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,002A5A65,?,?,000000FF,00000000,?,000000FF,?), ref: 002A2DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 002A2DE1

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: fef4013b8fcc33ddd3341ec4aeb475c7e85e697776b3addf528a336dbac92f91
Instruction ID: e9adbc59af46f9306f6a7c3fd12602b9a77583ff2420727f5fe0ff66a60ac3d6
Opcode Fuzzy Hash: fef4013b8fcc33ddd3341ec4aeb475c7e85e697776b3addf528a336dbac92f91
Instruction Fuzzy Hash: 0B31CE72211610BFEB158F14DC8AFEB3FADEF4A711F044055FE089A291CA758C50CBA0

Function 00275622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00275637
_memcmp.LIBVCRUNTIME ref: 00275659
_memcmp.LIBVCRUNTIME ref: 00275671
_memcmp.LIBVCRUNTIME ref: 00275684
_memcmp.LIBVCRUNTIME ref: 0027569E
_memcmp.LIBVCRUNTIME ref: 002756B1
_memcmp.LIBVCRUNTIME ref: 002756C9
_memcmp.LIBVCRUNTIME ref: 002756E4

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 83aa021161bc98a0373fafcd22c20ee6aa5705318be48988d5ec01059f93c0a9
Instruction ID: fe07817dfa7f024de866226c3e7c45ea80e32ae10e479956bd6d5326be6a9454
Opcode Fuzzy Hash: 83aa021161bc98a0373fafcd22c20ee6aa5705318be48988d5ec01059f93c0a9
Instruction Fuzzy Hash: 36212CA1670A2A77D21899118E82FFAB36DAF12394F448021FD0C9A545FBF4EE3085E5

Function 00294FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 0029502E, 00295383
Not an Object type, xrefs: 00295007

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 7cc456a51bf8e2d499c7c91e954d9c2cde6b5200bf965c7adf0f3bcd7e649032
Instruction ID: 40d01edd8230f04f071123f8c5be59648c07a58bcf6fd0d823b20ae9f5898a89
Opcode Fuzzy Hash: 7cc456a51bf8e2d499c7c91e954d9c2cde6b5200bf965c7adf0f3bcd7e649032
Instruction Fuzzy Hash: BAD1C271B1061A9FDF11CFA8C881BAEB7B5FF48344F148069E919AB281E770DD55CB90

Function 00251522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?), ref: 002515CE
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00251651
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 002516E4
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 002516FB

Part of subcall function 00243820: RtlAllocateHeap.NTDLL(00000000,?,002E1444,?,0022FDF5,?,?,0021A976,00000010,002E1440,002113FC,?,002113C6,?,00211129), ref: 00243852

MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00251777
__freea.LIBCMT ref: 002517A2
__freea.LIBCMT ref: 002517AE

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: d693ef0602c2a7642af77713a8c07fc0c5af47293b8b7d8b82d765cefaa8483f
Instruction ID: 09d6e92d7f552e69288a2c3e0be6dad69ce6127cc3e1a598de3c048f9031156e
Opcode Fuzzy Hash: d693ef0602c2a7642af77713a8c07fc0c5af47293b8b7d8b82d765cefaa8483f
Instruction Fuzzy Hash: 7091C671E202169ADF248E78CC81BEEBBB59F49311F580659EC05E7181EB35DC78CB68

Function 00294523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00294648
VariantInit.OLEAUT32(?), ref: 00294749
VariantClear.OLEAUT32(?), ref: 00294753
VariantClear.OLEAUT32(?), ref: 002947B0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 0029472C
Null Object assignment in FOR..IN loop, xrefs: 002945D8, 00294706, 002947BE

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: a253b77926ac1f0bd72f90962d03b193afae602a1f4507b9f0baca7f99182e88
Instruction ID: eb650aad4da6aee393e1fc847c58cd5ed82536b68269c3e93047107360489afc
Opcode Fuzzy Hash: a253b77926ac1f0bd72f90962d03b193afae602a1f4507b9f0baca7f99182e88
Instruction Fuzzy Hash: BA91A471A20219ABDF24DFA4DC84FEEBBB8EF46714F108559F505AB280D7709952CFA0

Function 00281187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 0028125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00281284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 002812A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 002812D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 0028135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 002813C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00281430

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: e120bd566853d6fcd3f2f9a297b1e98e1f8fbadd82740e75066e994a0069432c
Instruction ID: 254a38089c40eeb42d02e0ff46d436fcfa01a97451f9ef98b7f77beae060f786
Opcode Fuzzy Hash: e120bd566853d6fcd3f2f9a297b1e98e1f8fbadd82740e75066e994a0069432c
Instruction Fuzzy Hash: D091D079A21219AFEB00AF94D884BBE77B9FF45315F104029E900E72D1D774A976CF90

Function 0022948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 0acbdb421a7f586876e83f3ae7d720480b9339fb9ee9eff1bec452f84bd2c503
Instruction ID: 552b5d3bdef2879795870d8551eb28775e0f2fa69f024661f075359fe4840858
Opcode Fuzzy Hash: 0acbdb421a7f586876e83f3ae7d720480b9339fb9ee9eff1bec452f84bd2c503
Instruction Fuzzy Hash: 04911671E1021AAFCB10CFE9D884AEEBBB8FF49320F144155E515B7251D678A9A1CF60

Function 00293947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0029396B
CharUpperBuffW.USER32(?,?), ref: 00293A7A
_wcslen.LIBCMT ref: 00293A8A
VariantClear.OLEAUT32(?), ref: 00293C1F

Part of subcall function 00280CDF: VariantInit.OLEAUT32(00000000), ref: 00280D1F
Part of subcall function 00280CDF: VariantCopy.OLEAUT32(?,?), ref: 00280D28
Part of subcall function 00280CDF: VariantClear.OLEAUT32(?), ref: 00280D34

Strings

Incorrect Parameter format, xrefs: 002939A6, 00293BA1
AUTOIT.ERROR, xrefs: 00293A80, 00293A85

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 330d05ab4913cc5ec34489a3316dfeda4d3f3519df425c2928b56e03cd66cf41
Instruction ID: e37a524a019c589960e36c784d6361d656f36b7907e021e7b7d6be0c4c3a9fee
Opcode Fuzzy Hash: 330d05ab4913cc5ec34489a3316dfeda4d3f3519df425c2928b56e03cd66cf41
Instruction Fuzzy Hash: 229145756283059FCB00EF64C49096AB7E5BF89314F14886EF88A9B351DB30EE55CF92

Function 00294BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 0027000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0026FF41,80070057,?,?,?,0027035E), ref: 0027002B
Part of subcall function 0027000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0026FF41,80070057,?,?), ref: 00270046
Part of subcall function 0027000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0026FF41,80070057,?,?), ref: 00270054
Part of subcall function 0027000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0026FF41,80070057,?), ref: 00270064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00294C51
_wcslen.LIBCMT ref: 00294D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00294DCF
CoTaskMemFree.OLE32(?), ref: 00294DDA

Strings

NULL Pointer assignment, xrefs: 00294E23, 00294E52

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: c5256cf3a9feed9e633dfe4b735744eae0543ef081582fc04f137023feb890ae
Instruction ID: c4ab20b70c7ebaf824f1004e489ce3c4f4507563522b0481d37f189ec3c709e9
Opcode Fuzzy Hash: c5256cf3a9feed9e633dfe4b735744eae0543ef081582fc04f137023feb890ae
Instruction Fuzzy Hash: B9913871D1021DAFDF14EFA4C891EEEB7B8BF08304F10816AE919A7251DB309A55CFA0

Function 002A20FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 002A2183
GetMenuItemCount.USER32(00000000), ref: 002A21B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 002A21DD
_wcslen.LIBCMT ref: 002A2213
GetMenuItemID.USER32(?,?), ref: 002A224D
GetSubMenu.USER32(?,?), ref: 002A225B

Part of subcall function 00273A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00273A57
Part of subcall function 00273A3D: GetCurrentThreadId.KERNEL32 ref: 00273A5E
Part of subcall function 00273A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,002725B3), ref: 00273A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 002A22E3

Part of subcall function 0027E97B: Sleep.KERNEL32 ref: 0027E9F3

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: f0c3a44240337e4a13d7dd211af6ca21aef0aee12fa40a7e52af4891bb4353e3
Instruction ID: 9821dc25f5621b68340cc197067f4f2d455e340772dade8fba091bc18a2d2761
Opcode Fuzzy Hash: f0c3a44240337e4a13d7dd211af6ca21aef0aee12fa40a7e52af4891bb4353e3
Instruction Fuzzy Hash: B4718E75A20205EFCB10DFA8C845AAEB7F5EF89310F108499E916EB351DB34ED558F90

Function 002A7E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(01726B88), ref: 002A7F37
IsWindowEnabled.USER32(01726B88), ref: 002A7F43
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 002A801E
SendMessageW.USER32(01726B88,000000B0,?,?), ref: 002A8051
IsDlgButtonChecked.USER32(?,?), ref: 002A8089
GetWindowLongW.USER32(01726B88,000000EC), ref: 002A80AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 002A80C3

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 8417fe09f4965171929b671aff440fd8de25f6df99ab09e8fbe9b45ed6bce02e
Instruction ID: d7c5a6fbe1c22203ced19f0e2f7520947cf30cedfec9bd528b16a14f8cb6537d
Opcode Fuzzy Hash: 8417fe09f4965171929b671aff440fd8de25f6df99ab09e8fbe9b45ed6bce02e
Instruction Fuzzy Hash: 9A71A034628205AFEB25DF54CC94FAABBB9EF4B300F14445AE94597261CF31A964CF14

Function 0027AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0027AEF9
GetKeyboardState.USER32(?), ref: 0027AF0E
SetKeyboardState.USER32(?), ref: 0027AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 0027AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 0027AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 0027AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 0027B020

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: a4ccdf16cc7675fe8b1a7ca0bcee6aedef151460f3e0495dbc40f21523be89d9
Instruction ID: 5ced176a8a424931cbb77ef887358f5291644e80acaad4ee7bf7ff6d4a97474c
Opcode Fuzzy Hash: a4ccdf16cc7675fe8b1a7ca0bcee6aedef151460f3e0495dbc40f21523be89d9
Instruction Fuzzy Hash: 7151E5A09243D23DFB3746348845BBB7E995B46314F08C589E1DD858C2C3A998E4D752

Function 0027ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 0027AD19
GetKeyboardState.USER32(?), ref: 0027AD2E
SetKeyboardState.USER32(?), ref: 0027AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0027ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0027ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0027AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0027AE38

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 8fec7f90d36d57d2e732b4a12d90e438e6557c778fd86480196676b2cb1971c1
Instruction ID: e4c0ceb6dd602218ba96db255ac7fdf71b34e146c160a41181c0ec711e83b14c
Opcode Fuzzy Hash: 8fec7f90d36d57d2e732b4a12d90e438e6557c778fd86480196676b2cb1971c1
Instruction Fuzzy Hash: 8C51E6A19247D23EFB378B248C45B7E7E985B86310F08C498E0DD468C3C6B4ECA4D752

Function 0024542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00253CD6,?,?,?,?,?,?,?,?,00245BA3,?,?,00253CD6,?,?), ref: 00245470
__fassign.LIBCMT ref: 002454EB
__fassign.LIBCMT ref: 00245506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00253CD6,00000005,00000000,00000000), ref: 0024552C
WriteFile.KERNEL32(?,00253CD6,00000000,00245BA3,00000000,?,?,?,?,?,?,?,?,?,00245BA3,?), ref: 0024554B
WriteFile.KERNEL32(?,?,00000001,00245BA3,00000000,?,?,?,?,?,?,?,?,?,00245BA3,?), ref: 00245584

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 90c86d7da5737bf70c82514a393503c4f06d6cab38bc973a3f4566c93399eac3
Instruction ID: afc24ad09da0fabbfcb92835f9e50ebd3dd221f93a2e04a6fdf92524668d4dc2
Opcode Fuzzy Hash: 90c86d7da5737bf70c82514a393503c4f06d6cab38bc973a3f4566c93399eac3
Instruction Fuzzy Hash: 6B5103B0A10649AFDB15CFA8D885AEEBBF9EF09300F14401AF585E7292D7709A51CF60

Function 002910B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0029304E: inet_addr.WSOCK32(?), ref: 0029307A
Part of subcall function 0029304E: _wcslen.LIBCMT ref: 0029309B

socket.WSOCK32(00000002,00000001,00000006), ref: 00291112
WSAGetLastError.WSOCK32 ref: 00291121
WSAGetLastError.WSOCK32 ref: 002911C9
closesocket.WSOCK32(00000000), ref: 002911F9

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 0c65e6228be78060b5ba8d775ca571530e87204f961ccbb937e42504004a8c95
Instruction ID: 6f23f9ed1f3d5518eb6ca7da3d9e1b5f60dd8fb81722cbcc6890e795399570a7
Opcode Fuzzy Hash: 0c65e6228be78060b5ba8d775ca571530e87204f961ccbb937e42504004a8c95
Instruction Fuzzy Hash: 1641F431610206AFDB109F15D888BA9BBE9FF45324F248059FD199B291CB74EDA1CFE0

Function 0027CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0027DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0027CF22,?), ref: 0027DDFD

Part of subcall function 0027DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0027CF22,?), ref: 0027DE16

lstrcmpiW.KERNEL32(?,?), ref: 0027CF45
MoveFileW.KERNEL32(?,?), ref: 0027CF7F
_wcslen.LIBCMT ref: 0027D005
_wcslen.LIBCMT ref: 0027D01B
SHFileOperationW.SHELL32(?), ref: 0027D061

Strings

\*.*, xrefs: 0027CFF3

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 4cecb8ab323c4226ca60929c9ceceb0f9521dbd5eccb52d5704ba33979f64882
Instruction ID: 531a4f69491d60919d8edfabd88a29090fc2fd18f233badf67988eb3e0ed4b22
Opcode Fuzzy Hash: 4cecb8ab323c4226ca60929c9ceceb0f9521dbd5eccb52d5704ba33979f64882
Instruction Fuzzy Hash: 5B4198718152195FDF12EFB4C981BDDB7B8AF09340F1040E6E50DE7141EA34AA94CF50

Function 002A2DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 002A2E1C
GetWindowLongW.USER32(?,000000F0), ref: 002A2E4F
GetWindowLongW.USER32(?,000000F0), ref: 002A2E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 002A2EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 002A2EE0
GetWindowLongW.USER32(?,000000F0), ref: 002A2EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 002A2F0B

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 41e68ef44e226605dde86f651530011c47c435fc9e7807514cd3bbd323718433
Instruction ID: caed1071d729cf2d7b9616a6ca27bb0ffba8113708ae4efe36e20bf755470caa
Opcode Fuzzy Hash: 41e68ef44e226605dde86f651530011c47c435fc9e7807514cd3bbd323718433
Instruction Fuzzy Hash: 6731E230654151EFDB25CF5CED88F6537E5EB8AB10F150164F9049F2A2CB71B8A8DB41

Function 00277726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00277769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0027778F
SysAllocString.OLEAUT32(00000000), ref: 00277792
SysAllocString.OLEAUT32(?), ref: 002777B0
SysFreeString.OLEAUT32(?), ref: 002777B9
StringFromGUID2.OLE32(?,?,00000028), ref: 002777DE
SysAllocString.OLEAUT32(?), ref: 002777EC

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 73feba76da8af4477a679b2ebe80b1684d29cf02b778b6c6ff0d0042f19d5d45
Instruction ID: f427060448ad05bc5bc4c39acd9687d7c7be4eb64b908d39f2cfc6b5ed825204
Opcode Fuzzy Hash: 73feba76da8af4477a679b2ebe80b1684d29cf02b778b6c6ff0d0042f19d5d45
Instruction Fuzzy Hash: BA21C476614219AFDF14EFA8DC88CBBB7ECEB0A3647108025F908DB150DA70DC418B64

Function 002777FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00277842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00277868
SysAllocString.OLEAUT32(00000000), ref: 0027786B
SysAllocString.OLEAUT32 ref: 0027788C
SysFreeString.OLEAUT32 ref: 00277895
StringFromGUID2.OLE32(?,?,00000028), ref: 002778AF
SysAllocString.OLEAUT32(?), ref: 002778BD

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 16c391075b070e3419eb2bba6bb4871346640cc0e59d3731bbfbc43920b6d109
Instruction ID: 0127463a3219481e88ce657d375bdc5db2080b60476e7ab89a1476dbe9859dff
Opcode Fuzzy Hash: 16c391075b070e3419eb2bba6bb4871346640cc0e59d3731bbfbc43920b6d109
Instruction Fuzzy Hash: B7219D31619205AFDB10AFA8EC8CDBA77ECEB093607108125F919CB2A1DA70DC51DB65

Function 002804D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 002804F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0028052E

Strings

nul, xrefs: 00280567

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 3092796d825a06032e0fcf0038583961083a1dd765b6f91c1087b901ca2df14b
Instruction ID: 0323d507b6bb36837dab14ac5b01f4cf7a553812f1eb9345e0733316c2b50298
Opcode Fuzzy Hash: 3092796d825a06032e0fcf0038583961083a1dd765b6f91c1087b901ca2df14b
Instruction Fuzzy Hash: 0E21A5795113069FCB20AF29EC84A5A77E4BF45720F604A19F8A1D21E0D7749968CF30

Function 002805A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 002805C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00280601

Strings

nul, xrefs: 00280639

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: b555ba6996a7fb7a451d46ec0feb29eaec7d7696f2648b42ec1f96a70818e942
Instruction ID: 89aa3f1dc1e44795ac0b89f338f8cc527524b79a1a7e3b14285eeff93526eb68
Opcode Fuzzy Hash: b555ba6996a7fb7a451d46ec0feb29eaec7d7696f2648b42ec1f96a70818e942
Instruction Fuzzy Hash: DD21B7395113169FDB60AF68DC84A5A77E8BF85720F200B19FCA1D32D0EBB09874CB10

Function 002A40AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0021600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0021604C
Part of subcall function 0021600E: GetStockObject.GDI32(00000011), ref: 00216060
Part of subcall function 0021600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0021606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 002A4112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 002A411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 002A412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 002A4139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 002A4145

