Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1542041
MD5:	e2e50901ca2c794cb21bc264f810225d
SHA1:	e979f4725058a44c870160dfe8f0d819b39ab676
SHA256:	173da04353e5305908e799c0f66b6697ce67ec67d80313677130386ec6c78aed
Tags:	exeuser-Bitsight
Infos:

Detection

Credential Flusher

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Credential Flusher

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Connects to many different domains

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

OS version to string mapping found (often used in BOTs)

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

file.exe (PID: 2584 cmdline: "C:\Users\user\Desktop\file.exe" MD5: E2E50901CA2C794CB21BC264F810225D)

taskkill.exe (PID: 5060 cmdline: taskkill /F /IM firefox.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 5504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 6848 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 5780 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 3784 cmdline: taskkill /F /IM msedge.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 5352 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 6728 cmdline: taskkill /F /IM opera.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 1124 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 6052 cmdline: taskkill /F /IM brave.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 2000 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

firefox.exe (PID: 1264 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 984 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 768 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 3500 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2192 -parentBuildID 20230927232528 -prefsHandle 2124 -prefMapHandle 2120 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bb573d6b-3cc0-446c-a205-dc8b324aeea6} 768 "\\.\pipe\gecko-crash-server-pipe.768" 2166b66fb10 socket MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 6504 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1816 -parentBuildID 20230927232528 -prefsHandle 3972 -prefMapHandle 4124 -prefsLen 26338 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c7a6247a-fa7b-4532-9435-f40874f1d950} 768 "\\.\pipe\gecko-crash-server-pipe.768" 2167dadc510 rdd MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7380 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4756 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 4840 -prefMapHandle 4744 -prefsLen 33119 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6871b4da-64c6-482a-a921-42f46f1556ab} 768 "\\.\pipe\gecko-crash-server-pipe.768" 2167d5c1f10 utility MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000000.00000003.2133850199.00000000013AF000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security
00000000.00000003.2134126493.00000000013B6000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security
Process Memory Space: file.exe PID: 2584	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security

Code function: 0_2_009AEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_009AEAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009AED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_009AED6A

Source: C:\Users\user\Desktop\file.exe

0_2_009AEAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0099AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_0099AA57

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009C9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_009C9576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_0a61ea0d-e
Source: file.exe, 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_3658cea6-d
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_7cda96c6-c
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_a2e13afd-3

Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_00000203D7EE2377 NtQuerySystemInformation,		17_2_00000203D7EE2377
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_00000203D80172B2 NtQuerySystemInformation,		17_2_00000203D80172B2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0099D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_0099D5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00991201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00991201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0099E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_0099E8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009A2046	0_2_009A2046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00938060	0_2_00938060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00998298	0_2_00998298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0096E4FF	0_2_0096E4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0096676B	0_2_0096676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009C4873	0_2_009C4873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0095CAA0	0_2_0095CAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0093CAF0	0_2_0093CAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0094CC39	0_2_0094CC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00966DD9	0_2_00966DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009391C0	0_2_009391C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0094B119	0_2_0094B119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00951394	0_2_00951394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00951706	0_2_00951706
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0095781B	0_2_0095781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009519B0	0_2_009519B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00937920	0_2_00937920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0094997D	0_2_0094997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00957A4A	0_2_00957A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00957CA7	0_2_00957CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00951C77	0_2_00951C77
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00969EEE	0_2_00969EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009BBE44	0_2_009BBE44
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00951F32	0_2_00951F32
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_00000203D7EE2377	17_2_00000203D7EE2377
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_00000203D80172B2	17_2_00000203D80172B2
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_00000203D80172F2	17_2_00000203D80172F2
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_00000203D80179DC	17_2_00000203D80179DC

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00939CB3 appears 31 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 0094F9F2 appears 40 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00950A30 appears 46 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal72.troj.evad.winEXE@34/34@65/12

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009A37B5 GetLastError,FormatMessageW,

0_2_009A37B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009910BF AdjustTokenPrivileges,CloseHandle,		0_2_009910BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009916C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_009916C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009A51CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_009A51CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0099D4DC CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0099D4DC

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009A648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_009A648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009342A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_009342A2

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Mozilla\Firefox\SkeletonUILock-c388d246

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5352:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5504:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1124:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2000:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5780:120:WilError_03

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Temp\firefox

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: firefox.exe, 0000000E.00000003.2290390574.0000021686D11000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2171931848.0000021686D12000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2171931848.0000021686D89000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2217750804.0000021686D11000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2217750804.0000021686D89000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2311480193.0000021686D5E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE timestamp BETWEEN date(:dateFrom) AND date(:dateTo);
Source: firefox.exe, 0000000E.00000003.2290390574.0000021686D11000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2171931848.0000021686D12000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2217750804.0000021686D11000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2311480193.0000021686D5E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE events (id INTEGER PRIMARY KEY, type INTEGER NOT NULL, count INTEGER NOT NULL, timestamp DATE );
Source: firefox.exe, 0000000E.00000003.2290390574.0000021686D11000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2171931848.0000021686D12000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2217750804.0000021686D11000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2311480193.0000021686D5E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: INSERT INTO events (type, count, timestamp) VALUES (:type, 1, date(:date));
Source: firefox.exe, 0000000E.00000003.2290390574.0000021686D11000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2171931848.0000021686D12000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2217750804.0000021686D11000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2311480193.0000021686D5E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;
Source: firefox.exe, 0000000E.00000003.2290390574.0000021686D11000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2171931848.0000021686D12000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2217750804.0000021686D11000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2311480193.0000021686D5E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;Fy6
Source: firefox.exe, 0000000E.00000003.2290390574.0000021686D11000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2171931848.0000021686D12000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2217750804.0000021686D11000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2311480193.0000021686D5E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: UPDATE events SET count = count + 1 WHERE id = :id;-
Source: firefox.exe, 0000000E.00000003.2290390574.0000021686D11000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2171931848.0000021686D12000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2217750804.0000021686D11000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2311480193.0000021686D5E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9'
Source: firefox.exe, 0000000E.00000003.2290390574.0000021686D11000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2171931848.0000021686D12000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2217750804.0000021686D11000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2311480193.0000021686D5E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9
Source: firefox.exe, 0000000E.00000003.2290390574.0000021686D11000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2171931848.0000021686D12000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2217750804.0000021686D11000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2311480193.0000021686D5E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE type = :type AND timestamp = date(:date);