Strings

Msctls_Progress32, xrefs: 002A40E3

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 51ba8009c1f34cad59c3d6457efc44dd19cf0db3b0cc3abf152a8d4b3a8aec26
Instruction ID: 6d8702635ba75fd8d26e82f2de77d40b672d877f26ed0ff20a89703f79ade25c
Opcode Fuzzy Hash: 51ba8009c1f34cad59c3d6457efc44dd19cf0db3b0cc3abf152a8d4b3a8aec26
Instruction Fuzzy Hash: CA11B2B215021ABFEF119F64CC85EE77F9DEF09798F004111BA18A6150CAB2DC61DBA4

Function 0024D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0024D7A3: _free.LIBCMT ref: 0024D7CC

_free.LIBCMT ref: 0024D82D

Part of subcall function 002429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0024D7D1,00000000,00000000,00000000,00000000,?,0024D7F8,00000000,00000007,00000000,?,0024DBF5,00000000), ref: 002429DE
Part of subcall function 002429C8: GetLastError.KERNEL32(00000000,?,0024D7D1,00000000,00000000,00000000,00000000,?,0024D7F8,00000000,00000007,00000000,?,0024DBF5,00000000,00000000), ref: 002429F0

_free.LIBCMT ref: 0024D838
_free.LIBCMT ref: 0024D843
_free.LIBCMT ref: 0024D897
_free.LIBCMT ref: 0024D8A2
_free.LIBCMT ref: 0024D8AD
_free.LIBCMT ref: 0024D8B8

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: 8fc96857f7ecb59ef4652d1aeaab4679ca90e73d920aec9bd5a62ee6181de18f
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: 6D115171560B04EBE925BFB1CC47FCBBBDC6F00700F800825B299A6192DA75B5254E50

Function 0027DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0027DA74
LoadStringW.USER32(00000000), ref: 0027DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0027DA91
LoadStringW.USER32(00000000), ref: 0027DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0027DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0027DAB9

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: fecbcf32a50df63ab43b860cb683f70e84ea1fd296ec6fa944d429fd2d5f5305
Instruction ID: 8915d025f1d02bd07b999391fcf445635c3302120ee8d33582042f4a5e8d5655
Opcode Fuzzy Hash: fecbcf32a50df63ab43b860cb683f70e84ea1fd296ec6fa944d429fd2d5f5305
Instruction Fuzzy Hash: 6D0162F29102087FE710DBA4AD8DEE7736CEB09701F504496B74AE2141EA749E844F74

Function 0028096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(0171E978,0171E978), ref: 0028097B
EnterCriticalSection.KERNEL32(0171E958,00000000), ref: 0028098D
TerminateThread.KERNEL32(?,000001F6), ref: 0028099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 002809A9
CloseHandle.KERNEL32(?), ref: 002809B8
InterlockedExchange.KERNEL32(0171E978,000001F6), ref: 002809C8
LeaveCriticalSection.KERNEL32(0171E958), ref: 002809CF

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: e83b34eb3a7dd42124b94ed260005c7cd082d2ff19987743640ed1163a383e8c
Instruction ID: 300b62fbd328095c5746105533add763bae24ad30333c593c0c32366d6e38aa0
Opcode Fuzzy Hash: e83b34eb3a7dd42124b94ed260005c7cd082d2ff19987743640ed1163a383e8c
Instruction Fuzzy Hash: 31F0C932542A12FBD7516FA4EE8DBD6BA29FF06702F502025F602908A1DF75A875CF90

Function 00215D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00215D30
GetWindowRect.USER32(?,?), ref: 00215D71
ScreenToClient.USER32(?,?), ref: 00215D99
GetClientRect.USER32(?,?), ref: 00215ED7
GetWindowRect.USER32(?,?), ref: 00215EF8

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 0978f0b703b127ffce8ca3f04b9360e6a4a1868a371fd7231758a367ddb51b6e
Instruction ID: bafd71cc79f819cad3379cadd2b418980a40e6025533580eb8b4601d0949bb8e
Opcode Fuzzy Hash: 0978f0b703b127ffce8ca3f04b9360e6a4a1868a371fd7231758a367ddb51b6e
Instruction Fuzzy Hash: 8BB17C34A2074ADBDB10DFA8C4447EEB7F1FF54314F14841AE8A9D7250DB30AAA1DB54

Function 002401B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 002400BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 002400D6
__allrem.LIBCMT ref: 002400ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0024010B
__allrem.LIBCMT ref: 00240122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00240140

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction ID: 37cb75cf08a1997f6f9ec1bb4f9f56f0988deb3ae52fc467730a73c58462c78e
Opcode Fuzzy Hash: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction Fuzzy Hash: 788149B2A207029BE728AF79DC81B6B73E8AF41724F24453AF915D76C1E770D9608F50

Function 00291D10 Relevance: 9.3, APIs: 6, Instructions: 254networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00293149: select.WSOCK32(00000000,?,00000000,00000000,?), ref: 00293195

__WSAFDIsSet.WSOCK32(00000000,?), ref: 00291DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00291DE1
WSAGetLastError.WSOCK32 ref: 00291DF2
inet_ntoa.WSOCK32(?), ref: 00291E8C
htons.WSOCK32(?), ref: 00291EDB
_strlen.LIBCMT ref: 00291F35

Part of subcall function 002739E8: _strlen.LIBCMT ref: 002739F2

Part of subcall function 00216D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000002,?,?,?,?,0022CF58,?,?,?), ref: 00216DBA
Part of subcall function 00216D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,?,?,?,0022CF58,?,?,?), ref: 00216DED

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: ByteCharMultiWide_strlen$ErrorLasthtonsinet_ntoaselect
String ID:
API String ID: 1923757996-0
Opcode ID: 359973739f1729d8cff879e22ff4d5af8044c788a77a3c573b5eb0170e598f60
Instruction ID: 6b4cbc7a7e2afc840eee51366292224516eb002f7092ac03efc74a174de8b4e9
Opcode Fuzzy Hash: 359973739f1729d8cff879e22ff4d5af8044c788a77a3c573b5eb0170e598f60
Instruction Fuzzy Hash: DAA12431114302AFC724DF21C885F6AB7E5AF94318F54895CF4565B2E2CB71EDA2CB91

Function 002461FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,002382D9,002382D9,?,?,?,0024644F,00000001,00000001,8BE85006), ref: 00246258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0024644F,00000001,00000001,8BE85006,?,?,?), ref: 002462DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 002463D8
__freea.LIBCMT ref: 002463E5

Part of subcall function 00243820: RtlAllocateHeap.NTDLL(00000000,?,002E1444,?,0022FDF5,?,?,0021A976,00000010,002E1440,002113FC,?,002113C6,?,00211129), ref: 00243852

__freea.LIBCMT ref: 002463EE
__freea.LIBCMT ref: 00246413

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 778340c3ada2949e4ae9eea0100fb1758077aae92e6b125d8705f84a8a3fd195
Instruction ID: 2ce221695e6dd40d9fd67c67914a89e615e6e5cf85851ff9874241b5d35e8d8a
Opcode Fuzzy Hash: 778340c3ada2949e4ae9eea0100fb1758077aae92e6b125d8705f84a8a3fd195
Instruction Fuzzy Hash: E4513772620207ABDB2D8FA0CC89EAF7BA9EF46B10F144269FC05D6140DB74DC60CA61

Function 0029BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00219CB3: _wcslen.LIBCMT ref: 00219CBD

Part of subcall function 0029C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0029B6AE,?,?), ref: 0029C9B5
Part of subcall function 0029C998: _wcslen.LIBCMT ref: 0029C9F1
Part of subcall function 0029C998: _wcslen.LIBCMT ref: 0029CA68
Part of subcall function 0029C998: _wcslen.LIBCMT ref: 0029CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0029BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0029BD25
RegCloseKey.ADVAPI32(00000000), ref: 0029BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0029BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0029BDF3
RegCloseKey.ADVAPI32(?), ref: 0029BDFF

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: a7c244c10eedae0fbf909de51e31da2c720dba177f1f160ab34b7ad2ff2fe7d8
Instruction ID: 2a78c7467fcfd44c0748f1124794638b8a0bdc47c987b44ca5c73edf4bf7236f
Opcode Fuzzy Hash: a7c244c10eedae0fbf909de51e31da2c720dba177f1f160ab34b7ad2ff2fe7d8
Instruction Fuzzy Hash: FE81BE30228241AFCB15DF24D985E6ABBE5FF85308F14846DF4994B2A2CB31ED55CF92

Function 0026F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 0026F7B9
SysAllocString.OLEAUT32(00000001), ref: 0026F860
VariantCopy.OLEAUT32(0026FA64,00000000), ref: 0026F889
VariantClear.OLEAUT32(0026FA64), ref: 0026F8AD
VariantCopy.OLEAUT32(0026FA64,00000000), ref: 0026F8B1
VariantClear.OLEAUT32(?), ref: 0026F8BB

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 3e7c5733dfbadc349b9a92de494062558e5bee9bc6dd1af8c33943c084848196
Instruction ID: c0195f37c157b697d4a3954fc8fc8577827dbbcabbce01caa0b2b3353d8e7894
Opcode Fuzzy Hash: 3e7c5733dfbadc349b9a92de494062558e5bee9bc6dd1af8c33943c084848196
Instruction Fuzzy Hash: 3851D531631310BACF90AF65F995B29B3E8EF55310B208466E905DF291DBB08CE0CB96

Function 0028910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00217620: _wcslen.LIBCMT ref: 00217625

Part of subcall function 00216B57: _wcslen.LIBCMT ref: 00216B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 002894E5
_wcslen.LIBCMT ref: 00289506
_wcslen.LIBCMT ref: 0028952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00289585

Strings

X, xrefs: 00289412

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: b7bcd1cb88bb8a66637ee4aba48cddd69e2136c50c5aa1050e386274309552d4
Instruction ID: 0c8904f7a558c382974330194a4b26483aed4276ee7537707d1b977ebaa1f0b3
Opcode Fuzzy Hash: b7bcd1cb88bb8a66637ee4aba48cddd69e2136c50c5aa1050e386274309552d4
Instruction Fuzzy Hash: C0E1D4345243419FD714EF24C881AAEB7E5BF94314F08856DF8899B2A2DB30DD95CF91

Function 0022920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00229BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00229BB2

BeginPaint.USER32(?,?,?), ref: 00229241
GetWindowRect.USER32(?,?), ref: 002292A5
ScreenToClient.USER32(?,?), ref: 002292C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 002292D3
EndPaint.USER32(?,?,?,?,?), ref: 00229321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 002671EA

Part of subcall function 00229339: BeginPath.GDI32(00000000), ref: 00229357

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 605dfdbb2bf2a62b03a24fe0bc83080e1afa24cd31e8400c82b86f7f72ef3372
Instruction ID: 80de8c4991cd1908b7444c997b2cb0079139cc138246b5eb94f37807c408df54
Opcode Fuzzy Hash: 605dfdbb2bf2a62b03a24fe0bc83080e1afa24cd31e8400c82b86f7f72ef3372
Instruction Fuzzy Hash: D941B230114251EFD710DF64EC88FBA7BB8EF46724F140669F9548B2A2CB7098A5DB61

Function 002807EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 0028080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00280847
EnterCriticalSection.KERNEL32(?), ref: 00280863
LeaveCriticalSection.KERNEL32(?), ref: 002808DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 002808F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00280921

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: f5a7c10a53d42f2693dd704106b60d1b6ff0ee81a665196c71d66d7eee7a9015
Instruction ID: 79e137d1de25983374aba0755ca7f9396be9f161f3a296e629f038b37034281b
Opcode Fuzzy Hash: f5a7c10a53d42f2693dd704106b60d1b6ff0ee81a665196c71d66d7eee7a9015
Instruction Fuzzy Hash: F8416A71A10205EBDF55AF94EC85AAA7778FF04310F1440B9ED04AA296DB30DE64DFA4

Function 002A81DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0026F3AB,00000000,?,?,00000000,?,0026682C,00000004,00000000,00000000), ref: 002A824C
EnableWindow.USER32(?,00000000), ref: 002A8272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 002A82D1
ShowWindow.USER32(?,00000004), ref: 002A82E5
EnableWindow.USER32(?,00000001), ref: 002A830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 002A832F

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: effbaa2786a66ca9d0af4d5ac865818f523c5323646266302febc098d82731aa
Instruction ID: 0b5b4f83a12260ee5d7413b87c02fe55f3fa8a45bd04670d35d155df472a6de4
Opcode Fuzzy Hash: effbaa2786a66ca9d0af4d5ac865818f523c5323646266302febc098d82731aa
Instruction Fuzzy Hash: 2F418334601685EFDF15CF15E899BB47BE0BB4B714F1841A9EA484F262CF31A865CB50

Function 00274C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00274C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00274CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00274CEA
_wcslen.LIBCMT ref: 00274D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00274D10
_wcsstr.LIBVCRUNTIME ref: 00274D1A

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 799634b060aa5a3ef70fdf0835d6825d91f615c5118ae7ce6e62b55e1e0c6623
Instruction ID: cf653dba2aba08c88dc99cd6d8bc24a4c26ae99f64ca6162fccfc5888b7d4496
Opcode Fuzzy Hash: 799634b060aa5a3ef70fdf0835d6825d91f615c5118ae7ce6e62b55e1e0c6623
Instruction Fuzzy Hash: 3C212C71214111BBEB2AAF79AD09E7B7BACDF46750F10807EF809CA151EF71DC1086A0

Function 0028581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00213AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00213A97,?,?,00212E7F,?,?,?,00000000), ref: 00213AC2

_wcslen.LIBCMT ref: 0028587B
CoInitialize.OLE32(00000000), ref: 00285995
CoCreateInstance.OLE32(002AFCF8,00000000,00000001,002AFB68,?), ref: 002859AE
CoUninitialize.OLE32 ref: 002859CC

Strings

.lnk, xrefs: 00285876, 002858C1, 00285985

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: f1cfc8b0290c51b56977da7a44bc662f0718915f843c775501c7a678587b67a3
Instruction ID: af003eeea7d1bbf661ce61bfe037d55c5d6896c5c864192faf5a1eb8c293761a
Opcode Fuzzy Hash: f1cfc8b0290c51b56977da7a44bc662f0718915f843c775501c7a678587b67a3
Instruction Fuzzy Hash: EBD174786286119FC714EF24C48096ABBF2FF99314F148859F8899B3A1DB31EC55CF92

Function 0027175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00270FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00270FCA
Part of subcall function 00270FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00270FD6
Part of subcall function 00270FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00270FE5
Part of subcall function 00270FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00270FEC
Part of subcall function 00270FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00271002

GetLengthSid.ADVAPI32(?,00000000,00271335), ref: 002717AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 002717BA
HeapAlloc.KERNEL32(00000000), ref: 002717C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 002717DA
GetProcessHeap.KERNEL32(00000000,00000000,00271335), ref: 002717EE
HeapFree.KERNEL32(00000000), ref: 002717F5

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: c60d8926649e8d9c52f179e17100328f92ed169e62632affbeca1fe67c89ee41
Instruction ID: aac7a351a7d099107727a74d96736c73e665a03d4dea845c0fafad4f6f4dd4d5
Opcode Fuzzy Hash: c60d8926649e8d9c52f179e17100328f92ed169e62632affbeca1fe67c89ee41
Instruction Fuzzy Hash: B9118171620205FFDB149FA8DC49BAEBBA9EF46355F208018F4499B110DB359964CB60

Function 002714CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 002714FF
OpenProcessToken.ADVAPI32(00000000), ref: 00271506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00271515
CloseHandle.KERNEL32(00000004), ref: 00271520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0027154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00271563

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: bae1cc8b0d494c8a377990aa891811b0a727ba0ee2b3697555114d7406525dfc
Instruction ID: 388278151bae07f1bc6e5e2abba14f98612164c05add604de2df8d193cd22c92
Opcode Fuzzy Hash: bae1cc8b0d494c8a377990aa891811b0a727ba0ee2b3697555114d7406525dfc
Instruction Fuzzy Hash: 1B11677250020EABDF119FA8ED49FDF7BA9EF49704F148064FA09A2060C771CE64DB60

Function 00233382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00233379,00232FE5), ref: 00233390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0023339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 002333B7
SetLastError.KERNEL32(00000000,?,00233379,00232FE5), ref: 00233409

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 9fe5a23cf3f745e9f61f3ea7343f514e9a363bfb76232bbd7a4899751966a148
Instruction ID: a6b31443b58a296083442d7a28645c5a2ad2994429c3be30107f5c269fa04ab5
Opcode Fuzzy Hash: 9fe5a23cf3f745e9f61f3ea7343f514e9a363bfb76232bbd7a4899751966a148
Instruction Fuzzy Hash: 3A012DB3639313BF96146B757C8A6665B54D705376F30C26AF510811F0EF114F319984

Function 00242D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00245686,00253CD6,?,00000000,?,00245B6A,?,?,?,?,?,0023E6D1,?,002D8A48), ref: 00242D78
_free.LIBCMT ref: 00242DAB
_free.LIBCMT ref: 00242DD3
SetLastError.KERNEL32(00000000,?,?,?,?,0023E6D1,?,002D8A48,00000010,00214F4A,?,?,00000000,00253CD6), ref: 00242DE0
SetLastError.KERNEL32(00000000,?,?,?,?,0023E6D1,?,002D8A48,00000010,00214F4A,?,?,00000000,00253CD6), ref: 00242DEC
_abort.LIBCMT ref: 00242DF2

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 46e927e364ce8acbd30fe1052dec8a4f7c64c7684516c9d36f913744888c848c
Instruction ID: 951b669a53583f5ba7d387ae140be83b549fa9feeb6242b96240c7d8052793f9
Opcode Fuzzy Hash: 46e927e364ce8acbd30fe1052dec8a4f7c64c7684516c9d36f913744888c848c
Instruction Fuzzy Hash: B5F02831D35A02E7C61E7B37BC0EF1E2659AFC27A0FB40019F824922D2EE708C394520

Function 002A8A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00229639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00229693
Part of subcall function 00229639: SelectObject.GDI32(?,00000000), ref: 002296A2
Part of subcall function 00229639: BeginPath.GDI32(?), ref: 002296B9
Part of subcall function 00229639: SelectObject.GDI32(?,00000000), ref: 002296E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 002A8A4E
LineTo.GDI32(?,00000003,00000000), ref: 002A8A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 002A8A70
LineTo.GDI32(?,00000000,00000003), ref: 002A8A80
EndPath.GDI32(?), ref: 002A8A90
StrokePath.GDI32(?), ref: 002A8AA0

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 71a22250ce2edb11c8c5745c3b7e43bbb43b6ff6b5c49e1b3967e34943d0c78d
Instruction ID: d9c81490386d9b0ae1acd63e2b4c0b034912d06e71d5442674bb36c0a3a25c74
Opcode Fuzzy Hash: 71a22250ce2edb11c8c5745c3b7e43bbb43b6ff6b5c49e1b3967e34943d0c78d
Instruction Fuzzy Hash: 7E111B7604014DFFDF129F90EC88FAA7F6CEB09350F108022BA199A1A1CB719D65DFA0

Function 002751FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00275218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00275229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00275230
ReleaseDC.USER32(00000000,00000000), ref: 00275238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0027524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00275261

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: d282d970d9dc02bb11c9a723b44b928fdc55f5ba697863358364d9e94c60f811
Instruction ID: 39527d4af34b43e881b1bc5c563d3666a2db9664c6dfde65947d37c8cb123f4c
Opcode Fuzzy Hash: d282d970d9dc02bb11c9a723b44b928fdc55f5ba697863358364d9e94c60f811
Instruction Fuzzy Hash: A4014F75A00719BBEB109FA5AC49A5EBFB8EB49751F144065FA08A7281DA709C10CFA0

Function 00211BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00211BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00211BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00211C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00211C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00211C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00211C22

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 6bebcd4f2529e786265460ed0b3430b4d733db966360f9b4267d055695b660bf
Instruction ID: 772f7203c1431f04e262960f0d92d87c1d688a8e0301576e463fbc8564aa7e40
Opcode Fuzzy Hash: 6bebcd4f2529e786265460ed0b3430b4d733db966360f9b4267d055695b660bf
Instruction Fuzzy Hash: 9D0167B0902B5ABDE3008F6A8C85B52FFE8FF59754F04411BA15C4BA42C7F5A864CBE5

Function 0027EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0027EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0027EB46
GetWindowThreadProcessId.USER32(?,?), ref: 0027EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0027EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0027EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0027EB75

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 1021fdf1c899ad3cae3760f738aebc8ad23dd025bfaba6270d4ac5d35484f339
Instruction ID: 66ebed7bf8db00c7a754de1734df4d1cbf77bf17f8b55dcbf2a4301666bfb470
Opcode Fuzzy Hash: 1021fdf1c899ad3cae3760f738aebc8ad23dd025bfaba6270d4ac5d35484f339
Instruction Fuzzy Hash: F8F01772240159BBE7219B62AC0EEAB3A7CEBCBF11F104159F601D1091EBA05A018AB5

Function 00267439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00267452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00267469
GetWindowDC.USER32(?), ref: 00267475
GetPixel.GDI32(00000000,?,?), ref: 00267484
ReleaseDC.USER32(?,00000000), ref: 00267496
GetSysColor.USER32(00000005), ref: 002674B0

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 08374e017652260381f4667bac4a3eeba384091b4eb6df1fca7043cb2d25e952
Instruction ID: 3d62d56a7cec90b1a97e1c421cae362a3cb7ffe93a1bf30b97220ca22328c3d7
Opcode Fuzzy Hash: 08374e017652260381f4667bac4a3eeba384091b4eb6df1fca7043cb2d25e952
Instruction Fuzzy Hash: DC018B31410215EFDB109FA4ED0CBAA7BB5FB05711F600060F925A21A0CF311EA1AB50

Function 00271874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0027187F
UnloadUserProfile.USERENV(?,?), ref: 0027188B
CloseHandle.KERNEL32(?), ref: 00271894
CloseHandle.KERNEL32(?), ref: 0027189C
GetProcessHeap.KERNEL32(00000000,?), ref: 002718A5
HeapFree.KERNEL32(00000000), ref: 002718AC

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: bfd01c299b00f6e5730d7b06c5cd92c7c052ef7e796c08cf3bb9358bbf581529
Instruction ID: 77f8c5649fa14b8ac2b2ac2bb7708e1640f030cf4a117ff97ca293baf48d6d91
Opcode Fuzzy Hash: bfd01c299b00f6e5730d7b06c5cd92c7c052ef7e796c08cf3bb9358bbf581529
Instruction Fuzzy Hash: 31E07576204505FBDB016FA5FD0C94ABF79FF4AB22B608625F22981471DF329461DF50

Function 0021BBE0 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 232COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0021BEB3

Strings

D%., xrefs: 0021BCA2
D%., xrefs: 0021BDED, 0021BD91, 0021BD1B
D%.D%., xrefs: 0021BCA5
D%., xrefs: 0021BE9A

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: D%.$D%.$D%.$D%.D%.
API String ID: 1385522511-515690787
Opcode ID: ae38c81ffed08ea3f7fa56757a738a2dd53b8c2cea22501d0667e188e1c76326
Instruction ID: 1304abafae36f14710d270c4f782101764a765c42c16137ba444f5168162f0d4
Opcode Fuzzy Hash: ae38c81ffed08ea3f7fa56757a738a2dd53b8c2cea22501d0667e188e1c76326
Instruction Fuzzy Hash: 0D914A75A2020ACFCB19CF59C0906EAB7F1FF69310F64416AD946AB350D771ADA1CBD0

Function 00297B7E Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00230242: EnterCriticalSection.KERNEL32(002E070C,002E1884,?,?,0022198B,002E2518,?,?,?,002112F9,00000000), ref: 0023024D
Part of subcall function 00230242: LeaveCriticalSection.KERNEL32(002E070C,?,0022198B,002E2518,?,?,?,002112F9,00000000), ref: 0023028A

Part of subcall function 00219CB3: _wcslen.LIBCMT ref: 00219CBD

Part of subcall function 002300A3: __onexit.LIBCMT ref: 002300A9

__Init_thread_footer.LIBCMT ref: 00297BFB

Part of subcall function 002301F8: EnterCriticalSection.KERNEL32(002E070C,?,?,00228747,002E2514), ref: 00230202
Part of subcall function 002301F8: LeaveCriticalSection.KERNEL32(002E070C,?,00228747,002E2514), ref: 00230235

Strings

+T&, xrefs: 00297E2E
G, xrefs: 00297C7F
5, xrefs: 00297C78
Variable must be of type 'Object'., xrefs: 00297C3A

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: +T&$5$G$Variable must be of type 'Object'.
API String ID: 535116098-2833248500
Opcode ID: 516cd7b701d376461c113cbc8678f4ded721447165517de8179343d0e2019f1e
Instruction ID: aea7d55d787fde7602a31f04ba79b89faf32d78957e530346dc3ccb274a21992
Opcode Fuzzy Hash: 516cd7b701d376461c113cbc8678f4ded721447165517de8179343d0e2019f1e
Instruction Fuzzy Hash: A0919D74A34209EFCF04EF54D8919ADB7B1FF49300F548059F8069B292DB71AE61CB61

Function 0027C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00217620: _wcslen.LIBCMT ref: 00217625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0027C6EE
_wcslen.LIBCMT ref: 0027C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0027C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0027C7CA

Strings

0, xrefs: 0027C6AF

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 612f4556281b8aee4a6e8b994f99c1ce704700ed23e820d6c497ede14f01b27c
Instruction ID: 1f84185c02c30a7a737104ea0a3470285c8a18ad0a775e0fb50202a27eda19a6
Opcode Fuzzy Hash: 612f4556281b8aee4a6e8b994f99c1ce704700ed23e820d6c497ede14f01b27c
Instruction Fuzzy Hash: 1951E3716343029BD7199F38D885A6BB7E8AF85310F24892DF599E21D0DB70D9248F52

Function 0029AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 0029AEA3

Part of subcall function 00217620: _wcslen.LIBCMT ref: 00217625

GetProcessId.KERNEL32(00000000), ref: 0029AF38
CloseHandle.KERNEL32(00000000), ref: 0029AF67

Strings

<, xrefs: 0029AE6B
@, xrefs: 0029AE72

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 72f79e4459234ae786882b5f60c2c2a730b8edc382d895363d3f10330235deb6
Instruction ID: 8e7b802c29244f8e191dcf32c3cf6f51b9ee04e4dff9220a20bf5d7e3dadf40e
Opcode Fuzzy Hash: 72f79e4459234ae786882b5f60c2c2a730b8edc382d895363d3f10330235deb6
Instruction Fuzzy Hash: D2715670A20219DFCF14DF54C484A9EBBF1BF08300F0484A9E856AB662CB71ED95CF91

Function 0027719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00277206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0027723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0027724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 002772CF

Strings

DllGetClassObject, xrefs: 00277242

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: ac32ed0e29e5c56378de251611a60bd581fba6c6c6ef0c4d8af41e64176515ba
Instruction ID: 6c08833049ba8c21e88ee07045fd6c968261bb23998e81fc9a0c15410c8bf16c
Opcode Fuzzy Hash: ac32ed0e29e5c56378de251611a60bd581fba6c6c6ef0c4d8af41e64176515ba
Instruction Fuzzy Hash: 03418D71A14204EFDB15CF64C884A9A7BB9EF49314F24C0AABD19DF20AD7B0DD54CBA0

Function 002A3D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 002A3E35
IsMenu.USER32(?), ref: 002A3E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 002A3E92
DrawMenuBar.USER32 ref: 002A3EA5

Strings

0, xrefs: 002A3D89

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: 4d039d5aa76a9626992210bfa80a69a6d9cebdb914a34c4b6d321b5afef0a613
Instruction ID: 8df710dcbf3358ad8b04277c6a3cb784b2ee3e2b22e72adc5fcc2913eda8721a
Opcode Fuzzy Hash: 4d039d5aa76a9626992210bfa80a69a6d9cebdb914a34c4b6d321b5afef0a613
Instruction Fuzzy Hash: A6414C75A2120AEFDB10DF50E984ADAB7B5FF4A354F044129F905A7250DB30AE64CF50

Function 00271DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00219CB3: _wcslen.LIBCMT ref: 00219CBD

Part of subcall function 00273CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00273CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00271E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00271E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 00271EA9

Part of subcall function 00216B57: _wcslen.LIBCMT ref: 00216B6A

Strings

ComboBox, xrefs: 00271DF0
ListBox, xrefs: 00271E25

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: a34d3d54bca5e4e8c05e6340321d2ec8f9f174fd3f16188bf635f3f9559c2725
Instruction ID: bdb3d87dcbb0fc6bf3bddf5e8631f469d29eece861cbf22754a64d18bc1be5f4
Opcode Fuzzy Hash: a34d3d54bca5e4e8c05e6340321d2ec8f9f174fd3f16188bf635f3f9559c2725
Instruction Fuzzy Hash: 29213771A20104BBDB189FA8DC4ACFFB7B8DF56350B10812AF859A31E0DF744E758A20

Function 0029C9EA Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 91COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0029C9F1
_wcslen.LIBCMT ref: 0029CA68
_wcslen.LIBCMT ref: 0029CA9E
_wcslen.LIBCMT ref: 0029CAF9
_wcslen.LIBCMT ref: 0029CB2F
_wcslen.LIBCMT ref: 0029CB7F

Strings

HKEY_LOCAL_MACHINE, xrefs: 0029CA62, 0029CA67
HKLM, xrefs: 0029CA98, 0029CA9D

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: _wcslen
String ID: HKEY_LOCAL_MACHINE$HKLM
API String ID: 176396367-4004644295
Opcode ID: 5fe197097e40fb1729762f0dc629e8c632fe54fba6393e174101cf0574a76459
Instruction ID: 31354a032ca5a69100d15cb88a20f6212b70c72a30ecdb0004cb4aa45bea0741
Opcode Fuzzy Hash: 5fe197097e40fb1729762f0dc629e8c632fe54fba6393e174101cf0574a76459
Instruction Fuzzy Hash: C931E673A701AB4BCF20EF2CD8501BE33915BA1750B65402AE845AB385FA71CDA0D7A0

Function 002A2F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 002A2F8D
LoadLibraryW.KERNEL32(?), ref: 002A2F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 002A2FA9
DestroyWindow.USER32(?), ref: 002A2FB1

Strings

SysAnimate32, xrefs: 002A2F68

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: f4a80fa04916e51a630ae662191fb156a79344a67430ae5cff73e5964de90351
Instruction ID: 07565d61ee2b9eac3470fd259fb16cf223d24d8dca55479a39b0b95325ea06d8
Opcode Fuzzy Hash: f4a80fa04916e51a630ae662191fb156a79344a67430ae5cff73e5964de90351
Instruction Fuzzy Hash: F721C071220206EFEB108F68DC84FBB77BDEB5A364F104219FA50D6590DB71DCA59B60

Function 00234D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00234D1E,002428E9,?,00234CBE,002428E9,002D88B8,0000000C,00234E15,002428E9,00000002), ref: 00234D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00234DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00234D1E,002428E9,?,00234CBE,002428E9,002D88B8,0000000C,00234E15,002428E9,00000002,00000000), ref: 00234DC3

Strings

CorExitProcess, xrefs: 00234D98
mscoree.dll, xrefs: 00234D86

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: de5768fe9d34b553e971399e41c9595f8445795c97113bea4ea74b86930421a0
Instruction ID: 0d82e6ee1a378e4d4833de78121b2d748380378c6aaa60a931dbe714cf58d7e9
Opcode Fuzzy Hash: de5768fe9d34b553e971399e41c9595f8445795c97113bea4ea74b86930421a0
Instruction Fuzzy Hash: 92F03C74A50209ABDB159F94EC49BAEBFE5EB45752F1001A4E90AA2260CF70AE50DA90

Function 0026D3A0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 0026D3AD
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0026D3BF
FreeLibrary.KERNEL32(00000000), ref: 0026D3E5

Strings

X64, xrefs: 0026D2A8
GetSystemWow64DirectoryW, xrefs: 0026D3B9

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 145871493-2590602151
Opcode ID: a62448563147c83bd3f4c591846612b7aed85799aa2f9399c0f214435f21015d
Instruction ID: be80f758d48cc9a2499ebecaa67f0be126d5b49c4853117ec23e784097c8b558
Opcode Fuzzy Hash: a62448563147c83bd3f4c591846612b7aed85799aa2f9399c0f214435f21015d
Instruction Fuzzy Hash: 74F05571F3962ADBD7711B219C3C9693724AF12701B6484E5F806EA216DFA0CDF08AD2

Function 00214E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00214EDD,?,002E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00214E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00214EAE
FreeLibrary.KERNEL32(00000000,?,?,00214EDD,?,002E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00214EC0

Strings

kernel32.dll, xrefs: 00214E94
Wow64DisableWow64FsRedirection, xrefs: 00214EA8

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: ebfe66d95d7ace7b2f328307fe4dedc6251bc78d52cf82462cab1da048a8286f
Instruction ID: ffb02e2dc5adf9df151f250b87a84d9edafb856afb7597974b977b124c2d2b18
Opcode Fuzzy Hash: ebfe66d95d7ace7b2f328307fe4dedc6251bc78d52cf82462cab1da048a8286f
Instruction Fuzzy Hash: D6E0CD35B115235BD2322F25BC1CB9F65D4AF93F627150115FC0CD2200DF60CD5144B1

Function 00214E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00253CDE,?,002E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00214E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00214E74
FreeLibrary.KERNEL32(00000000,?,?,00253CDE,?,002E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00214E87

Strings

kernel32.dll, xrefs: 00214E5B
Wow64RevertWow64FsRedirection, xrefs: 00214E6E

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 76a802d2c25cf17cc85ed7686bd2141c9bc14c7df58e651c0321e5a1df88f7a3
Instruction ID: 1d8e567bd9d110d4d971ff7fd3e820ecbf959a08882549711067b6c0dcb098df
Opcode Fuzzy Hash: 76a802d2c25cf17cc85ed7686bd2141c9bc14c7df58e651c0321e5a1df88f7a3
Instruction Fuzzy Hash: F5D012356226235756222F25BC1CDCB6A58AF87B553150625F90DA2114CF61CD6285E0

Function 00282947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00282C05
DeleteFileW.KERNEL32(?), ref: 00282C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00282C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00282CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00282CC0

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 6077d536a19f00f7acb9f871c89b5a377971123cf34be993f7f07fcdaa39da66
Instruction ID: e47a6aa49e7a5a916af32d1ccc4aabd7bc380b7c01c29b7b6053d96f05de4d0e
Opcode Fuzzy Hash: 6077d536a19f00f7acb9f871c89b5a377971123cf34be993f7f07fcdaa39da66
Instruction Fuzzy Hash: AFB170B1D21129EBDF15EFA4CC85EDEB7BDEF49310F1040A6F509E6181EA319A588F60

Function 0029A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 0029A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0029A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0029A468
CloseHandle.KERNEL32(?), ref: 0029A63D

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: abe0ae75295e5cf37b0bda4345ead059897d3c8591af728cf62a465720e9b465
Instruction ID: 8f0f66ea4312631610b874e08fd3d766df43a059dd4cd14172bf4ed908976cb7
Opcode Fuzzy Hash: abe0ae75295e5cf37b0bda4345ead059897d3c8591af728cf62a465720e9b465
Instruction Fuzzy Hash: DFA1EF71614301AFDB20DF24D886F2AB7E5AF94714F14881DF95A8B292DBB0EC51CF82

Function 0027E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0027DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0027CF22,?), ref: 0027DDFD

Part of subcall function 0027DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0027CF22,?), ref: 0027DE16

Part of subcall function 0027E199: GetFileAttributesW.KERNEL32(?,0027CF95), ref: 0027E19A

lstrcmpiW.KERNEL32(?,?), ref: 0027E473
MoveFileW.KERNEL32(?,?), ref: 0027E4AC
_wcslen.LIBCMT ref: 0027E5EB
_wcslen.LIBCMT ref: 0027E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0027E650