Source: file.exe

ReversingLabs: Detection: 47%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2192 -parentBuildID 20230927232528 -prefsHandle 2124 -prefMapHandle 2120 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bb573d6b-3cc0-446c-a205-dc8b324aeea6} 768 "\\.\pipe\gecko-crash-server-pipe.768" 2166b66fb10 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1816 -parentBuildID 20230927232528 -prefsHandle 3972 -prefMapHandle 4124 -prefsLen 26338 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c7a6247a-fa7b-4532-9435-f40874f1d950} 768 "\\.\pipe\gecko-crash-server-pipe.768" 2167dadc510 rdd
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4756 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 4840 -prefMapHandle 4744 -prefsLen 33119 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6871b4da-64c6-482a-a921-42f46f1556ab} 768 "\\.\pipe\gecko-crash-server-pipe.768" 2167d5c1f10 utility
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2192 -parentBuildID 20230927232528 -prefsHandle 2124 -prefMapHandle 2120 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bb573d6b-3cc0-446c-a205-dc8b324aeea6} 768 "\\.\pipe\gecko-crash-server-pipe.768" 2166b66fb10 socket	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1816 -parentBuildID 20230927232528 -prefsHandle 3972 -prefMapHandle 4124 -prefsLen 26338 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c7a6247a-fa7b-4532-9435-f40874f1d950} 768 "\\.\pipe\gecko-crash-server-pipe.768" 2167dadc510 rdd	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4756 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 4840 -prefMapHandle 4744 -prefsLen 33119 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6871b4da-64c6-482a-a921-42f46f1556ab} 768 "\\.\pipe\gecko-crash-server-pipe.768" 2167d5c1f10 utility	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: user32.pdb source: firefox.exe, 0000000E.00000003.2217208258.0000021687575000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdbV source: gmpopenh264.dll.tmp.14.dr
Source:	Binary string: wshbth.pdbGCTL source: firefox.exe, 0000000E.00000003.2211201148.0000021687680000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: pnrpnsp.pdb source: firefox.exe, 0000000E.00000003.2210042640.0000021687676000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wshbth.pdb source: firefox.exe, 0000000E.00000003.2211201148.0000021687680000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wsock32.pdbUGP source: firefox.exe, 0000000E.00000003.2179351124.00000216876CC000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2203521768.00000216876CD000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2180406048.00000216876CC000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2208384448.00000216876CC000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2178531342.00000216876CD000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2176991676.00000216876CD000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2177873997.00000216876CD000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2205755026.00000216876CD000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2178167653.00000216876CD000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2180110901.00000216876CC000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2178975620.00000216876CC000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2204212898.00000216876CD000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2202950303.00000216876CD000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2180831163.00000216876CC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: netprofm.pdb source: firefox.exe, 0000000E.00000003.2207691033.0000021678A79000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdb source: gmpopenh264.dll.tmp.14.dr
Source:	Binary string: pnrpnsp.pdbUGP source: firefox.exe, 0000000E.00000003.2210042640.0000021687676000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: netprofm.pdbUGP source: firefox.exe, 0000000E.00000003.2207691033.0000021678A79000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wsock32.pdb source: firefox.exe, 0000000E.00000003.2179351124.00000216876CC000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2203521768.00000216876CD000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2180406048.00000216876CC000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2208384448.00000216876CC000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2178531342.00000216876CD000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2176991676.00000216876CD000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2177873997.00000216876CD000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2205755026.00000216876CD000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2178167653.00000216876CD000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2180110901.00000216876CC000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2178975620.00000216876CC000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2204212898.00000216876CD000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2202950303.00000216876CD000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2180831163.00000216876CC000.00000004.00000020.00020000.00000000.sdmp

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009342DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_009342DE

Source: gmpopenh264.dll.tmp.14.dr

Static PE information: section name: .rodata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00950A76 push ecx; ret

0_2_00950A89

Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp			Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)			Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0094F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_0094F98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009C1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_009C1C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-98273

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 17_2_00000203D7EE2377 rdtsc

17_2_00000203D7EE2377

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.5 %

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0099DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0099DBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0096C2A2 FindFirstFileExW,	0_2_0096C2A2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009A68EE FindFirstFileW,FindClose,	0_2_009A68EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009A698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_009A698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0099D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0099D076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0099D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0099D3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009A9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_009A9642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009A979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_009A979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009A9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_009A9B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009A5C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_009A5C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009342DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_009342DE