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: f3fee149f60ddbb7c3e2be95bba574eb934ff533921122402830eb7b188f5359
Instruction ID: 1aa3ed9c92586497552eca3050d7fdf9eb7214069f16eba93ff257d2b0fed117
Opcode Fuzzy Hash: f3fee149f60ddbb7c3e2be95bba574eb934ff533921122402830eb7b188f5359
Instruction Fuzzy Hash: 5F51B4B20183855BCB24EB90D8919DB73ECAF99340F00495EF68DD3151EF74A5988B66

Function 0029B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00219CB3: _wcslen.LIBCMT ref: 00219CBD

Part of subcall function 0029C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0029B6AE,?,?), ref: 0029C9B5
Part of subcall function 0029C998: _wcslen.LIBCMT ref: 0029C9F1
Part of subcall function 0029C998: _wcslen.LIBCMT ref: 0029CA68
Part of subcall function 0029C998: _wcslen.LIBCMT ref: 0029CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0029BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0029BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0029BB63
RegCloseKey.ADVAPI32(?,?), ref: 0029BBA6
RegCloseKey.ADVAPI32(00000000), ref: 0029BBB3

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 36ea7880d8c5259c4caf8f8b990f96c5e49dc353fe17282235c9f8ebf9f9b945
Instruction ID: 24f15088d51be774a08aa9b2a3c01b82f97b461da105bcdf6d6e947ca84115a2
Opcode Fuzzy Hash: 36ea7880d8c5259c4caf8f8b990f96c5e49dc353fe17282235c9f8ebf9f9b945
Instruction Fuzzy Hash: 6161D131228241AFC715DF24D5A0E6ABBE5FF84308F14855CF4998B2A2CB31ED95CF92

Function 00278BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00278BCD
VariantClear.OLEAUT32 ref: 00278C3E
VariantClear.OLEAUT32 ref: 00278C9D
VariantClear.OLEAUT32(?), ref: 00278D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00278D3B

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 52c9453ace9235e982a950333c9e91cd61cbf45185997dc1acbe4256a833f3c4
Instruction ID: ba61e6245641293833b4869eebade152cc1714420b51739129f0074341471bf6
Opcode Fuzzy Hash: 52c9453ace9235e982a950333c9e91cd61cbf45185997dc1acbe4256a833f3c4
Instruction Fuzzy Hash: 61515DB5A10219DFCB14CF68D894AAAB7F8FF8D314B158559E909DB350E730E911CF90

Function 00288AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00288BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00288BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00288C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00288C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00288C5F

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 13d2f6ab6842bcdca92fdc377577c9007750c4d0b348ede828035b87ee0a50f0
Instruction ID: 3f1fde07f9c4812a01ee5f06258bbd099f9683cf120db08e8d1608364a9ff249
Opcode Fuzzy Hash: 13d2f6ab6842bcdca92fdc377577c9007750c4d0b348ede828035b87ee0a50f0
Instruction Fuzzy Hash: 2E514E35A10215AFCB05DF64C885AADBBF5FF49314F088459E849AB3A2DB31ED61CF90

Function 00298EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00298F40
GetProcAddress.KERNEL32(00000000,?), ref: 00298FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00298FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00299032
FreeLibrary.KERNEL32(00000000), ref: 00299052

Part of subcall function 0022F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00281043,?,753CE610), ref: 0022F6E6
Part of subcall function 0022F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,0026FA64,00000000,00000000,?,?,00281043,?,753CE610,?,0026FA64), ref: 0022F70D

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 07e6a884821397914c84b33aaae798c236af57f7e4814e47f57b75cdf597310e
Instruction ID: 5b4307128e6a99bb442c284cd52c79ff7aa61fe4d91bb70043e0aeac16515d31
Opcode Fuzzy Hash: 07e6a884821397914c84b33aaae798c236af57f7e4814e47f57b75cdf597310e
Instruction Fuzzy Hash: 5E515B35610205DFCB11DF68C4948ADBBF1FF5A324B5880A8E81A9B762DB31ED95CF90

Function 002A6B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 002A6C33
SetWindowLongW.USER32(?,000000EC,?), ref: 002A6C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 002A6C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,0028AB79,00000000,00000000), ref: 002A6C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 002A6CC7

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: f96bed69b2e56ccfa89010ba9aee5c3c6930fc7a75293b3e6b57b8adbfdfdefb
Instruction ID: ce8466677383db4ccf8e155ffba0e8b0b61179052ce63b58a1c67a57a7fa8648
Opcode Fuzzy Hash: f96bed69b2e56ccfa89010ba9aee5c3c6930fc7a75293b3e6b57b8adbfdfdefb
Instruction Fuzzy Hash: 3341E735624105AFD724DF38CC5CFA9BBA6EB0B360F190225F955A72E1CB71ED60CA50

Function 00242051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 002420C3
_free.LIBCMT ref: 002420E3

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 039f0c32c0cd284bb4705abe5deeec75a25f6f377680e4c31cbb7d6da5b401d7
Instruction ID: 6e627c1a2a9af69141de62b5aec230f183d7c6c3fa548bf440a0bdffb6b21062
Opcode Fuzzy Hash: 039f0c32c0cd284bb4705abe5deeec75a25f6f377680e4c31cbb7d6da5b401d7
Instruction Fuzzy Hash: 3D41F132A10200EFCB28DF79C880A5EB3F5EF88310F6541A9F509EB352DA31AD15CB80

Function 0022912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00229141
ScreenToClient.USER32(00000000,?), ref: 0022915E
GetAsyncKeyState.USER32(00000001), ref: 00229183
GetAsyncKeyState.USER32(00000002), ref: 0022919D

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 8e5a0b76d9d5a8368e78c8abcb40e90f4f7deb9cd842d0d8775a3ab2549aff40
Instruction ID: 96e44988e3f75519fe78b96f990a56ef55bd75b69345016cd6c0546d84b83c29
Opcode Fuzzy Hash: 8e5a0b76d9d5a8368e78c8abcb40e90f4f7deb9cd842d0d8775a3ab2549aff40
Instruction Fuzzy Hash: BE41903191821BFBDF059FA8D848BEEB775FB06324F204256E429A32D0CB7059A4CF91

Function 00283874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 002838CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00283922
TranslateMessage.USER32(?), ref: 0028394B
DispatchMessageW.USER32(?), ref: 00283955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00283966

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: e24e684744892cb999e68bc9a394e1d636497ce5737135654e2b62d411632786
Instruction ID: 445193d6009bdc5612054cb8405abb5b6d656b68e2a5d76f18d63b1b857bab64
Opcode Fuzzy Hash: e24e684744892cb999e68bc9a394e1d636497ce5737135654e2b62d411632786
Instruction Fuzzy Hash: A831F778966383DFEB35EF34E84CBB637A8AB01700F140469E466860E0E7F496A5CB11

Function 0028CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,0028C21E,00000000), ref: 0028CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 0028CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,0028C21E,00000000), ref: 0028CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,0028C21E,00000000), ref: 0028CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,0028C21E,00000000), ref: 0028CFF2

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 6e368f65526c93fea7e2097ca295cb048c80ac540c7d43b36f02a97bce6175ca
Instruction ID: 8bee132f0aec724fd96ab2dc32485261586e8525289ff80af5cdcb6e593679ad
Opcode Fuzzy Hash: 6e368f65526c93fea7e2097ca295cb048c80ac540c7d43b36f02a97bce6175ca
Instruction Fuzzy Hash: B2318475521206EFEB20EFA5D88496BB7F9EB14310B20442FF606D2591DB30AD50DB60

Function 00271901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00271915
PostMessageW.USER32(00000001,00000201,00000001), ref: 002719C1
Sleep.KERNEL32(00000000,?,?,?), ref: 002719C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 002719DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 002719E2

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 4156cfd232d7975eabc727004c0f76d7cf7ed69516a916f3bb11b8bd849cf178
Instruction ID: 5644b94da04c2f3ba64a11179606bf4c52d05c413900b61af581019fbfd35cc2
Opcode Fuzzy Hash: 4156cfd232d7975eabc727004c0f76d7cf7ed69516a916f3bb11b8bd849cf178
Instruction Fuzzy Hash: 5331D171A1021AEFCB04CFACDD99ADE3BB5EF45314F108225FA25A72D0C7709965CB90

Function 002A5706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 002A5745
SendMessageW.USER32(?,00001074,?,00000001), ref: 002A579D
_wcslen.LIBCMT ref: 002A57AF
_wcslen.LIBCMT ref: 002A57BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 002A5816

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 7d2196626f22d91489fd13a5873a4e9d1be37fcc2b5b603d2dd7441baa1e3f2d
Instruction ID: 6e97ff82a54e0c3b48f0c7c5fc408676ed53cd3fc54ac77f67eb45fa27b98a4c
Opcode Fuzzy Hash: 7d2196626f22d91489fd13a5873a4e9d1be37fcc2b5b603d2dd7441baa1e3f2d
Instruction Fuzzy Hash: 87218471924629DBDB209F60DC84AEFB778FF46720F104156F919AA180DB7099A5CF90

Function 00290930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00290951
GetForegroundWindow.USER32 ref: 00290968
GetDC.USER32(00000000), ref: 002909A4
GetPixel.GDI32(00000000,?,00000003), ref: 002909B0
ReleaseDC.USER32(00000000,00000003), ref: 002909E8

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: dde3cceb775b0fdd3b8dac9908a1b2836a86040309bb03793c34c09a7dd6e740
Instruction ID: 32eaa1a38ba0c2a5404cc9df0273e8dc1cd871455207573934a303605534569e
Opcode Fuzzy Hash: dde3cceb775b0fdd3b8dac9908a1b2836a86040309bb03793c34c09a7dd6e740
Instruction Fuzzy Hash: 51219635610204AFD704EF65D988AAEB7F9EF45700F148469F84AD7751DB70AC54CF50

Function 0024CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0024CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0024CDE9

Part of subcall function 00243820: RtlAllocateHeap.NTDLL(00000000,?,002E1444,?,0022FDF5,?,?,0021A976,00000010,002E1440,002113FC,?,002113C6,?,00211129), ref: 00243852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0024CE0F
_free.LIBCMT ref: 0024CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0024CE31

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 6353ec6d31d774b5bd8ae999f00619364a9edec1c8d942a47ad20941508e05a8
Instruction ID: 84093caec43fca8bdc12963d45ed8a24f52a7a485faa5fd1d9b7a057ab42cac6
Opcode Fuzzy Hash: 6353ec6d31d774b5bd8ae999f00619364a9edec1c8d942a47ad20941508e05a8
Instruction Fuzzy Hash: D501D8727132157F27651ABE6C4CC7B696DDEC7BA13350129F905CB200DF618D2195B0

Function 00229639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00229693
SelectObject.GDI32(?,00000000), ref: 002296A2
BeginPath.GDI32(?), ref: 002296B9
SelectObject.GDI32(?,00000000), ref: 002296E2

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 83c12099358ec3482d5deb54cf5e7e53f2353f2609ab27d48e62a5cad9a29c9b
Instruction ID: c267d2883f1ac15930189639d360ae584832dd4a21ca7b77b3e1dc95c8322211
Opcode Fuzzy Hash: 83c12099358ec3482d5deb54cf5e7e53f2353f2609ab27d48e62a5cad9a29c9b
Instruction Fuzzy Hash: D2217130861396EBDB119FA4FC4CBB97BA8BB01315F100225F414AA1A1D77498F5CF90

Function 00275711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00275726
_memcmp.LIBVCRUNTIME ref: 00275744
_memcmp.LIBVCRUNTIME ref: 00275757
_memcmp.LIBVCRUNTIME ref: 0027576F
_memcmp.LIBVCRUNTIME ref: 00275787

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 77e8281120af5704fc75e4084abf6f9b8945f6ea3de1ba7eef0bec8a6027bd13
Instruction ID: 262b11b05f268d0f2b73d680df856a140468fe6dc1dfe334846d8b8d8a2b0d42
Opcode Fuzzy Hash: 77e8281120af5704fc75e4084abf6f9b8945f6ea3de1ba7eef0bec8a6027bd13
Instruction Fuzzy Hash: C501BEA16B1615FBD20C55119E82FBBF35D9B26364F008021FD0C5A141F7F5ED3086B0

Function 00242DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0023F2DE,00243863,002E1444,?,0022FDF5,?,?,0021A976,00000010,002E1440,002113FC,?,002113C6), ref: 00242DFD
_free.LIBCMT ref: 00242E32
_free.LIBCMT ref: 00242E59
SetLastError.KERNEL32(00000000,00211129), ref: 00242E66
SetLastError.KERNEL32(00000000,00211129), ref: 00242E6F

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: efc803ab57a5d99d46d77a410784ee3995d6bec2f0ff2f9deb58d40101df1eb2
Instruction ID: e0897034251e8dca9626df90875cca2a584f23b84ee20304369945afd61aecc0
Opcode Fuzzy Hash: efc803ab57a5d99d46d77a410784ee3995d6bec2f0ff2f9deb58d40101df1eb2
Instruction Fuzzy Hash: B201F932775A02E7C61EAB377C89D2B2659EBD27A57F40025F815D2293EEB0DC394520

Function 0027000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0026FF41,80070057,?,?,?,0027035E), ref: 0027002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0026FF41,80070057,?,?), ref: 00270046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0026FF41,80070057,?,?), ref: 00270054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0026FF41,80070057,?), ref: 00270064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0026FF41,80070057,?,?), ref: 00270070

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: a48d26c50e43790a3e14429adfe618399f2ebef9a4a0fe25e74ef1a6fa78dd1c
Instruction ID: 3b83e166ba43b9305e929888d525052f9229bd317f13f87fa361d231d33cf134
Opcode Fuzzy Hash: a48d26c50e43790a3e14429adfe618399f2ebef9a4a0fe25e74ef1a6fa78dd1c
Instruction Fuzzy Hash: A301A272610215FFDB114F68EC88BAA7AEDEF44761F248124F909D2210DB75DD549BA0

Function 0027E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 0027E997
QueryPerformanceFrequency.KERNEL32(?), ref: 0027E9A5
Sleep.KERNEL32(00000000), ref: 0027E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 0027E9B7
Sleep.KERNEL32 ref: 0027E9F3

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 32642924dadd138573108f9735bd21b05302062e0ddddb357062a6155dd594d8
Instruction ID: 830d36f6181d061d4f75c64783362345109b39b212ab78cf46ae663d2a25f8f7
Opcode Fuzzy Hash: 32642924dadd138573108f9735bd21b05302062e0ddddb357062a6155dd594d8
Instruction Fuzzy Hash: 6A015B32D11529DBCF009FE4E84DADDBB78BF0E301F114596EA06B2241CB309565CB62

Function 002710F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00271114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00270B9B,?,?,?), ref: 00271120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00270B9B,?,?,?), ref: 0027112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00270B9B,?,?,?), ref: 00271136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0027114D

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 0edc4654a0be7e20e781c0510ddd8be1cbecafc823301c856a80f5a22de2674e
Instruction ID: 3a49bc3b137ac718f4a606138f383f07bb2a8b1d3bc115539cca783bbbfbab07
Opcode Fuzzy Hash: 0edc4654a0be7e20e781c0510ddd8be1cbecafc823301c856a80f5a22de2674e
Instruction Fuzzy Hash: 32011975200215BFDB114FA9EC4DA6A3B6EEF8A3A0B604469FA49D7360DE31DD109A60

Function 00270FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00270FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00270FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00270FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00270FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00271002

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: a5a6724a65bed132178d3ed591f122763b212e8b9185a2b84bf0e966de5ef529
Instruction ID: 5377f5ce8b9cb23cdc80d073ec82364728ca70ec87f5854fd1e7f4bd8fc3db5d
Opcode Fuzzy Hash: a5a6724a65bed132178d3ed591f122763b212e8b9185a2b84bf0e966de5ef529
Instruction Fuzzy Hash: 5CF04935200312EBDB215FA8AC4DF563BADEF8A762F204424FA49C6251DE70DC608A60

Function 00271014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0027102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00271036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00271045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0027104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00271062

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 12eb12cd31775a8b72ee2f2f895738ce3b01afab5b91958c5bbb09c6fb14ec99
Instruction ID: 65b5c3d4672a27ae75948a881523a391692afd383333d29eef8662d4143e4bda
Opcode Fuzzy Hash: 12eb12cd31775a8b72ee2f2f895738ce3b01afab5b91958c5bbb09c6fb14ec99
Instruction Fuzzy Hash: F8F06D35200312FBDB215FA8EC4DF563BADEF8A761F204424FE49C7250DE70D8608A60

Function 0028030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,0028017D,?,002832FC,?,00000001,00252592,?), ref: 00280324
CloseHandle.KERNEL32(?,?,?,?,0028017D,?,002832FC,?,00000001,00252592,?), ref: 00280331
CloseHandle.KERNEL32(?,?,?,?,0028017D,?,002832FC,?,00000001,00252592,?), ref: 0028033E
CloseHandle.KERNEL32(?,?,?,?,0028017D,?,002832FC,?,00000001,00252592,?), ref: 0028034B
CloseHandle.KERNEL32(?,?,?,?,0028017D,?,002832FC,?,00000001,00252592,?), ref: 00280358
CloseHandle.KERNEL32(?,?,?,?,0028017D,?,002832FC,?,00000001,00252592,?), ref: 00280365

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: da46e07c3cfc67e2bc9c51c5fb139ffda944daae7ef6b60e68356a4f247150cc
Instruction ID: 0b424d8b8b9f26d9da40faa152d7e8551a84aec36eb6ad2e76718680dc48ab46
Opcode Fuzzy Hash: da46e07c3cfc67e2bc9c51c5fb139ffda944daae7ef6b60e68356a4f247150cc
Instruction Fuzzy Hash: 5601DC76802B029FCB30AF66D8C0806FBF9BE602053158A7ED19252971C7B0A968CF80

Function 0024D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0024D752

Part of subcall function 002429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0024D7D1,00000000,00000000,00000000,00000000,?,0024D7F8,00000000,00000007,00000000,?,0024DBF5,00000000), ref: 002429DE
Part of subcall function 002429C8: GetLastError.KERNEL32(00000000,?,0024D7D1,00000000,00000000,00000000,00000000,?,0024D7F8,00000000,00000007,00000000,?,0024DBF5,00000000,00000000), ref: 002429F0

_free.LIBCMT ref: 0024D764
_free.LIBCMT ref: 0024D776
_free.LIBCMT ref: 0024D788
_free.LIBCMT ref: 0024D79A

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 3479e3a532ba8ffbb22fa8d73e62ae4b3b88adfcf84e7ccac07ff3d2ecf3af75
Instruction ID: 75487a5bb8d87c1354421e7a5b0e6b3b9d0094d02adb869f7c872ccbd8a4713e
Opcode Fuzzy Hash: 3479e3a532ba8ffbb22fa8d73e62ae4b3b88adfcf84e7ccac07ff3d2ecf3af75
Instruction Fuzzy Hash: 62F03632965206EB9629EF66F9C5C16BBDDBB447107F41C06F048D7541C730FCA0CA64

Function 00275C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00275C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00275C6F
MessageBeep.USER32(00000000), ref: 00275C87
KillTimer.USER32(?,0000040A), ref: 00275CA3
EndDialog.USER32(?,00000001), ref: 00275CBD

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 77d56a41878d7b66422d67d66d47cfa44bc8a1b013d0a4e00022ae81d11613d5
Instruction ID: ce48ee37d54f373cc5902839e5f602170fb7630e146ae7d32377a2a68a895fec
Opcode Fuzzy Hash: 77d56a41878d7b66422d67d66d47cfa44bc8a1b013d0a4e00022ae81d11613d5
Instruction Fuzzy Hash: 32018130510B14ABEB219F10ED4EFA6B7BCBB11B05F04456EB587A10E1DFF4A9988A90

Function 002422A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 002422BE

Part of subcall function 002429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0024D7D1,00000000,00000000,00000000,00000000,?,0024D7F8,00000000,00000007,00000000,?,0024DBF5,00000000), ref: 002429DE
Part of subcall function 002429C8: GetLastError.KERNEL32(00000000,?,0024D7D1,00000000,00000000,00000000,00000000,?,0024D7F8,00000000,00000007,00000000,?,0024DBF5,00000000,00000000), ref: 002429F0

_free.LIBCMT ref: 002422D0
_free.LIBCMT ref: 002422E3
_free.LIBCMT ref: 002422F4
_free.LIBCMT ref: 00242305

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 1a40ac7021e33ef8b0a4c08c4f1a6ed29cb0d13251a71fc276314eeda362873d
Instruction ID: 9994fca1a3738922489f828652c00a4dffbad11a63dd5b24fa9dc467554c7afa
Opcode Fuzzy Hash: 1a40ac7021e33ef8b0a4c08c4f1a6ed29cb0d13251a71fc276314eeda362873d
Instruction Fuzzy Hash: 7BF05EB08A11A1DB9B17AF57BC8980C3B68F7187607A0151BF814DA2B1CB711876EFE4

Function 002295C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 002295D4
StrokeAndFillPath.GDI32(?,?,002671F7,00000000,?,?,?), ref: 002295F0
SelectObject.GDI32(?,00000000), ref: 00229603
DeleteObject.GDI32 ref: 00229616
StrokePath.GDI32(?), ref: 00229631

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: cfc2c73a7e3a6d843aabe25e7faf778942eba344992c9b7f16dd7ad7355bc88f
Instruction ID: 49bab884c6149a1431e4f22809f08857a8115d952b1e349a4e8e645b7da67da3
Opcode Fuzzy Hash: cfc2c73a7e3a6d843aabe25e7faf778942eba344992c9b7f16dd7ad7355bc88f
Instruction Fuzzy Hash: 8AF03C30055285EBDB125FA5FD5C7643BA5EB02322F148224F429590F2CB7589B5DF20

Function 00240F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 002410F9
__freea.LIBCMT ref: 00241117

Part of subcall function 00241537: _free.LIBCMT ref: 0024154F

Strings

am/pm, xrefs: 0024117A
a/p, xrefs: 002411DE

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 3c6d27a78ddfb579001944e1c75b2e0cdd2216b4021b971f668a3e9a5bfae2de
Instruction ID: e6bed07876e556486b0e5cfd43987b8d988da083d48032861c0ce2a6f30cdb27
Opcode Fuzzy Hash: 3c6d27a78ddfb579001944e1c75b2e0cdd2216b4021b971f668a3e9a5bfae2de
Instruction Fuzzy Hash: A3D1F231930207DADB2C9F68C895BFABBB0EF05700F244199E915AB654D3B59DF0CB91

Function 002961D0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 324COMMON

Download Yara Rule

APIs

Part of subcall function 00230242: EnterCriticalSection.KERNEL32(002E070C,002E1884,?,?,0022198B,002E2518,?,?,?,002112F9,00000000), ref: 0023024D
Part of subcall function 00230242: LeaveCriticalSection.KERNEL32(002E070C,?,0022198B,002E2518,?,?,?,002112F9,00000000), ref: 0023028A

Part of subcall function 002300A3: __onexit.LIBCMT ref: 002300A9

__Init_thread_footer.LIBCMT ref: 00296238

Part of subcall function 002301F8: EnterCriticalSection.KERNEL32(002E070C,?,?,00228747,002E2514), ref: 00230202
Part of subcall function 002301F8: LeaveCriticalSection.KERNEL32(002E070C,?,00228747,002E2514), ref: 00230235

Part of subcall function 0028359C: LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 002835E4
Part of subcall function 0028359C: LoadStringW.USER32(002E2390,?,00000FFF,?), ref: 0028360A

Strings

x#., xrefs: 00296353
x#., xrefs: 0029633A
x#., xrefs: 0029636F

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeaveLoadString$Init_thread_footer__onexit
String ID: x#.$x#.$x#.
API String ID: 1072379062-2340457610
Opcode ID: 61dbd820af67a5fa47c795fe4aa4bac47884468a3a4e35dad5759e2353c2529f
Instruction ID: 78aebe95c70378214a905a78c79470944012b544066a2d46b7051d57d5a01348
Opcode Fuzzy Hash: 61dbd820af67a5fa47c795fe4aa4bac47884468a3a4e35dad5759e2353c2529f
Instruction Fuzzy Hash: 99C17B71A20106AFDF24DF98C894EBEB7F9EF48300F558069E9059B291DB70E965CB90

Function 00245AA9 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

Strings

JO!, xrefs: 00245BA8, 00245C6C

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID:
String ID: JO!
API String ID: 0-3116667536
Opcode ID: 3d874f82bf57cb7cebc9cac489df768c0afe6e47bcfc19f2088db2f10080f813
Instruction ID: 3416695e58f034b95e0c1adc1dada47f00f231f83e3bddcc9f56afcb170b3322
Opcode Fuzzy Hash: 3d874f82bf57cb7cebc9cac489df768c0afe6e47bcfc19f2088db2f10080f813
Instruction Fuzzy Hash: 4151E4B1D3062ADFCB189FA4D985FAEBBB4EF05314F14005AF445AB293D6708921CB61

Function 00248A61 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 124COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000002,00000000,?,?,?,00000000,?,?,?,?), ref: 00248B6E
GetLastError.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,00000000,00001000,?), ref: 00248B7A
__dosmaperr.LIBCMT ref: 00248B81

Strings

.#, xrefs: 00248A63

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr
String ID: .#
API String ID: 2434981716-197210044
Opcode ID: adcc6fd5105ec10fc55ea8ed203e79b8866256888e351573d7ceaa8d721075c8
Instruction ID: eb4e2219a58afd81e4a1160ce853b91b6da76087db3f5711005ee07970c142b8
Opcode Fuzzy Hash: adcc6fd5105ec10fc55ea8ed203e79b8866256888e351573d7ceaa8d721075c8
Instruction Fuzzy Hash: 05419170634055AFDB289F24DC84A7D7FD5DB45308F288199F884CB542DE71CC638750

Function 00272716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0027B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,002721D0,?,?,00000034,00000800,?,00000034), ref: 0027B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00272760

Part of subcall function 0027B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,002721FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0027B3F8

Part of subcall function 0027B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0027B355
Part of subcall function 0027B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00272194,00000034,?,?,00001004,00000000,00000000), ref: 0027B365
Part of subcall function 0027B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00272194,00000034,?,?,00001004,00000000,00000000), ref: 0027B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 002727CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0027281A

Strings

@, xrefs: 00272832

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: d445473ab77be2c9d68b511d5444775d815ba461ad48665b718374ad57345d98
Instruction ID: f2d6dbb5d705826bf054d9d827ef521c04f7f312875aa4c09472499e12d2cdd0
Opcode Fuzzy Hash: d445473ab77be2c9d68b511d5444775d815ba461ad48665b718374ad57345d98
Instruction Fuzzy Hash: 12416D72900218AFDB15DFA4CD45BDEBBB8AF05700F108095FA59B7181DB706E99CFA1

Function 0024172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 00241769
_free.LIBCMT ref: 00241834
_free.LIBCMT ref: 0024183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 00241760, 00241767, 00241796, 002417CE

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-1957095476
Opcode ID: 512354fcdcbed385e0a16a6e2c1bae81bf96091e981c2713fa29a9522d4acfcb
Instruction ID: 58ce2db1787f190614d8064d9424f3b7ed4bb189c86d81bc9da08e6e46841f83
Opcode Fuzzy Hash: 512354fcdcbed385e0a16a6e2c1bae81bf96091e981c2713fa29a9522d4acfcb
Instruction Fuzzy Hash: 2A31AE71A50258EBDB29DF9ADC85D9EBBFCEB85310B104166F904DB211D7B08EA0CB90

Function 0027C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0027C306
DeleteMenu.USER32(?,00000007,00000000), ref: 0027C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,002E1990,01726DB8), ref: 0027C395

Strings

0, xrefs: 0027C2DF

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 1d9d6a3f1c86db17cfa1f6a754e7b4b3361b0206c2b53b7739883f5af07ec429
Instruction ID: f0f1941c176447693314a9e84ad6814b584fd381efeae8eb885880c02f288316
Opcode Fuzzy Hash: 1d9d6a3f1c86db17cfa1f6a754e7b4b3361b0206c2b53b7739883f5af07ec429
Instruction Fuzzy Hash: 7541C3712143029FD720DF34D885B5ABBE4AF85320F20C6ADF9A9972D1D770E954CB62

Function 002A4416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,002ACC08,00000000,?,?,?,?), ref: 002A44AA
GetWindowLongW.USER32 ref: 002A44C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 002A44D7

Strings

SysTreeView32, xrefs: 002A447C

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 65bb59341124ee77542515c5c7c9c4c86c5b9909c99a45179f9b8ec0b1eea7fb
Instruction ID: 5ee0cfac16f5b5d69f87e4cad696e45c333f85de07451b58192a62ec1f02feda
Opcode Fuzzy Hash: 65bb59341124ee77542515c5c7c9c4c86c5b9909c99a45179f9b8ec0b1eea7fb
Instruction Fuzzy Hash: E631A231220606AFDF209F78DC45BDA77A9EB9A334F204725F975921D0DBB0EC609B50

Function 00276E71 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92memoryCOMMON

Download Yara Rule

APIs

SysReAllocString.OLEAUT32(?,?), ref: 00276EED
VariantCopyInd.OLEAUT32(?,?), ref: 00276F08
VariantClear.OLEAUT32(?), ref: 00276F12

Strings

*j', xrefs: 00276E8B, 00276E90, 00276EF8

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: Variant$AllocClearCopyString
String ID: *j'
API String ID: 2173805711-4035128418
Opcode ID: 72f3d48d040188f5f133464c7dc1408d8526a9f3cf6101bec31e2bad73743006
Instruction ID: 37e3092a84006c882177a10024da6b6d5bf693d959bb303fdc742eb6fd7fe349
Opcode Fuzzy Hash: 72f3d48d040188f5f133464c7dc1408d8526a9f3cf6101bec31e2bad73743006
Instruction Fuzzy Hash: B931F331624606DFCB05AFA4E85A8BD37B6EF85300B2044A8F8074B6A1CB709D71CFD1

Function 0029304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0029335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00293077,?,?), ref: 00293378

inet_addr.WSOCK32(?), ref: 0029307A
_wcslen.LIBCMT ref: 0029309B
htons.WSOCK32(00000000), ref: 00293106

Strings

255.255.255.255, xrefs: 00293095, 0029309A

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: aac933c6fa4ae11fd876e1777863d38e0ac0ca3375c11841724349b0fe383da3
Instruction ID: bbe233f8258a73efbfbf7684232196f9288b4e1513d819771c7ef333820608eb
Opcode Fuzzy Hash: aac933c6fa4ae11fd876e1777863d38e0ac0ca3375c11841724349b0fe383da3
Instruction Fuzzy Hash: CD31E7352102029FCF20CF68C485EAA77F0EF15314F248059E9158B3A2DB72EE55CB60

Function 002A3EB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 002A3F40
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 002A3F54
SendMessageW.USER32(?,00001002,00000000,?), ref: 002A3F78

Strings

SysMonthCal32, xrefs: 002A3F0B

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: e06f97c346ef923011ba28df4329a18e4f324648a84ed23e2f467bb05720ff41
Instruction ID: 2e823cce6ea951bc1c121132cfd0c16ab463e6ff6f1a661cdb7c333e9077577a
Opcode Fuzzy Hash: e06f97c346ef923011ba28df4329a18e4f324648a84ed23e2f467bb05720ff41
Instruction Fuzzy Hash: 1521BF32620219BFDF25CF50DC46FEA3BB9EF49714F110214FA15AB1D0DAB5AC608B90

Function 002A4653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 002A4705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 002A4713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 002A471A

Strings

msctls_updown32, xrefs: 002A4684

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 03b203d8f0564ee155109a4fcb61a7e187fb0f3712dffaa16eb1f3dbfbbad178
Instruction ID: 0ceeeef8baf054e57380654d18a48c668f09c14d4417e8c9de8ec48d8a2f1755
Opcode Fuzzy Hash: 03b203d8f0564ee155109a4fcb61a7e187fb0f3712dffaa16eb1f3dbfbbad178
Instruction Fuzzy Hash: 6F2192B5610245AFDB10EF68ECC5DBB77ADEB9B794B140059F9009B261DB70EC21CA60

Function 002795AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0027961D

Strings

#requireadmin, xrefs: 002795D9
#OnAutoItStartRegister, xrefs: 002795F3
#notrayicon, xrefs: 002795B7

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: f65516170fb8c8345d0288b0f95da97652bc91a85a7f323702d5d7e0b75647a7
Instruction ID: 82c868c62029cbee1c9a2d2cd6be53c813667eef8ab1190bb95d84fcef38075c
Opcode Fuzzy Hash: f65516170fb8c8345d0288b0f95da97652bc91a85a7f323702d5d7e0b75647a7
Instruction Fuzzy Hash: 07216B7213432266C331AE259C02FB773EC9FA6300F408025FA4D97041EBB49DF1C691

Function 002A37B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 002A3840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 002A3850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 002A3876

Strings

Listbox, xrefs: 002A380F

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 6b4bbbffdb3558a4dc3a686307bc3be616d8210dc4e40cfe1f55a1b04e739389
Instruction ID: 7659a4dbb32b46b07bdbc3045b6cf126f9b3c8094844d6ef462c457bfef0a46b
Opcode Fuzzy Hash: 6b4bbbffdb3558a4dc3a686307bc3be616d8210dc4e40cfe1f55a1b04e739389
Instruction Fuzzy Hash: 61218072620119BFEB11CF54DC85EAB776EEF8A750F108125F9049B190CA75DC618BA0

Function 002849F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00284A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00284A5C
SetErrorMode.KERNEL32(00000000,?,?,002ACC08), ref: 00284AD0

Strings

%lu, xrefs: 00284A6F

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 7b5b28dda45e5e8bfde57f514ed7a6be98da5128e16f9d04f2be359cfceacea1
Instruction ID: 3ad54d0266552ab6d40ff9743c18ed6a2657171ccef52bfc2a485474aa92eee0
Opcode Fuzzy Hash: 7b5b28dda45e5e8bfde57f514ed7a6be98da5128e16f9d04f2be359cfceacea1
Instruction Fuzzy Hash: 9C318074A10109AFD710EF54C895EAA7BF8EF09308F1480A5E809DB252DB71EE55CFA1

Function 002A41EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 002A424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 002A4264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 002A4271

Strings

msctls_trackbar32, xrefs: 002A4226

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: fd0740b7aedba998bff9345bbcf08f3f51f6433afae27f8c5a4d59826e41f895
Instruction ID: 46bc051ea13b107bb519a64701928c71ac00a5db1ad775c7e6827240279035a8
Opcode Fuzzy Hash: fd0740b7aedba998bff9345bbcf08f3f51f6433afae27f8c5a4d59826e41f895
Instruction Fuzzy Hash: FF110631250248BFEF20AF28CC46FAB3BACEFD6B54F110125FA55E6090DAB1DC619B50

Function 00272F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00216B57: _wcslen.LIBCMT ref: 00216B6A

Part of subcall function 00272DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00272DC5
Part of subcall function 00272DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00272DD6
Part of subcall function 00272DA7: GetCurrentThreadId.KERNEL32 ref: 00272DDD
Part of subcall function 00272DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00272DE4

GetFocus.USER32 ref: 00272F78

Part of subcall function 00272DEE: GetParent.USER32(00000000), ref: 00272DF9

GetClassNameW.USER32(?,?,00000100), ref: 00272FC3
EnumChildWindows.USER32(?,0027303B), ref: 00272FEB

Strings

%s%d, xrefs: 00272FFF

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 1a22cf7d803faf30868a17284e6822ceb7fdbd4a0a24add7af91981be54b900f
Instruction ID: b63fefb4eaee37e224ae9eead9b836a1e91e6d5c1110a83808c52fb11e3246e9
Opcode Fuzzy Hash: 1a22cf7d803faf30868a17284e6822ceb7fdbd4a0a24add7af91981be54b900f
Instruction Fuzzy Hash: F211E771610205ABCF10BF709C89EFE37AAAF95314F048075F90D9B152DE705A699F60