Source: firefox.exe, 00000011.00000002.3336259874.00000203D7DA0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllm
Source: firefox.exe, 00000012.00000002.3330334867.0000019EE889A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWPH
Source: firefox.exe, 00000010.00000002.3330418230.0000013E7E1EA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0
Source: firefox.exe, 00000011.00000002.3329769344.00000203D754A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0d
Source: firefox.exe, 00000010.00000002.3338496991.0000013E7E800000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3336259874.00000203D7DA0000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3336816691.0000019EE8C20000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: firefox.exe, 00000011.00000002.3336259874.00000203D7DA0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllF
Source: firefox.exe, 00000010.00000002.3337113059.0000013E7E713000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: firefox.exe, 00000011.00000002.3336259874.00000203D7DA0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllh
Source: firefox.exe, 00000010.00000002.3338496991.0000013E7E800000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 17_2_00000203D7EE2377 rdtsc

17_2_00000203D7EE2377

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009AEAA2 BlockInput,

0_2_009AEAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00962622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00962622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009342DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_009342DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00954CE8 mov eax, dword ptr fs:[00000030h]

0_2_00954CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00990B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00990B62

Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00962622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00962622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0095083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0095083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009509D5 SetUnhandledExceptionFilter,	0_2_009509D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00950C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00950C21

Source: C:\Users\user\Desktop\file.exe

0_2_00991201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00972BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00972BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0099B226 SendInput,keybd_event,

0_2_0099B226

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009B22DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_009B22DA

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

0_2_00990B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00991663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00991663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd
Source: firefox.exe, 0000000E.00000003.2179938472.00000216876D5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: hSoftware\Policies\Microsoft\Windows\PersonalizationNoChangingStartMenuBackgroundPersonalColors_BackgroundWilStaging_02RtlDisownModuleHeapAllocationRtlQueryFeatureConfigurationRtlRegisterFeatureConfigurationChangeNotificationRtlSubscribeWnfStateChangeNotificationRtlDllShutdownInProgressntdll.dllNtQueryWnfStateDataLocal\SM0:%d:%d:%hs_p0Local\SessionImmersiveColorPreferenceBEGINTHMthmfile\Sessions\%d\Windows\ThemeSectionMessageWindowendthemewndThemeApiConnectionRequest\ThemeApiPortwinsta0SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\PersonalizeAppsUseLightThemeSystemUsesLightThemedefaultshell\themes\uxtheme\render.cppCompositedWindow::WindowdeletedrcacheMDIClientSoftware\Microsoft\Windows\DWMColorPrevalenceSoftware\Microsoft\Windows\CurrentVersion\ImmersiveShellTabletModeMENUAccentColorSoftware\Microsoft\Windows\CurrentVersion\Explorer\AccentDefaultStartColorControl Panel\DesktopAutoColorizationAccentColorMenuStartColorMenuAutoColorSoftware\Microsoft\Windows\CurrentVersion\Themes\History\ColorsSoftware\Microsoft\Windows\CurrentVersion\Themes\HistoryAccentPaletteTab$Shell_TrayWndLocal\SessionImmersiveColorMutex

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00950698 cpuid

0_2_00950698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009A8195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_009A8195

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0098D27A GetUserNameW,

0_2_0098D27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0096B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_0096B952

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009342DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_009342DE

Stealing of Sensitive Information

Yara detected Credential Flusher

Source: Yara match	File source: 00000000.00000003.2133850199.00000000013AF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2134126493.00000000013B6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 2584, type: MEMORYSTR

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected Credential Flusher

Source: Yara match	File source: 00000000.00000003.2133850199.00000000013AF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2134126493.00000000013B6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 2584, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009B1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_009B1204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009B1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_009B1806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	2 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Extra Window Memory Injection	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	1 DLL Side-Loading	NTDS	16 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 Extra Window Memory Injection	LSA Secrets	131 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Process Injection	1 Masquerading	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	2 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	47%	ReversingLabs	Win32.Trojan.CredentialFlusher
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	0%	ReversingLabs