Function 002A5882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 002A58C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 002A58EE
DrawMenuBar.USER32(?), ref: 002A58FD

Strings

0, xrefs: 002A588F

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 0c4570bbc1145454fbfc7dfaf7a1fb9ea2c26e3fefd0d3f9d2e6f74be531e452
Instruction ID: 98d950dad6f5c16763e7a7cc62d211411870e4d12efa80967deec69067921d8d
Opcode Fuzzy Hash: 0c4570bbc1145454fbfc7dfaf7a1fb9ea2c26e3fefd0d3f9d2e6f74be531e452
Instruction Fuzzy Hash: 3A013C31520229EFDB519F51E844BABBBB4BF46360F1080A9F849DA151DF708AA49F61

Function 0027007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e9ebdfad0e3bbe74691f994936d83b63adcccdb3366aa3cb83b1c8d91c1cbe7
Instruction ID: c346d9361c44aae7431958091c8e9b8ebbf2375764a6b81daef0bca946450632
Opcode Fuzzy Hash: 9e9ebdfad0e3bbe74691f994936d83b63adcccdb3366aa3cb83b1c8d91c1cbe7
Instruction Fuzzy Hash: 8EC15B75A10206EFDB14CFA4C898AAEB7B5FF48304F208598E909EB251D771ED95CB90

Function 0029342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00293459
CoUninitialize.OLE32 ref: 00293463
VariantInit.OLEAUT32(?), ref: 0029346E
VariantClear.OLEAUT32(?), ref: 0029371B

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: b72cc781b0df1f26babf8e7f3039c80e7eabae676c35124d8e6b2883f8ee5cba
Instruction ID: 4b89d2bc45158e5b1c454cd391ae42b631f63c2ae6242540a7638727a5742c5a
Opcode Fuzzy Hash: b72cc781b0df1f26babf8e7f3039c80e7eabae676c35124d8e6b2883f8ee5cba
Instruction Fuzzy Hash: 93A15B75224201AFCB10DF64C485A6AB7E5FF8C714F048859F98A9B362DB30EE51CF91

Function 00270436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,002AFC08,?), ref: 002705F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,002AFC08,?), ref: 00270608
CLSIDFromProgID.OLE32(?,?,00000000,002ACC40,000000FF,?,00000000,00000800,00000000,?,002AFC08,?), ref: 0027062D
_memcmp.LIBVCRUNTIME ref: 0027064E

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 8ef583254b3d1ba2e71ddb292fdf0ebca2df4c3c6249909920649825b04223a1
Instruction ID: 85ee559146a33c0bcb4a27e1930bc4e3f33e3ef1c18f1f4daa2fea1ba251991d
Opcode Fuzzy Hash: 8ef583254b3d1ba2e71ddb292fdf0ebca2df4c3c6249909920649825b04223a1
Instruction Fuzzy Hash: B9814C71A10109EFCB04DF94C984EEEB7B9FF89315F208158E516AB250DB71AE1ACF60

Function 0029A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0029A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 0029A6BA

Part of subcall function 00219CB3: _wcslen.LIBCMT ref: 00219CBD

Process32NextW.KERNEL32(00000000,?), ref: 0029A79C
CloseHandle.KERNEL32(00000000), ref: 0029A7AB

Part of subcall function 0022CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00253303,?), ref: 0022CE8A

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: cbb6af08e28ab23c2c45a2c612b0af97002074726971c17739a0adff0f2ca288
Instruction ID: 405147b5c0a672c197a608da1a343dd869c0678c7f280442cea7a78933d08bd7
Opcode Fuzzy Hash: cbb6af08e28ab23c2c45a2c612b0af97002074726971c17739a0adff0f2ca288
Instruction Fuzzy Hash: AE516B71518300AFD710EF24D886AABBBE8FF99754F00892DF58997252EB30D954CF92

Function 00251391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 002514C0

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 4f107bf03efc21ac61423fc382774290e7eaa22c89254d99b996c26d108fd61d
Instruction ID: 336dc055647334309ed15eeaf3a5e3eb7587a142aaa9ef5400b019168f859928
Opcode Fuzzy Hash: 4f107bf03efc21ac61423fc382774290e7eaa22c89254d99b996c26d108fd61d
Instruction Fuzzy Hash: 6E418D72A30101ABDB257FFDDC46BBF3AA4EF41371F240226FC18C6192E67488795A65

Function 002A6278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 002A62E2
ScreenToClient.USER32(?,?), ref: 002A6315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 002A6382

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: d635fea5b6cd1179e7a3117fd176e745021aeec6afef3d1d7afc935a4f9c84f9
Instruction ID: 0ad22df74b0617d6b742db82b5d8cbcbcdd5cd38ea3b809be470e6ecc980543c
Opcode Fuzzy Hash: d635fea5b6cd1179e7a3117fd176e745021aeec6afef3d1d7afc935a4f9c84f9
Instruction Fuzzy Hash: 2F514D7091024AEFCF14DF54D888AAE7BB5EF56760F1481A9F8159B290DB30EDA1CB50

Function 00291AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00291AFD
WSAGetLastError.WSOCK32 ref: 00291B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00291B8A
WSAGetLastError.WSOCK32 ref: 00291B94

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 5a70b563631661add13757189467b06279bcc972296b46d1b30372ae6b21e1fc
Instruction ID: 9bdd24caadba5de7755dbd8e99cdfed930c0c27ebfa750c0c4177cc57f6456f7
Opcode Fuzzy Hash: 5a70b563631661add13757189467b06279bcc972296b46d1b30372ae6b21e1fc
Instruction Fuzzy Hash: FA41F5346102016FDB20AF24D88AF6977E5AB54708F54C448F9158F3D3DB72EDA2CB90

Function 0024B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25efbbd5d3c35ddc7675acc22976b1cdf30247c526ab2500a1ec5401c882b639
Instruction ID: ad80f99cf28777a9448e7611c0e7ef0876b1ad216a4b96aca3d91033a03df6c4
Opcode Fuzzy Hash: 25efbbd5d3c35ddc7675acc22976b1cdf30247c526ab2500a1ec5401c882b639
Instruction Fuzzy Hash: 8E411972A20704BFD72A9F38CC45BAABBE9EF88710F10452AF555DB681D771D9318B80

Function 002856D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00285783
GetLastError.KERNEL32(?,00000000), ref: 002857A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 002857CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 002857FA

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 02fe09cbacb66c406d34676f274cdd93a3be85af0e5d0ec0116631f1a6996528
Instruction ID: 60f0671ea9b34198dacc14200f5154b16735213f260a2f2387e98795b358aac7
Opcode Fuzzy Hash: 02fe09cbacb66c406d34676f274cdd93a3be85af0e5d0ec0116631f1a6996528
Instruction Fuzzy Hash: 45411A39610611DFCB11EF15C444A5EBBF2AF99320B198489EC4AAB362CB30FD91CF91

Function 0024D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,00236D71,00000000,00000000,002382D9,?,002382D9,?,00000001,00236D71,?,00000001,002382D9,002382D9), ref: 0024D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0024D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0024D9AB
__freea.LIBCMT ref: 0024D9B4

Part of subcall function 00243820: RtlAllocateHeap.NTDLL(00000000,?,002E1444,?,0022FDF5,?,?,0021A976,00000010,002E1440,002113FC,?,002113C6,?,00211129), ref: 00243852

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: f9d8953ebab830ef9ae4e20580736fdf7b3368f6f03ff9c6b91d4357ba665247
Instruction ID: 164aea8961a45094f6269f5b298cebecb6ca2395aa4e61c18173eac02f95a7e6
Opcode Fuzzy Hash: f9d8953ebab830ef9ae4e20580736fdf7b3368f6f03ff9c6b91d4357ba665247
Instruction Fuzzy Hash: E831CD72A2020AABDF28DF64DC85EAE7BA5EB41710F154168FC04D7290EB35DD64CBA0

Function 002A52C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 002A5352
GetWindowLongW.USER32(?,000000F0), ref: 002A5375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 002A5382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 002A53A8

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: a43fb3e9aba5f74db3aac4dcf5a65eb923ded8488771d314c7e13cf5c80331ff
Instruction ID: b4ea04056a4d3f8bc26e8eadd5875490bf5d568082fcc7a7f636f8c801f1f123
Opcode Fuzzy Hash: a43fb3e9aba5f74db3aac4dcf5a65eb923ded8488771d314c7e13cf5c80331ff
Instruction Fuzzy Hash: 19310430A75A29FFEF349E14DC49BEA7765AB86390F584081FA00961E1CFF099A0DB41

Function 0027AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 0027ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 0027AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 0027AC74
SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 0027ACC6

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 57506df14775ca2e9cc9e0e8bc6d9dfe0e238d5a672fc18c69d35664d78d8dda
Instruction ID: b6babdd93649e83caeda36b950e372f37cefd22e3a3f54f173075cee44fa2345
Opcode Fuzzy Hash: 57506df14775ca2e9cc9e0e8bc6d9dfe0e238d5a672fc18c69d35664d78d8dda
Instruction Fuzzy Hash: 0131F830A2071A7FEF26CF658809BFE7BA5ABC5330F14C21FE489521D1C77589A58752

Function 002A7674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 002A769A
GetWindowRect.USER32(?,?), ref: 002A7710
PtInRect.USER32(?,?,002A8B89), ref: 002A7720
MessageBeep.USER32(00000000), ref: 002A778C

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 11f46c37c1dcbb5f33ef24b981fdf31ea1d135b7128a542a051315c5e2b72667
Instruction ID: 6866c70756fa8dce8e3c6f17c877fae46070e8f8015324a467ca03c61fa6d9d8
Opcode Fuzzy Hash: 11f46c37c1dcbb5f33ef24b981fdf31ea1d135b7128a542a051315c5e2b72667
Instruction Fuzzy Hash: 1741A938A19255DFCB01CF58DC98EA9B7F4FB4A304F1940A8E8149F261CB30A9A1CF94

Function 002A16DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 002A16EB

Part of subcall function 00273A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00273A57
Part of subcall function 00273A3D: GetCurrentThreadId.KERNEL32 ref: 00273A5E
Part of subcall function 00273A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,002725B3), ref: 00273A65

GetCaretPos.USER32(?), ref: 002A16FF
ClientToScreen.USER32(00000000,?), ref: 002A174C
GetForegroundWindow.USER32 ref: 002A1752

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: f165874ea595218e5dfd7026bc4e58ac26c116e037b5779c605eb4dedda78f45
Instruction ID: 28285bc3c313962d6fb64ba13e88fde92f73ed2b104d3fb7ef87effef2077fe9
Opcode Fuzzy Hash: f165874ea595218e5dfd7026bc4e58ac26c116e037b5779c605eb4dedda78f45
Instruction Fuzzy Hash: B0313E75D10249AFC704EFA9C8858EEB7F9EF59304B5080AAE415E7211EB319E55CFA0

Function 0027DF95 Relevance: 6.1, APIs: 4, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 00217620: _wcslen.LIBCMT ref: 00217625

_wcslen.LIBCMT ref: 0027DFCB
_wcslen.LIBCMT ref: 0027DFE2
_wcslen.LIBCMT ref: 0027E00D
GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 0027E018

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: _wcslen$ExtentPoint32Text
String ID:
API String ID: 3763101759-0
Opcode ID: 721b5e4c9837f4e4919c1053cbbde0e21bfd946a5bf9fd3a3125f5aa787696a1
Instruction ID: 5dcbe4ef8e4b4834b46aed4ef3ed22d3094b9fea8dcab956e88b34270d7f000d
Opcode Fuzzy Hash: 721b5e4c9837f4e4919c1053cbbde0e21bfd946a5bf9fd3a3125f5aa787696a1
Instruction Fuzzy Hash: 6621C971910215EFCB10EFA8D982BAEB7F8EF49750F1540A5E809BB241D6709D51CFB1

Function 002A8FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00229BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00229BB2

GetCursorPos.USER32(?), ref: 002A9001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00267711,?,?,?,?,?), ref: 002A9016
GetCursorPos.USER32(?), ref: 002A905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00267711,?,?,?), ref: 002A9094

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: d3ee9716c55e80ef1542155f98474c259592b67585ca08226c73e6068389c208
Instruction ID: 699a54e66c585fdf77d4781c8ca0e644b2f1055f06cd0fb73da3d85cbeda2103
Opcode Fuzzy Hash: d3ee9716c55e80ef1542155f98474c259592b67585ca08226c73e6068389c208
Instruction Fuzzy Hash: 1321A135610018FFDB258F95DC98EFA7BB9EF8A390F144065F9055B261CB3199A0DF60

Function 0027D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,002ACB68), ref: 0027D2FB
GetLastError.KERNEL32 ref: 0027D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 0027D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,002ACB68), ref: 0027D376

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 8d099880e283b327158b4dccfc09097ca7585f87dd563a95eee63a7e0c63e9f5
Instruction ID: ab55f4b4d60a8c440cd8977290dda313dd13baf543360b1e8b95bfde79b2cfbf
Opcode Fuzzy Hash: 8d099880e283b327158b4dccfc09097ca7585f87dd563a95eee63a7e0c63e9f5
Instruction Fuzzy Hash: 2A21A3705252029F8710DF24D8858AAB7F4EE56328F208A5DF89DC32A1DB31D956CF93

Function 00271571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00271014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0027102A
Part of subcall function 00271014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00271036
Part of subcall function 00271014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00271045
Part of subcall function 00271014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0027104C
Part of subcall function 00271014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00271062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 002715BE
_memcmp.LIBVCRUNTIME ref: 002715E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00271617
HeapFree.KERNEL32(00000000), ref: 0027161E

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 10854d19091dc087fb44e1e45f25313810e0ee53cb84a4b982c9c550b0d48e82
Instruction ID: 3f92785b570273f4b27568375161e2c308b2f26cf2800de2ba0b626c4ff76133
Opcode Fuzzy Hash: 10854d19091dc087fb44e1e45f25313810e0ee53cb84a4b982c9c550b0d48e82
Instruction Fuzzy Hash: 6221AF71E10109EFDF14DFA8C949BEEB7B8EF44344F188459E449AB241E730AA25DFA0

Function 002A2782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 002A280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 002A2824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 002A2832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 002A2840

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: a15416f6a9457e63bfd756a4074826cd649f1073ea2251aba787522746571509
Instruction ID: fec04a5019117d11558f0cdf24d295a07e1eb3be686916828c37eeab27d2efe4
Opcode Fuzzy Hash: a15416f6a9457e63bfd756a4074826cd649f1073ea2251aba787522746571509
Instruction Fuzzy Hash: 3721E231214111EFD7149B28CC44FAAB795AF46324F248158F4268B6E2CF75ED96CB90

Function 002778F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00278D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,0027790A,?,000000FF,?,00278754,00000000,?,0000001C,?,?), ref: 00278D8C
Part of subcall function 00278D7D: lstrcpyW.KERNEL32(00000000,?,?,0027790A,?,000000FF,?,00278754,00000000,?,0000001C,?,?,00000000), ref: 00278DB2
Part of subcall function 00278D7D: lstrcmpiW.KERNEL32(00000000,?,0027790A,?,000000FF,?,00278754,00000000,?,0000001C,?,?), ref: 00278DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00278754,00000000,?,0000001C,?,?,00000000), ref: 00277923
lstrcpyW.KERNEL32(00000000,?,?,00278754,00000000,?,0000001C,?,?,00000000), ref: 00277949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00278754,00000000,?,0000001C,?,?,00000000), ref: 00277984

Strings

cdecl, xrefs: 0027797B

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 95ea345f095c930031afbcb32976b53fe65266375239b243ccbf081fcb1164b3
Instruction ID: 3dbea55a393e1219d24664ee8a0c6ae552f350584872d13fb9373546d8eeae2c
Opcode Fuzzy Hash: 95ea345f095c930031afbcb32976b53fe65266375239b243ccbf081fcb1164b3
Instruction Fuzzy Hash: 5B11E93A211342EBCB155F38D849D7B77A5FF95350B50802AFA4AC7264EF319C21CB91

Function 002A7CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 002A7D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 002A7D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 002A7D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0028B7AD,00000000), ref: 002A7D6B

Part of subcall function 00229BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00229BB2

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: a8dc2010c092c7532545046527a386f05695aadcb54503c41c71d400dc874517
Instruction ID: 1db2f27552b9319b1d05f81733ab51752f2169fac6a6e35b0228262e0b260df3
Opcode Fuzzy Hash: a8dc2010c092c7532545046527a386f05695aadcb54503c41c71d400dc874517
Instruction Fuzzy Hash: FC11A231624A65AFCB109F28DC08A6A3BA5AF46370B254724F835DB2F0DB309970CB54

Function 002A5660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 002A56BB
_wcslen.LIBCMT ref: 002A56CD
_wcslen.LIBCMT ref: 002A56D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 002A5816

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: 4fc499f5c34cdd3ec0c4a00078afdedee0ede52330867a895c557a5f3fb57df7
Instruction ID: 531c0d1e0e47fd6fc8ccfa1f019729eaa83fb984630af5a122be8ec346b4d9cb
Opcode Fuzzy Hash: 4fc499f5c34cdd3ec0c4a00078afdedee0ede52330867a895c557a5f3fb57df7
Instruction Fuzzy Hash: 0611B17163062AD7DB20DF619C85AEF77ACBF16760F104066F915D6081EFB09AA4CFA0

Function 00241D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5cb1f01a039ae99939d8ef278115a5c108b6805f48965bcf06b411f4d17c63b
Instruction ID: e739fd5fc6b5cbb6399896bc4b2d93ce2a8ba3ae8cd64dc063a8a94ffb10bbf0
Opcode Fuzzy Hash: e5cb1f01a039ae99939d8ef278115a5c108b6805f48965bcf06b411f4d17c63b
Instruction Fuzzy Hash: E7017CF2A25A16BEF6192A797CC0F27761DDF417B8B341325F535511D2DB608CB08570

Function 00271A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00271A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00271A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00271A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00271A8A

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: ec8ec1b21bfe35e4268e3c490e6f1a8cec44e10390a076d585f8b9ae054ca688
Instruction ID: 6a0a8be1f571fcd89e2e00c3d6e63b1e4aeddef1c474112438f66bf4e95051c7
Opcode Fuzzy Hash: ec8ec1b21bfe35e4268e3c490e6f1a8cec44e10390a076d585f8b9ae054ca688
Instruction Fuzzy Hash: E211393AD01219FFEB10DBA8CD85FADBB78EF08750F204091EA04B7294D6716E60DB94

Function 0027E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0027E1FD
MessageBoxW.USER32(?,?,?,?), ref: 0027E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0027E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0027E24D

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 190a7c2de8ee4b471ed528ed91b257ce6b2e4509ffcd48b4a39d16d75b2b87c9
Instruction ID: 17ea7e7469346c9a6d9fd8e8dc428a28e9c2290c9285dcd4027262857f03e136
Opcode Fuzzy Hash: 190a7c2de8ee4b471ed528ed91b257ce6b2e4509ffcd48b4a39d16d75b2b87c9
Instruction Fuzzy Hash: 45112B72A14254BBCB019FA8BC4DA9F7FAC9B46320F1182A5FC18D7295DAB0CD1087B0

Function 0023D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,0023CFF9,00000000,00000004,00000000), ref: 0023D218
GetLastError.KERNEL32 ref: 0023D224
__dosmaperr.LIBCMT ref: 0023D22B
ResumeThread.KERNEL32(00000000), ref: 0023D249

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: b7c530cc40451db1f43f1f93f3775c0470dbaf6145bcb84fcc57621928bec3e2
Instruction ID: 3545bb1817adb169f51037035a71b588a9f808ab59f7d56f4e9a13f5b342441c
Opcode Fuzzy Hash: b7c530cc40451db1f43f1f93f3775c0470dbaf6145bcb84fcc57621928bec3e2
Instruction Fuzzy Hash: D90126B2824204BBCB105FA5FC09BAB7A68DF82730F200219FC24921D1CF70C820CAA0

Function 002A9EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00229BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00229BB2

GetClientRect.USER32(?,?), ref: 002A9F31
GetCursorPos.USER32(?), ref: 002A9F3B
ScreenToClient.USER32(?,?), ref: 002A9F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 002A9F7A

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 6cc1ee1e4c5a560c6ce27b77aba9a0d1ae61800c3fae9c1a31cf555b7102e71c
Instruction ID: 5bb4417d83b795065bc1f4f9053b4e4d3ff37f0913667292372b9476a0b8119e
Opcode Fuzzy Hash: 6cc1ee1e4c5a560c6ce27b77aba9a0d1ae61800c3fae9c1a31cf555b7102e71c
Instruction Fuzzy Hash: 0211483291015AAFDF10DFA9DC899EE77B8FB46311F500461F901E3540DB30BAA1CBA1

Function 0021600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0021604C
GetStockObject.GDI32(00000011), ref: 00216060
SendMessageW.USER32(00000000,00000030,00000000), ref: 0021606A

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 685e88f92739e1f1e4121a96f3a2f6d3686b71bfead3d8b2893aa9bfd471d7c0
Instruction ID: 224e3ad8ad06bd4ab245b75aa59b63805986bee9a33935a3550100d7540d02ca
Opcode Fuzzy Hash: 685e88f92739e1f1e4121a96f3a2f6d3686b71bfead3d8b2893aa9bfd471d7c0
Instruction Fuzzy Hash: 7D116D72511549BFEF129FA49C48EEEBBADFF1D3A4F140215FA1452110DB329CA0DBA0

Function 00233B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00233B56

Part of subcall function 00233AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00233AD2
Part of subcall function 00233AA3: ___AdjustPointer.LIBCMT ref: 00233AED

_UnwindNestedFrames.LIBCMT ref: 00233B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00233B7C
CallCatchBlock.LIBVCRUNTIME ref: 00233BA4

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: b23a545c2edd75e6b185bb5a05029c5232675a4db930ddadfa1c11480a5ee505
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 0F0129B2110149BBDF12AE95CC42EEB7B6AEF48758F044054FE4866121C736EA71DFA0

Function 00243073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,002113C6,00000000,00000000,?,0024301A,002113C6,00000000,00000000,00000000,?,0024328B,00000006,FlsSetValue), ref: 002430A5
GetLastError.KERNEL32(?,0024301A,002113C6,00000000,00000000,00000000,?,0024328B,00000006,FlsSetValue,002B2290,FlsSetValue,00000000,00000364,?,00242E46), ref: 002430B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0024301A,002113C6,00000000,00000000,00000000,?,0024328B,00000006,FlsSetValue,002B2290,FlsSetValue,00000000), ref: 002430BF

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: ba8931e33bb0e0d6941f9da7ca84bff0acbd3ed674a8fb31a22c130d2a2efae0
Instruction ID: fe55c722081547982f167a622ca8031f10c3714c1f4c8e0f611ff8b47e6c714c
Opcode Fuzzy Hash: ba8931e33bb0e0d6941f9da7ca84bff0acbd3ed674a8fb31a22c130d2a2efae0
Instruction Fuzzy Hash: 3001F732331223ABCB35CF78AC88A577BD8AF46B61B200720F905E7140CB21D925C6E0

Function 00277464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 0027747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00277497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 002774AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 002774CA

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: e8e90c4f5622c1630e3c542c944f39924092706d12044a3dbdff9a4f064bdb12
Instruction ID: 750df4380a3ec1b5bedb82018cf75ec99638d1a66c35d3aac6d4fc4fe04efd4f
Opcode Fuzzy Hash: e8e90c4f5622c1630e3c542c944f39924092706d12044a3dbdff9a4f064bdb12
Instruction Fuzzy Hash: D911A1B52153119BF7208F24EC18F927FFCEB04B00F10C569A61AD6151DBB0E914DB60

Function 0027B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0027ACD3,?,00008000), ref: 0027B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0027ACD3,?,00008000), ref: 0027B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0027ACD3,?,00008000), ref: 0027B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0027ACD3,?,00008000), ref: 0027B126

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: e6dd250862cbe06e7d074bd696c359946453dcdd4389e0d8429597e58fe12581
Instruction ID: 7757e93b4e5a3666749fac113ea7d748e62efd9399d0f2d88764ba23992776c4
Opcode Fuzzy Hash: e6dd250862cbe06e7d074bd696c359946453dcdd4389e0d8429597e58fe12581
Instruction Fuzzy Hash: A5118B30E2152DE7CF01AFE4E9687EEBB78FF0A311F108096D949B2181CB308661CB51

Function 002A7E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 002A7E33
ScreenToClient.USER32(?,?), ref: 002A7E4B
ScreenToClient.USER32(?,?), ref: 002A7E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 002A7E8A

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: a5223feb6054afffb6976f31e1ba2cbd62801ca4f93ec29ccdf9f8fd4d2367ba
Instruction ID: c441b21ef8f97d34066bffe782f19c69a6adf1c006e799305eb7ad1769a23c89
Opcode Fuzzy Hash: a5223feb6054afffb6976f31e1ba2cbd62801ca4f93ec29ccdf9f8fd4d2367ba
Instruction Fuzzy Hash: 9F1143B9D0020AAFDB41DF98D9849EEBBF9FB09310F505056E915E2210DB35AA54CF50

Function 00272DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00272DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00272DD6
GetCurrentThreadId.KERNEL32 ref: 00272DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00272DE4

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: db7da109d7d4073431fd3f56c9c6c765040940980c894459acec21da27cdddb2
Instruction ID: e0469c0acad6397cbd98ac743fbf0bf852d2c446e38640c296484e932ac6b361
Opcode Fuzzy Hash: db7da109d7d4073431fd3f56c9c6c765040940980c894459acec21da27cdddb2
Instruction Fuzzy Hash: 70E06D71611224BBD7205F63AC0DEEB3E6CEB83FA1F104015F109D10809AA08844C6B0

Function 002A8863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00229639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00229693
Part of subcall function 00229639: SelectObject.GDI32(?,00000000), ref: 002296A2
Part of subcall function 00229639: BeginPath.GDI32(?), ref: 002296B9
Part of subcall function 00229639: SelectObject.GDI32(?,00000000), ref: 002296E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 002A8887
LineTo.GDI32(?,?,?), ref: 002A8894
EndPath.GDI32(?), ref: 002A88A4
StrokePath.GDI32(?), ref: 002A88B2

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 9ff9dc3af0a0451be90c3fc35ee1900a17c76122d06aa5793bbf5f8e52af2286
Instruction ID: 0ca67af6e67df3d4525cbe64481d454bc40dc61bf5f3dcc853598acf05656f56
Opcode Fuzzy Hash: 9ff9dc3af0a0451be90c3fc35ee1900a17c76122d06aa5793bbf5f8e52af2286
Instruction Fuzzy Hash: 2EF03A36055299BBDB125F94BC0DFCE3A59AF06310F548000FA11650E2CF795561CFA9

Function 002298B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 002298CC
SetTextColor.GDI32(?,?), ref: 002298D6
SetBkMode.GDI32(?,00000001), ref: 002298E9
GetStockObject.GDI32(00000005), ref: 002298F1

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: a41f488b54878628067af8e209a1d74fd6bc14605d1cd73bea3a9e1c29525f72
Instruction ID: 29392e2ffa6e30d6fd419b284e4e668d3e40446c834ca1df97475f3033ee5ae5
Opcode Fuzzy Hash: a41f488b54878628067af8e209a1d74fd6bc14605d1cd73bea3a9e1c29525f72
Instruction Fuzzy Hash: C0E06D31244280ABDB215F74BC0DBE83F60EB13336F248219F6FA581E1CB7246949B10

Function 0027162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00271634
OpenThreadToken.ADVAPI32(00000000,?,?,?,002711D9), ref: 0027163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,002711D9), ref: 00271648
OpenProcessToken.ADVAPI32(00000000,?,?,?,002711D9), ref: 0027164F

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: a06dcd641581b9d5678093020d52b9b46879f30bb5c2dc13f193401b28dba1a3
Instruction ID: a3f47065ecc10556b1d8b1ebbbf243ee6a27c4a0420533b336d9271dc871fbc4
Opcode Fuzzy Hash: a06dcd641581b9d5678093020d52b9b46879f30bb5c2dc13f193401b28dba1a3
Instruction Fuzzy Hash: 85E08631601221DBD7201FA4BD0DB473B7CAF46791F248848F745C9080DE344550C750

Function 0026D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0026D858
GetDC.USER32(00000000), ref: 0026D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0026D882
ReleaseDC.USER32(?), ref: 0026D8A3

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: d2568f800c817743f2c49863fa790cb1e53d77a3160b920179b858817506811a
Instruction ID: 9a4ad128913ea096098d1a23f71dbe83bec56bb42e5e5ef5b8053bacadd2a8c0
Opcode Fuzzy Hash: d2568f800c817743f2c49863fa790cb1e53d77a3160b920179b858817506811a
Instruction Fuzzy Hash: DEE01AB4810204EFCB419FA0E80C66DBBF5FB49710F208049E816E7360CB788952AF40

Function 0026D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0026D86C
GetDC.USER32(00000000), ref: 0026D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0026D882
ReleaseDC.USER32(?), ref: 0026D8A3

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: b7bffb8014a5001b017f421375d96555c00b170823e83da1b4be381922457499
Instruction ID: c1bb98e2b451ce756b70a050111000364f7dfba54ba894d34888b975f30f35f5
Opcode Fuzzy Hash: b7bffb8014a5001b017f421375d96555c00b170823e83da1b4be381922457499
Instruction Fuzzy Hash: 82E01A74810204EFCB419FA0E80C66DBBF5BB48710B208049E916E7360CB3899119F40

Function 00284D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00217620: _wcslen.LIBCMT ref: 00217625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00284ED4

Strings

*, xrefs: 00284E10
LPT, xrefs: 00284DFB

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: fb1bfe365ab801dd7d53b2db6c6cdfa446c3084c311ecf4f7d9a5ba13e8e39b6
Instruction ID: 115cbfbd91a2dc3774f32ad1eea7dc25c5652b9176d981bdf36bd5ef2e69de49
Opcode Fuzzy Hash: fb1bfe365ab801dd7d53b2db6c6cdfa446c3084c311ecf4f7d9a5ba13e8e39b6
Instruction Fuzzy Hash: 12917179A112069FCB14EF54C484EA9BBF1BF58304F14809DE90A5F7A2C771ED95CB90

Function 0023E27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0023E30D

Strings

pow, xrefs: 0023E2E5, 0023E302

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: c0bfcab42c868d04d89ce8eaff850452e4a82930aa0c116f7fb6aec99e8752c0
Instruction ID: 1a89ae4386f1f12b5f9c97c964d39cb9d408c8fa48fb2aed909ce2929dfdb984
Opcode Fuzzy Hash: c0bfcab42c868d04d89ce8eaff850452e4a82930aa0c116f7fb6aec99e8752c0
Instruction Fuzzy Hash: 33514DA1E3C203D6CF197F24D9453BA3BA4EF40740F354A99E4B5422E9DB348CB99A46

Function 00297771 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(0026569E,00000000,?,002ACC08,?,00000000,00000000), ref: 002978DD

Part of subcall function 00216B57: _wcslen.LIBCMT ref: 00216B6A

CharUpperBuffW.USER32(0026569E,00000000,?,002ACC08,00000000,?,00000000,00000000), ref: 0029783B

Strings

<s-, xrefs: 002977C8

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: BuffCharUpper$_wcslen
String ID: <s-
API String ID: 3544283678-2482877350
Opcode ID: 9433d1fa7676b39a07b57ec44bb49a74b693b79c40143dd54c707da78c703fea
Instruction ID: 13b679b5ceff4d30093409969121c356a92fc524aca00d95ea87dc1f22c39d1c
Opcode Fuzzy Hash: 9433d1fa7676b39a07b57ec44bb49a74b693b79c40143dd54c707da78c703fea
Instruction Fuzzy Hash: 6E614C72934119AACF04EFE4CC95DFDB3B8FF24700B544126E542A7191EF70AAA5DBA0

Function 0022E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 0022E1B1

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 318336bfacb49c9122bce901c70db5181374641478d0158f94c9768680cf3417
Instruction ID: a7b9dc70bc3c7eefad5e783c49af0ea6cbb24ba07e0eb4a2a5d9e837508ef0b8
Opcode Fuzzy Hash: 318336bfacb49c9122bce901c70db5181374641478d0158f94c9768680cf3417
Instruction Fuzzy Hash: 55517838520203EFDF15DF68D041AFABBA8EF25310F254015EC929B2C0D6309DA2DBA0

Function 0022F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0022F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 0022F2BB

Strings

@, xrefs: 0022F2AF

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: fce487ff10e368480a6ba6c85e53d55e97f90960c64e97cb544d69c59a618c32
Instruction ID: 7b4a8fa14cf451162002f107dc870614437be7047fc9b8d967700ce3e4cb6792
Opcode Fuzzy Hash: fce487ff10e368480a6ba6c85e53d55e97f90960c64e97cb544d69c59a618c32
Instruction Fuzzy Hash: EF5134714187449BD320AF10E88ABAFBBF8FB95300F91885DF199421A5EB318579CB66

Function 00295745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 002957E0
_wcslen.LIBCMT ref: 002957EC

Strings

CALLARGARRAY, xrefs: 002957E6, 002957EB

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: d23b70c8a982ccb088fe7da70c7c12b3e69d8a77e49ca2b0a25d9c86ed5144e3
Instruction ID: 46d13a8614d1e4b70fec1be97051303b6dc93f0b4fcbd63d775a5173d55fa312
Opcode Fuzzy Hash: d23b70c8a982ccb088fe7da70c7c12b3e69d8a77e49ca2b0a25d9c86ed5144e3
Instruction Fuzzy Hash: 3741AE71A2021A9FCF15DFA8C8859EEBBF5FF59320F108069E505A7251EB709DA1CF90

Function 0028D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0028D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 0028D13A

Strings

|, xrefs: 0028D10B

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 7d48d1c3ee618d4ed50fe369dcebb51037bf7cbbbf243c0e235adbf59b621ec5
Instruction ID: 04888f2f5b196ccb783be25881505da79e6657b1ce60cf47f0888a93fa324b13
Opcode Fuzzy Hash: 7d48d1c3ee618d4ed50fe369dcebb51037bf7cbbbf243c0e235adbf59b621ec5
Instruction Fuzzy Hash: 63311B75D21109ABCF15EFA4CC89EEE7FB9FF14300F100119E819A61A5DB31A966DF50

Function 002A356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 002A3621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 002A365C

Strings

static, xrefs: 002A35BC

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 2b30d09332186c62d57b747d130950ac63c243a4e040c4225cc6b7f52a3ce538
Instruction ID: 9d65892481c90921ba6381abed4eaab83eb1627e6dbf20c54046d0b24ffeb790
Opcode Fuzzy Hash: 2b30d09332186c62d57b747d130950ac63c243a4e040c4225cc6b7f52a3ce538
Instruction Fuzzy Hash: C8318C71520205ABDB10DF68DC80EFB73ADFF89724F108619F8A597290DA31ADA19B64

Function 002A4537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 002A461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 002A4634

Strings

', xrefs: 002A458E

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 316d84adafb31924a078e381f3059d900537ba4715654f42c8d31e46ccafa1b9
Instruction ID: eefaed8118d88fab61ea92c3efcf491a69c54d9fc3071c95109e59968292843d
Opcode Fuzzy Hash: 316d84adafb31924a078e381f3059d900537ba4715654f42c8d31e46ccafa1b9
Instruction Fuzzy Hash: 1E312874A1120A9FDB14DF69C980BDA7BB9FF9A700F50406AE904AB341DBB0E951CF90

Function 002A31EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 002A327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 002A3287

Strings

Combobox, xrefs: 002A3249

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 545327e51a7e00eb876a9466c4238e3c384ec104cdbe4512a86093edf234af43
Instruction ID: 67fb3b6b60cf525607308e1efbaed461e440a90ed6e43ebca6844c865bc1871b
Opcode Fuzzy Hash: 545327e51a7e00eb876a9466c4238e3c384ec104cdbe4512a86093edf234af43
Instruction Fuzzy Hash: B411E6713202097FFF15DE54DC84FBB375AEB96364F100125F91897290DA319D618B60