Source	Detection	Scanner	Label
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	0%	URL Reputation	safe
http://detectportal.firefox.com/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	0%	URL Reputation	safe
https://datastudio.google.com/embed/reporting/	0%	URL Reputation	safe
http://www.mozilla.com0	0%	URL Reputation	safe
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	0%	URL Reputation	safe
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.	0%	URL Reputation	safe
https://merino.services.mozilla.com/api/v1/suggest	0%	URL Reputation	safe
https://json-schema.org/draft/2019-09/schema.	0%	URL Reputation	safe
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	0%	URL Reputation	safe
https://www.leboncoin.fr/	0%	URL Reputation	safe
https://spocs.getpocket.com/spocs	0%	URL Reputation	safe
https://screenshots.firefox.com	0%	URL Reputation	safe
https://shavar.services.mozilla.com	0%	URL Reputation	safe
https://completion.amazon.com/search/complete?q=	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	0%	URL Reputation	safe
https://ads.stickyadstv.com/firefox-etp	0%	URL Reputation	safe
https://identity.mozilla.com/ids/ecosystem_telemetryU	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	0%	URL Reputation	safe
https://monitor.firefox.com/breach-details/	0%	URL Reputation	safe
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	0%	URL Reputation	safe
https://xhr.spec.whatwg.org/#sync-warning	0%	URL Reputation	safe
https://profiler.firefox.com/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/addons/addon/	0%	URL Reputation	safe
https://tracking-protection-issues.herokuapp.com/new	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	0%	URL Reputation	safe
https://json-schema.org/draft/2020-12/schema/=	0%	URL Reputation	safe
https://app.adjust.com/167k4ih?campaign=firefox-desktop&adgroup=pb&creative=focus-omc172&redirect=ht	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	0%	URL Reputation	safe
https://api.accounts.firefox.com/v1	0%	URL Reputation	safe
https://ok.ru/	0%	URL Reputation	safe
https://fpn.firefox.com	0%	URL Reputation	safe
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	0%	URL Reputation	safe
https://MD8.mozilla.org/1/m	0%	URL Reputation	safe
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	0%	URL Reputation	safe
https://bugzilla.mo	0%	URL Reputation	safe
https://mitmdetection.services.mozilla.com/	0%	URL Reputation	safe
https://static.adsafeprotected.com/firefox-etp-js	0%	URL Reputation	safe
https://shavar.services.mozilla.com/	0%	URL Reputation	safe
https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL	0%	URL Reputation	safe
https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref	0%	URL Reputation	safe
https://spocs.getpocket.com/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	0%	URL Reputation	safe
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	0%	URL Reputation	safe
https://monitor.firefox.com/user/breach-stats?includeResolved=true	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1584464	0%	URL Reputation	safe
http://a9.com/-/spec/opensearch/1.0/	0%	URL Reputation	safe
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	0%	URL Reputation	safe
https://monitor.firefox.com/user/dashboard	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1170143	0%	URL Reputation	safe
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	0%	URL Reputation	safe
https://monitor.firefox.com/about	0%	URL Reputation	safe
https://account.bellmedia.c	0%	URL Reputation	safe
https://login.microsoftonline.com	0%	URL Reputation	safe
https://coverage.mozilla.org	0%	URL Reputation	safe
http://crl.thawte.com/ThawteTimestampingCA.crl0	0%	URL Reputation	safe
https://www.zhihu.com/	0%	URL Reputation	safe
http://x1.c.lencr.org/0	0%	URL Reputation	safe
http://x1.i.lencr.org/0	0%	URL Reputation	safe
http://a9.com/-/spec/opensearch/1.1/	0%	URL Reputation	safe
https://infra.spec.whatwg.org/#ascii-whitespace	0%	URL Reputation	safe
https://blocked.cdn.mozilla.net/	0%	URL Reputation	safe
https://developer.mozilla.org/en-US/docs/Glossary/speculative_parsingDocumentWriteIgnored	0%	URL Reputation	safe
https://json-schema.org/draft/2019-09/schema	0%	URL Reputation	safe
http://developer.mozilla.org/en/docs/DOM:element.addEventListener	0%	URL Reputation	safe
https://duckduckgo.com/?t=ffab&q=	0%	URL Reputation	safe
https://profiler.firefox.com	0%	URL Reputation	safe
https://outlook.live.com/default.aspx?rru=compose&to=%s	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=793869	0%	URL Reputation	safe
https://identity.mozilla.com/apps/relay	0%	URL Reputation	safe
https://mozilla.cloudflare-dns.com/dns-query	0%	URL Reputation	safe
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
example.org	93.184.215.14	true	false	unknown
star-mini.c10r.facebook.com	157.240.253.35	true	false	unknown
prod.classify-client.prod.webservices.mozgcp.net	35.190.72.216	true	false	unknown
prod.balrog.prod.cloudops.mozgcp.net	35.244.181.201	true	false	unknown
twitter.com	104.244.42.129	true	false	unknown
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82	true	false	unknown
services.addons.mozilla.org	151.101.129.91	true	false	unknown
dyna.wikimedia.org	185.15.59.224	true	false	unknown
prod.remote-settings.prod.webservices.mozgcp.net	34.149.100.209	true	false	unknown
contile.services.mozilla.com	34.117.188.166	true	false	unknown
youtube.com	142.250.184.238	true	false	unknown
prod.content-signature-chains.prod.webservices.mozgcp.net	34.160.144.191	true	false	unknown
youtube-ui.l.google.com	142.250.185.206	true	false	unknown
us-west1.prod.sumo.prod.webservices.mozgcp.net	34.149.128.2	true	false	unknown
reddit.map.fastly.net	151.101.193.140	true	false	unknown
ipv4only.arpa	192.0.0.170	true	false	unknown
prod.ads.prod.webservices.mozgcp.net	34.117.188.166	true	false	unknown
push.services.mozilla.com	34.107.243.93	true	false	unknown
normandy-cdn.services.mozilla.com	35.201.103.21	true	false	unknown
telemetry-incoming.r53-2.services.mozilla.com	34.120.208.123	true	false	unknown
www.reddit.com	unknown	unknown	false	unknown
spocs.getpocket.com	unknown	unknown	false	unknown
content-signature-2.cdn.mozilla.net	unknown	unknown	false	unknown
support.mozilla.org	unknown	unknown	false	unknown
firefox.settings.services.mozilla.com	unknown	unknown	false	unknown
www.youtube.com	unknown	unknown	false	unknown
www.facebook.com	unknown	unknown	false	unknown
detectportal.firefox.com	unknown	unknown	false	unknown
normandy.cdn.mozilla.net	unknown	unknown	false	unknown
shavar.services.mozilla.com	unknown	unknown	false	unknown
www.wikipedia.org	unknown	unknown	false	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-	firefox.exe, 00000010.00000002.3332782266.0000013E7E500000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3336639385.00000203D7EA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3336967039.0000019EE8D20000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	firefox.exe, 00000011.00000002.3331774996.00000203D78C6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3332486080.0000019EE8BC3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://detectportal.firefox.com/	firefox.exe, 0000000E.00000003.2327395123.000002167CFEC000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	firefox.exe, 00000010.00000002.3332782266.0000013E7E500000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3336639385.00000203D7EA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3336967039.0000019EE8D20000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://datastudio.google.com/embed/reporting/	firefox.exe, 0000000E.00000003.2290390574.0000021686D89000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2311335700.0000021686D89000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2296270972.000002167D2CB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2171931848.0000021686D89000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2217750804.0000021686D89000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.mozilla.com0	gmpopenh264.dll.tmp.14.dr	false	URL Reputation: safe	unknown
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	firefox.exe, 0000000E.00000003.2133258990.0000021683534000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2134901293.000002168352E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.	firefox.exe, 00000010.00000002.3333558594.0000013E7E6CA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3331774996.00000203D78E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3337360804.0000019EE8E03000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.dr	false	URL Reputation: safe	unknown
https://merino.services.mozilla.com/api/v1/suggest	firefox.exe, 00000011.00000002.3331774996.00000203D7886000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3332486080.0000019EE8B8E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://json-schema.org/draft/2019-09/schema.	firefox.exe, 0000000E.00000003.2327933193.000002167CE29000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	firefox.exe, 00000010.00000002.3332782266.0000013E7E500000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3336639385.00000203D7EA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3336967039.0000019EE8D20000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.leboncoin.fr/	firefox.exe, 0000000E.00000003.2138496956.000002167C267000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://spocs.getpocket.com/spocs	firefox.exe, 0000000E.00000003.2137449176.000002167DCA1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/exec/obidos/external-search/?field-keywords=&ie=UTF-8&mode=blended&tag=mozill	firefox.exe, 0000000E.00000003.2221958699.0000021683335000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://screenshots.firefox.com	firefox.exe, 0000000E.00000003.2306660249.00000216795B3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://shavar.services.mozilla.com	firefox.exe, 0000000E.00000003.2283781894.000002167E1C4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2280346932.00000216859AE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2311629303.00000216859FD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2223446800.00000216859AE000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://completion.amazon.com/search/complete?q=	firefox.exe, 0000000E.00000003.2116650803.000002167B600000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2117583702.000002167B88A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2117429343.000002167B86F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2117050179.000002167B838000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2116857703.000002167B81D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2117222146.000002167B853000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	firefox.exe, 00000010.00000002.3332782266.0000013E7E500000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3336639385.00000203D7EA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3336967039.0000019EE8D20000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ads.stickyadstv.com/firefox-etp	firefox.exe, 0000000E.00000003.2304023885.000002167C1DE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2304023885.000002167C1A8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2300862319.000002167D5C6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2303548547.000002167C4DE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2273322123.000002167D5C6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2328884251.000002167C4DE000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://identity.mozilla.com/ids/ecosystem_telemetryU	firefox.exe, 0000000E.00000003.2290390574.0000021686D11000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2171931848.0000021686D12000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2311555909.0000021686D3E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2217750804.0000021686D11000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	firefox.exe, 00000010.00000002.3332782266.0000013E7E500000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3336639385.00000203D7EA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3336967039.0000019EE8D20000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/breach-details/	firefox.exe, 00000010.00000002.3332782266.0000013E7E500000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3336639385.00000203D7EA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3336967039.0000019EE8D20000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/w3c/csswg-drafts/issues/4650	firefox.exe, 0000000E.00000003.2267284541.00000216833E2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2225104357.00000216833DA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2221958699.00000216833DA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2176246974.00000216833DA000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	firefox.exe, 00000010.00000002.3332782266.0000013E7E500000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3336639385.00000203D7EA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3336967039.0000019EE8D20000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://xhr.spec.whatwg.org/#sync-warning	firefox.exe, 0000000E.00000003.2221958699.00000216833A8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2176246974.00000216833A2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2282828354.00000216833A8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2225104357.00000216833A8000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/exec/obidos/external-search/	firefox.exe, 0000000E.00000003.2291465936.000002168387B000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://profiler.firefox.com/	firefox.exe, 0000000E.00000003.2306444254.0000021679A79000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com	firefox.exe, 0000000E.00000003.2299833583.000002167EE6D000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://github.com/mozilla-services/screenshots	firefox.exe, 0000000E.00000003.2116650803.000002167B600000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2117429343.000002167B86F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2117050179.000002167B838000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2116857703.000002167B81D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2117222146.000002167B853000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://services.addons.mozilla.org/api/v4/addons/addon/	firefox.exe, 00000010.00000002.3332782266.0000013E7E500000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3336639385.00000203D7EA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3336967039.0000019EE8D20000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://tracking-protection-issues.herokuapp.com/new	firefox.exe, 00000010.00000002.3332782266.0000013E7E500000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3336639385.00000203D7EA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3336967039.0000019EE8D20000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	firefox.exe, 00000010.00000002.3332782266.0000013E7E500000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3336639385.00000203D7EA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3336967039.0000019EE8D20000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://youtube.com/	firefox.exe, 0000000E.00000003.2269122782.000002167EE71000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://json-schema.org/draft/2020-12/schema/=	firefox.exe, 0000000E.00000003.2327933193.000002167CE29000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://app.adjust.com/167k4ih?campaign=firefox-desktop&adgroup=pb&creative=focus-omc172&redirect=ht	firefox.exe, 0000000E.00000003.2323526564.00000216853AC000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	firefox.exe, 00000010.00000002.3332782266.0000013E7E500000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3336639385.00000203D7EA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3336967039.0000019EE8D20000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.accounts.firefox.com/v1	firefox.exe, 00000010.00000002.3332782266.0000013E7E500000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3336639385.00000203D7EA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3336967039.0000019EE8D20000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ok.ru/	firefox.exe, 0000000E.00000003.2326042750.000002167DA76000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/	firefox.exe, 0000000E.00000003.2222863453.00000216874C0000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/	firefox.exe, 00000010.00000002.3332782266.0000013E7E500000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3336639385.00000203D7EA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3336967039.0000019EE8D20000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://fpn.firefox.com	firefox.exe, 0000000E.00000003.2306660249.000002167957A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	firefox.exe, 00000010.00000002.3332782266.0000013E7E500000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3336639385.00000203D7EA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3336967039.0000019EE8D20000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://mozilla.org/0S	firefox.exe, 0000000E.00000003.2284580889.0000001DB6504000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.youtube.com/	firefox.exe, 00000011.00000002.3331774996.00000203D7803000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3332486080.0000019EE8B0C000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	firefox.exe, 0000000E.00000003.2155711114.000002167BF7B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2156807830.000002167BF9A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2156840764.000002167BFAF000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	firefox.exe, 00000010.00000002.3332782266.0000013E7E500000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3336639385.00000203D7EA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3336967039.0000019EE8D20000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://MD8.mozilla.org/1/m	firefox.exe, 0000000E.00000003.2291465936.0000021683882000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://addons.mozilla.org/firefox/addon/to-google-translate/	firefox.exe, 0000000E.00000003.2280622229.000002168539E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2323572814.00000216853A2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2312088697.000002168539E000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	firefox.exe, 00000011.00000002.3331774996.00000203D78C6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3332486080.0000019EE8BC3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://127.0.0.1:	firefox.exe, 00000010.00000002.3332782266.0000013E7E500000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3336639385.00000203D7EA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3336967039.0000019EE8D20000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	firefox.exe, 0000000E.00000003.2156807830.000002167BF9A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mo	firefox.exe, 0000000E.00000003.2312181513.0000021685360000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mitmdetection.services.mozilla.com/	firefox.exe, 00000010.00000002.3332782266.0000013E7E500000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3336639385.00000203D7EA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3336967039.0000019EE8D20000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://static.adsafeprotected.com/firefox-etp-js	firefox.exe, 0000000E.00000003.2304023885.000002167C1DE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2300862319.000002167D5C6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2273322123.000002167D5C6000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://youtube.com/account?=	recovery.jsonlz4.tmp.14.dr	false		unknown
https://shavar.services.mozilla.com/	firefox.exe, 0000000E.00000003.2283781894.000002167E1C4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL	firefox.exe, 0000000E.00000003.2171931848.0000021686DAA000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref	firefox.exe, 00000010.00000002.3333558594.0000013E7E6CA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3331774996.00000203D78E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3337360804.0000019EE8E03000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.dr	false	URL Reputation: safe	unknown
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477	firefox.exe, 00000010.00000002.3333558594.0000013E7E6CA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3331774996.00000203D78E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3337360804.0000019EE8E03000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.dr	false		unknown
https://spocs.getpocket.com/	firefox.exe, 0000000E.00000003.2308796352.0000021687464000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2176246974.000002168338E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3331774996.00000203D7803000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3332486080.0000019EE8B0C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	firefox.exe, 00000010.00000002.3332782266.0000013E7E500000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3336639385.00000203D7EA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3336967039.0000019EE8D20000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	firefox.exe, 00000010.00000002.3332782266.0000013E7E500000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3336639385.00000203D7EA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3336967039.0000019EE8D20000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	firefox.exe, 00000010.00000002.3332782266.0000013E7E500000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3336639385.00000203D7EA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3336967039.0000019EE8D20000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.iqiyi.com/	firefox.exe, 0000000E.00000003.2326042750.000002167DA76000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://youtube.com/account?=https://accounts.google.co	firefox.exe, 00000012.00000002.3331064744.0000019EE89E0000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r	firefox.exe, 00000010.00000002.3332782266.0000013E7E500000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3336639385.00000203D7EA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3336967039.0000019EE8D20000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://monitor.firefox.com/user/breach-stats?includeResolved=true	firefox.exe, 00000010.00000002.3332782266.0000013E7E500000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3336639385.00000203D7EA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3336967039.0000019EE8D20000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	firefox.exe, 00000010.00000002.3332782266.0000013E7E500000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3336639385.00000203D7EA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3336967039.0000019EE8D20000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1584464	firefox.exe, 0000000E.00000003.2267284541.00000216833E2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2225104357.00000216833DA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2221958699.00000216833DA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2176246974.00000216833DA000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://a9.com/-/spec/opensearch/1.0/	firefox.exe, 0000000E.00000003.2172750104.00000216838D4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2312600433.00000216838D5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2291465936.00000216838D4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2219567753.00000216838D4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi	prefs-1.js.14.dr	false		unknown
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	firefox.exe, 00000010.00000002.3332782266.0000013E7E500000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3336639385.00000203D7EA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3336967039.0000019EE8D20000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.inbox.lv/rfc2368/?value=%su	firefox.exe, 0000000E.00000003.2306266647.0000021679AC1000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://monitor.firefox.com/user/dashboard	firefox.exe, 00000010.00000002.3332782266.0000013E7E500000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3336639385.00000203D7EA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3336967039.0000019EE8D20000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1170143	firefox.exe, 0000000E.00000003.2156807830.000002167BF9A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	firefox.exe, 00000010.00000002.3332782266.0000013E7E500000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3336639385.00000203D7EA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3336967039.0000019EE8D20000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/about	firefox.exe, 00000010.00000002.3332782266.0000013E7E500000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3336639385.00000203D7EA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3336967039.0000019EE8D20000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://mozilla.org/MPL/2.0/.	firefox.exe, 0000000E.00000003.2147653013.000002167D1D8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2342098377.000002167BBFC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2293869326.00000216833DC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2134142449.00000216835E5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2278527744.0000021683E57000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2270136213.000002167EE20000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2272728063.000002167DBCB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2225104357.00000216833DA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2243404565.00000216835DF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2228439546.000002167D4F4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2136897402.00000216834EF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2291161237.0000021683E2C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2221958699.0000021683335000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2287769688.000002167D1CF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2288640821.000002167B952000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2150635488.00000216835DF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2269122782.000002167EE52000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2124398838.000002167C842000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2176246974.00000216833A2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2125647332.000002167BBF4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2305256673.000002167B799000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://account.bellmedia.c	firefox.exe, 0000000E.00000003.2299833583.000002167EE6D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl3.digiF1	firefox.exe, 0000000E.00000003.2210735090.0000021678A45000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2213224625.0000021678A45000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2178704945.0000021678A66000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2179579457.0000021678A66000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2165908149.0000021678A66000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://youtube.com/	firefox.exe, 0000000E.00000003.2219567753.00000216838CE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2172750104.00000216838CE000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://login.microsoftonline.com	firefox.exe, 0000000E.00000003.2299833583.000002167EE6D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://coverage.mozilla.org	firefox.exe, 00000010.00000002.3332782266.0000013E7E500000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3336639385.00000203D7EA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3336967039.0000019EE8D20000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0	gmpopenh264.dll.tmp.14.dr	false	URL Reputation: safe	unknown
https://www.zhihu.com/	firefox.exe, 0000000E.00000003.2324906437.0000021683432000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2221488923.0000021683432000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2326042750.000002167DA76000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.c.lencr.org/0	firefox.exe, 0000000E.00000003.2224920602.00000216834EF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2136897402.00000216834EF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2175849037.00000216834EF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2220904658.00000216834EF000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.i.lencr.org/0	firefox.exe, 0000000E.00000003.2224920602.00000216834EF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2136897402.00000216834EF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2175849037.00000216834EF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2220904658.00000216834EF000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://a9.com/-/spec/opensearch/1.1/	firefox.exe, 0000000E.00000003.2172750104.00000216838D4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2312600433.00000216838D5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2291465936.00000216838D4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2219567753.00000216838D4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://infra.spec.whatwg.org/#ascii-whitespace	firefox.exe, 0000000E.00000003.2134901293.000002168352E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://blocked.cdn.mozilla.net/	firefox.exe, 00000010.00000002.3332782266.0000013E7E500000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3336639385.00000203D7EA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3336967039.0000019EE8D20000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://developer.mozilla.org/en-US/docs/Glossary/speculative_parsingDocumentWriteIgnored	firefox.exe, 0000000E.00000003.2221958699.00000216833A8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2176246974.00000216833A2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2282828354.00000216833A8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2225104357.00000216833A8000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://json-schema.org/draft/2019-09/schema	firefox.exe, 0000000E.00000003.2138496956.000002167C267000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://developer.mozilla.org/en/docs/DOM:element.addEventListener	firefox.exe, 0000000E.00000003.2221958699.00000216833A8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2176246974.00000216833A2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2282828354.00000216833A8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2225104357.00000216833A8000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/?t=ffab&q=	firefox.exe, 0000000E.00000003.2175849037.0000021683459000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://profiler.firefox.com	firefox.exe, 00000010.00000002.3332782266.0000013E7E500000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3336639385.00000203D7EA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3336967039.0000019EE8D20000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://outlook.live.com/default.aspx?rru=compose&to=%s	firefox.exe, 0000000E.00000003.2306266647.0000021679AC1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=793869	firefox.exe, 0000000E.00000003.2156807830.000002167BF9A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://identity.mozilla.com/apps/relay	firefox.exe, 0000000E.00000003.2327603612.000002167CF4C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2302585616.000002167CF47000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mozilla.cloudflare-dns.com/dns-query	firefox.exe, 00000010.00000002.3332782266.0000013E7E500000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3336639385.00000203D7EA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3336967039.0000019EE8D20000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	firefox.exe, 0000000E.00000003.2325011402.000002167E2CD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2316729188.000002167E2CC000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
34.149.100.209	prod.remote-settings.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
151.101.129.91	services.addons.mozilla.org	United States	54113	FASTLYUS	false
34.107.243.93	push.services.mozilla.com	United States	15169	GOOGLEUS	false
34.107.221.82	prod.detectportal.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
35.244.181.201	prod.balrog.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
34.117.188.166	contile.services.mozilla.com	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
35.201.103.21	normandy-cdn.services.mozilla.com	United States	15169	GOOGLEUS	false
35.190.72.216	prod.classify-client.prod.webservices.mozgcp.net	United States	15169	GOOGLEUS	false
142.250.184.238	youtube.com	United States	15169	GOOGLEUS	false
34.160.144.191	prod.content-signature-chains.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.120.208.123	telemetry-incoming.r53-2.services.mozilla.com	United States	15169	GOOGLEUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1542041
Start date and time:	2024-10-25 13:49:06 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 19s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	21
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal72.troj.evad.winEXE@34/34@65/12
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 95% Number of executed functions: 40 Number of non-executed functions: 313
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.13.186.250, 44.231.229.39, 34.208.54.237, 142.250.186.74, 142.250.186.106, 216.58.206.46, 2.22.61.56, 2.22.61.59
Excluded domains from analysis (whitelisted): fs.microsoft.com, shavar.prod.mozaws.net, ciscobinary.openh264.org, otelrules.azureedge.net, slscr.update.microsoft.com, incoming.telemetry.mozilla.org, ctldl.windowsupdate.com, a17.rackcdn.com.mdc.edgesuite.net, detectportal.prod.mozaws.net, aus5.mozilla.org, fe3cr.delivery.mp.microsoft.com, a19.dscg10.akamai.net, ocsp.digicert.com, redirector.gvt1.com, safebrowsing.googleapis.com, location.services.mozilla.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
07:50:08	API Interceptor	1x Sleep call for process: firefox.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
34.117.188.166	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.149.100.209	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
151.101.129.91	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
example.org	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
twitter.com	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
star-mini.c10r.facebook.com	https://developmentltd.online/	Get hash	malicious	Captcha Phish	Browse	157.240.251.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.253.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.252.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.201.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.253.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
FASTLYUS	Quarantined Messages (1).zip	Get hash	malicious	HTMLPhisher	Browse	151.101.66.137
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	https://ljptn9jl729v.jp.larksuite.com/share/base/form/shrjpAd28kd9HXI7TjO1wFqS7Pf	Get hash	malicious	Unknown	Browse	151.101.65.195
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	ES Ny kontraktsrunda.msg	Get hash	malicious	Unknown	Browse	151.101.194.137
	https://klickskydd.skolverket.org/?url=https%3A%2F%2Fonedrive.live.com%2Fredir%3Fresid%3DA2C259BD24DEB977%25211517%26authkey%3D%2521AMV6sdjMIZf95vs%26page%3DView%26wd%3Dtarget%2528Quick%2520Notes.one%257C8266a05f-045a-4cc0-bddc-4debc90069bb%252FNotera%2520H6TYD9J4rDFDFECZC-HUYW%257Ca949d04d-b4e2-4509-b99f-d04546199b7b%252F%2529%26wdorigin%3DNavigationUrl&id=71de&rcpt=johan.brandt@skolverket.se&tss=1729830791&msgid=2d0ccdeb-928a-11ef-8a2e-0050569b0508&html=1&h=008c08c0	Get hash	malicious	Unknown	Browse	151.101.130.137
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
ATGS-MMD-ASUS	la.bot.mipsel.elf	Get hash	malicious	Unknown	Browse	34.10.190.7
	la.bot.m68k.elf	Get hash	malicious	Unknown	Browse	33.10.198.51
	la.bot.sparc.elf	Get hash	malicious	Unknown	Browse	56.136.168.56
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	la.bot.arm5.elf	Get hash	malicious	Mirai	Browse	51.220.251.61
	la.bot.arm5.elf	Get hash	malicious	Unknown	Browse	48.73.86.243
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	la.bot.sh4.elf	Get hash	malicious	Unknown	Browse	152.159.125.152
	la.bot.arm.elf	Get hash	malicious	Unknown	Browse	192.56.124.49
	la.bot.sparc.elf	Get hash	malicious	Unknown	Browse	33.98.58.36

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fb0aa01abe9d8e4037eb3473ca6e2dca	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_6717216f-15e1-441b-b447-0b872ed68b3e.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.182183089126054
Encrypted:	false
SSDEEP:	192:pWKMX/LccbhbVbTbfbRbObtbyEl7nOo1lOr2JA6wnSrDtTkd/SdC:pWPocNhnzFSJIr1jnSrDhkd/1
MD5:	1B216E1EAB1AF4CE944DA552B6FE622E
SHA1:	15C5200BC188A1FF9890A669A90D982DA6FB0214
SHA-256:	A39FAA5E46833982A97EE630FCB5C9A7A48DF8A9CAE3EFAFDF256A327EEEF12C
SHA-512:	792335E767668799C4DFFC147D05F9AFAF446C74A2910D30EC8E8C4A006761FEAF040D9EB5E8DE8DCFC3718199647B4EA904635E2B3A415E7D5A3E7216FD3B07
Malicious:	false
Preview:	{"type":"uninstall","id":"6717216f-15e1-441b-b447-0b872ed68b3e","creationDate":"2024-10-25T12:53:43.238Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"1fca7bd2-7b44-4c45-b0ea-e0486850ce95","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_6717216f-15e1-441b-b447-0b872ed68b3e.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.182183089126054
Encrypted:	false
SSDEEP:	192:pWKMX/LccbhbVbTbfbRbObtbyEl7nOo1lOr2JA6wnSrDtTkd/SdC:pWPocNhnzFSJIr1jnSrDhkd/1
MD5:	1B216E1EAB1AF4CE944DA552B6FE622E
SHA1:	15C5200BC188A1FF