Function 002A3710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0021600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0021604C
Part of subcall function 0021600E: GetStockObject.GDI32(00000011), ref: 00216060
Part of subcall function 0021600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0021606A

GetWindowRect.USER32(00000000,?), ref: 002A377A
GetSysColor.USER32(00000012), ref: 002A3794

Strings

static, xrefs: 002A3757

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: b17a1c4950ccc0fdd65ac2dd8f2dbea1d7e86a2270d75c0808e3ce9ff8ae0fe1
Instruction ID: a759fe289d60192f2e17b62ebc58c5160a04f470e99f4f80c4bced2c959aa19b
Opcode Fuzzy Hash: b17a1c4950ccc0fdd65ac2dd8f2dbea1d7e86a2270d75c0808e3ce9ff8ae0fe1
Instruction Fuzzy Hash: 07112CB262020AAFDB00DFA8DC45EFABBF8FB09354F104515F955E2250DB75E8619B50

Function 0028CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0028CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0028CDA6

Strings

<local>, xrefs: 0028CD66

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: d47f515d34048b3344f1c2047049ac95a8ad7ae117f8fefb2bf4128feb3c933e
Instruction ID: 07f9c7825bafc4e841f3cb60f3e98c71dc3f6337635bcb736988b7179ef52d44
Opcode Fuzzy Hash: d47f515d34048b3344f1c2047049ac95a8ad7ae117f8fefb2bf4128feb3c933e
Instruction Fuzzy Hash: 3B11A7751266327AD7286B668C49EE7BE5CEB127A4F204236B109831C0D7705861D7F0

Function 002A3429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 002A34AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 002A34BA

Strings

edit, xrefs: 002A348F

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: e8fe61d51ad981c00e44ce84b709bc31394d69d456c2ac8b227986f2a09ad162
Instruction ID: 29e8767cd0bd34433804724bce6002275e93bec5f12efff46ca11b0f5ef1b79d
Opcode Fuzzy Hash: e8fe61d51ad981c00e44ce84b709bc31394d69d456c2ac8b227986f2a09ad162
Instruction Fuzzy Hash: 5D119171520209AFEB11CE64EC44AFB376AEF1A774F604324F965971D0CB71DCA19B50

Function 00276C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00219CB3: _wcslen.LIBCMT ref: 00219CBD

CharUpperBuffW.USER32(?,?,?), ref: 00276CB6
_wcslen.LIBCMT ref: 00276CC2

Strings

STOP, xrefs: 00276CBC, 00276CC1

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 4809b2d6766b8df8f1593c3f58db2df86958e97a04002d72ad2f5244cef82c1b
Instruction ID: 82f2ebb9a87cfd71c9f99bf2046d8a80390d76bcd1e33e82f302d00e022dd555
Opcode Fuzzy Hash: 4809b2d6766b8df8f1593c3f58db2df86958e97a04002d72ad2f5244cef82c1b
Instruction Fuzzy Hash: F50104326309278BCB21AFFDDC889BF33A4EA65710B104539E85696190EB31D960CA50

Function 00271CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00219CB3: _wcslen.LIBCMT ref: 00219CBD

Part of subcall function 00273CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00273CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00271D4C

Strings

ComboBox, xrefs: 00271CEB
ListBox, xrefs: 00271D16

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: e45293326076db87b0089ab39716c9988e690ed8be7acd50489a367299039d26
Instruction ID: f5b77b52d00eec7818c3b2efdfe7d4d23e0e329a6d0ce7e2f743084ee36b9292
Opcode Fuzzy Hash: e45293326076db87b0089ab39716c9988e690ed8be7acd50489a367299039d26
Instruction Fuzzy Hash: AD012831620214ABCB28EFA8CC11CFE73A8FF57390B10451BF866573C1EA7059788E60

Function 00271BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00219CB3: _wcslen.LIBCMT ref: 00219CBD

Part of subcall function 00273CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00273CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00271C46

Strings

ComboBox, xrefs: 00271BE5
ListBox, xrefs: 00271C10

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: b43af95c78c74022c30ff397a539199e9e135969e2afc2bdb4920bb7817837f7
Instruction ID: c510bcfc564e13238b6fd40e86412e66e1e58f0b80e1c9603edc11467e74b171
Opcode Fuzzy Hash: b43af95c78c74022c30ff397a539199e9e135969e2afc2bdb4920bb7817837f7
Instruction Fuzzy Hash: 3801FC7166011467CB15EBD4C9529FF73E89F16340F20401FE80A672C1EA709E789AB2

Function 00271C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00219CB3: _wcslen.LIBCMT ref: 00219CBD

Part of subcall function 00273CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00273CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00271CC8

Strings

ComboBox, xrefs: 00271C69
ListBox, xrefs: 00271C94

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 04db3c7c5ad57a6860cacdf6db53f577a4953c65da9a69ed3575be9a9ebe4902
Instruction ID: 5b5255f2e8fe57811a7a73e56fc5e66352ce66257861582cd193ca1ae167a075
Opcode Fuzzy Hash: 04db3c7c5ad57a6860cacdf6db53f577a4953c65da9a69ed3575be9a9ebe4902
Instruction Fuzzy Hash: E001DB7166111567CB15EBD5CA12AFE73EC9F22340F14401BB84673281EA709F78DAB2

Function 0022A4D6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0022A529

Part of subcall function 00219CB3: _wcslen.LIBCMT ref: 00219CBD

Strings

,%., xrefs: 0022A509
3y&, xrefs: 0022A545, 0022A54D, 0022A552

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: Init_thread_footer_wcslen
String ID: ,%.$3y&
API String ID: 2551934079-2574036372
Opcode ID: d31d2c9882f7f5317de6a5a909dc560a486b2da4a5ae8130e051bb7357ee2f2e
Instruction ID: b5981f9280d3bb059b276d62751f74cc193f2ad0f1ca1e2f8899103f62e710dc
Opcode Fuzzy Hash: d31d2c9882f7f5317de6a5a909dc560a486b2da4a5ae8130e051bb7357ee2f2e
Instruction Fuzzy Hash: 5B012B32B70660A7C504F7A8F9ABA9E73A89B06720FD00025F9065B5C2DE509DB58ED7

Function 00271D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00219CB3: _wcslen.LIBCMT ref: 00219CBD

Part of subcall function 00273CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00273CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00271DD3

Strings

ComboBox, xrefs: 00271D75
ListBox, xrefs: 00271DA0

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 0d0829de0dd9fc7cd1ce02e5609726f0499f69eebf63037e73f7a8ae4cfe25cc
Instruction ID: e615836655dbabf36a4391828aaa76fe47c0a801cd81402c621a7ca00b384a21
Opcode Fuzzy Hash: 0d0829de0dd9fc7cd1ce02e5609726f0499f69eebf63037e73f7a8ae4cfe25cc
Instruction Fuzzy Hash: 2BF0F971A7121466C718EBA8CC52BFE73A8AF16340F04091BF866632C1DA7059788AA0

Function 002A8172 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,002E3018,002E305C), ref: 002A81BF
CloseHandle.KERNEL32 ref: 002A81D1

Strings

\0., xrefs: 002A818A

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: \0.
API String ID: 3712363035-2574726650
Opcode ID: 1eba2f4db613bc2efccf379f8b2330686bef87274970a2df07e04bf2e0ee13bb
Instruction ID: a70bafd2a686982634856406212d18bd49f8590b8b904243fdb2005015d7b22b
Opcode Fuzzy Hash: 1eba2f4db613bc2efccf379f8b2330686bef87274970a2df07e04bf2e0ee13bb
Instruction Fuzzy Hash: D6F054F1690340BBE720E761FC4DFB73A5CDB05752F000460BB08DA1A1DA758A1486B4

Function 0029747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00297493
_wcslen.LIBCMT ref: 002974B9

Strings

3, 3, 16, 1, xrefs: 00297483

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: a265634f4efd2ea47e0b3750de250e226ba8820302485d495857ca8d4418898b
Instruction ID: 43ac95061c1755017ec26ce0a497ed78ea21bf0572ed6e81f728c9c16007f18e
Opcode Fuzzy Hash: a265634f4efd2ea47e0b3750de250e226ba8820302485d495857ca8d4418898b
Instruction Fuzzy Hash: 39E0AB462342201083302239DCC1B7F4799CFC9760B10282BF880C2267EA888CB183A0

Function 00270B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00270B23

Strings

Error allocating memory., xrefs: 00270B1C
AutoIt, xrefs: 00270B17

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 912fd825ff99fb558cd675330849ffc80084f175828b38129cbee385b45498be
Instruction ID: 6713823ae5891aa4af603039c28c2dee7702ca7c3c9bcea453602a9e21dbc45d
Opcode Fuzzy Hash: 912fd825ff99fb558cd675330849ffc80084f175828b38129cbee385b45498be
Instruction Fuzzy Hash: 51E0D83126432837D21437947D07FC9BA848F06B20F200467F748555C38FE168B04AE9

Function 00230D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0022F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00230D71,?,?,?,0021100A), ref: 0022F7CE

IsDebuggerPresent.KERNEL32(?,?,?,0021100A), ref: 00230D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0021100A), ref: 00230D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00230D7F

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 2b84931a86c0d2bf643ff7b6eba004f69637a9a134e2c05225e3a2bbed67dd2d
Instruction ID: 5006ee3ab72cb96fe0e868afa226845d275fccef98f07e01696125683ca942c3
Opcode Fuzzy Hash: 2b84931a86c0d2bf643ff7b6eba004f69637a9a134e2c05225e3a2bbed67dd2d
Instruction Fuzzy Hash: FBE06DB02103518BE3609FB8E698746BBF0EB05740F00496DE882C6655DBB4E4948BA1

Function 0022E398 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0022E3D5

Strings

0%., xrefs: 0022E3B5
8%., xrefs: 0022E3CA

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: 0%.$8%.
API String ID: 1385522511-764554917
Opcode ID: 3acd96835867d41815b38a2163ee6d8c84a9eb965d4b0295492a838fb2fae095
Instruction ID: f9b9ed2c95660304e8cec4d825218d3a000beea2eadda493d9e8aa2b5022d600
Opcode Fuzzy Hash: 3acd96835867d41815b38a2163ee6d8c84a9eb965d4b0295492a838fb2fae095
Instruction Fuzzy Hash: 9AE020314B0B74DBCE0CDB58B7E899C3359AB05321BD101E4F0034B1D5DBB018659A54

Function 00283017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 0028302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00283044

Strings

aut, xrefs: 00283038

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: d8bf7a411720b6a0e60e7731bad573479d762e88bdbc6a8ad5c3434be97d8242
Instruction ID: dc14ae46a32994df9cbb2a79cf3e77575cda35fbcc5de6cebf33a46ba1a079be
Opcode Fuzzy Hash: d8bf7a411720b6a0e60e7731bad573479d762e88bdbc6a8ad5c3434be97d8242
Instruction Fuzzy Hash: 4FD05E7250032867DA20A7A4AD0EFCB3B6CDB06750F0002A2BA96E2091DEB09984CAD0

Function 0026D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0026D220

Strings

%.3d, xrefs: 0026D22B
X64, xrefs: 0026D2A8

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 83d78da49dcd8e8ed029355484adfb82e24f02ff2c7ad84341bcf9ab70d0c133
Instruction ID: c1ae8be1c40b5d1c916e888fd5e42a8f032e741803ab5c14d82c0644f81cfa1b
Opcode Fuzzy Hash: 83d78da49dcd8e8ed029355484adfb82e24f02ff2c7ad84341bcf9ab70d0c133
Instruction Fuzzy Hash: 2BD012B1D3811CFACB9096D0DC599B9B37CAB09301F608462FC0691041E7A8D5A86B61

Function 002A2322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 002A232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 002A233F

Part of subcall function 0027E97B: Sleep.KERNEL32 ref: 0027E9F3

Strings

Shell_TrayWnd, xrefs: 002A2325

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: e2aa9293dffdfc807abeca247c0e345c877380f4771d4bb584b91baa3fb67b48
Instruction ID: 00c339d531a2169e2cf376124d7306408241b75700762e7802a0423883af0e86
Opcode Fuzzy Hash: e2aa9293dffdfc807abeca247c0e345c877380f4771d4bb584b91baa3fb67b48
Instruction Fuzzy Hash: AFD022323E0300B7E668B730EC0FFC6BA089B02B00F1049027349AA1D0CCF0A800CE10

Function 002A2356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 002A236C
PostMessageW.USER32(00000000), ref: 002A2373

Part of subcall function 0027E97B: Sleep.KERNEL32 ref: 0027E9F3

Strings

Shell_TrayWnd, xrefs: 002A2365

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 5a76260697e5a9c19d8a621ded75206b817a1b2064daecfcd8dc57d0e9021da0
Instruction ID: d2af451661cf0b0389f17c839f9b5fb4887a773f5f62d3aab95d053cc61c51dd
Opcode Fuzzy Hash: 5a76260697e5a9c19d8a621ded75206b817a1b2064daecfcd8dc57d0e9021da0
Instruction Fuzzy Hash: 9ED0A9323D0300BBE668A730AC0FFC6A6089B06B00F1049027345AA1D0C8B0A8008A14

Function 0024BDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 0024BE93
GetLastError.KERNEL32 ref: 0024BEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0024BEFC

Memory Dump Source

Source File: 00000000.00000002.1857939666.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1857910587.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858016096.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858201436.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1858226365.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: ae674a69f68dcf8ed66acc14728e02f76ea47721fc3130ac0fb7bdb975cf655c
Instruction ID: 2e4d279811b72ba353282f3ba035cbbd3a752269abbae652ad1b335fba668e10
Opcode Fuzzy Hash: ae674a69f68dcf8ed66acc14728e02f76ea47721fc3130ac0fb7bdb975cf655c
Instruction Fuzzy Hash: 5B410434624207AFCF2A8F65DC44ABA7BA4EF42710F254169F95D9B1A2DB30CC25DF50

Source: Joe Sandbox View	IP Address: 151.101.1.91 151.101.1.91
Source: Joe Sandbox View	IP Address: 34.149.100.209 34.149.100.209
Source: Joe Sandbox View	IP Address: 34.117.188.166 34.117.188.166
Source: Joe Sandbox View	IP Address: 34.160.144.191 34.160.144.191

Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache

Source: firefox.exe, 0000000D.00000003.2002351158.00000149E1677000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2000949564.00000149E3459000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2001890378.00000149E28C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.2002351158.00000149E1677000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.2000949564.00000149E3459000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2003923363.00000149E13B8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1988441132.00000149DC37E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1998396556.00000149E67AB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.2050948209.00000149E3443000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1897237648.00000149E3443000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2028065020.00000149E3443000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.2050948209.00000149E3443000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1897237648.00000149E3443000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2028065020.00000149E3443000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.2002351158.00000149E1677000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2000949564.00000149E3459000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2001890378.00000149E28C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.2002351158.00000149E1677000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2000949564.00000149E3459000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2003923363.00000149E13B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000010.00000002.3061930155.00000225F3903000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.3062621728.000001D27EC0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000010.00000002.3061930155.00000225F3903000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.3062621728.000001D27EC0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000010.00000002.3061930155.00000225F3903000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.3062621728.000001D27EC0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000013.00000002.3062621728.000001D27EC0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/. equals www.facebook.com (Facebook)
Source: firefox.exe, 00000013.00000002.3062621728.000001D27EC0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/. equals www.twitter.com (Twitter)
Source: firefox.exe, 00000013.00000002.3062621728.000001D27EC0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/. equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1998396556.00000149E67AB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2045225209.00000149DAA4A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2054583485.00000149DAA4A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.2045225209.00000149DAA4A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2054583485.00000149DAA4A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1998396556.00000149E678A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: x://www.facebook.com/platform/impression.php equals www.facebook.com (Facebook)

Source: global traffic	DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic	DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic	DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic	DNS traffic detected: DNS query: example.org
Source: global traffic	DNS traffic detected: DNS query: shavar.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: support.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: push.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: us-west1.prod.sumo.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: telemetry-incoming.r53-2.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: firefox.settings.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.remote-settings.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: www.facebook.com
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.wikipedia.org
Source: global traffic	DNS traffic detected: DNS query: star-mini.c10r.facebook.com
Source: global traffic	DNS traffic detected: DNS query: dyna.wikimedia.org
Source: global traffic	DNS traffic detected: DNS query: youtube-ui.l.google.com
Source: global traffic	DNS traffic detected: DNS query: www.reddit.com
Source: global traffic	DNS traffic detected: DNS query: twitter.com
Source: global traffic	DNS traffic detected: DNS query: reddit.map.fastly.net
Source: global traffic	DNS traffic detected: DNS query: services.addons.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: normandy.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: normandy-cdn.services.mozilla.com

Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.4:49750 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49755 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49765 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49766 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:62505 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.4:62506 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.91:443 -> 192.168.2.4:62507 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:62510 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:62512 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.4:62513 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:62511 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:62625 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:62626 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:62624 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:62633 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:62632 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:62634 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:62635 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:62635 version: TLS 1.2

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 62624 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 62515 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62511 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62791 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62505 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62513
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62634
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62635
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62515
Source: unknown	Network traffic detected: HTTP traffic on port 62509 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62791
Source: unknown	Network traffic detected: HTTP traffic on port 62633 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62510
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62511
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62632
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62512
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62633
Source: unknown	Network traffic detected: HTTP traffic on port 62625 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 62512 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62506 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62632 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 62626 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62513 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62635 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62507 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62510 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62583 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62624
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62625
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62505
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62626
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62506
Source: unknown	Network traffic detected: HTTP traffic on port 62508 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62507
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62508
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62509
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62583
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62634 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_d2095acc-b576-490f-be2a-e88ee9820c13.json (copy)

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_d2095acc-b576-490f-be2a-e88ee9820c13.json.tmp

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

C:\Users\user\AppData\Local\Temp\tmpaddon

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite-shm

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Windows Analysis Report
file.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre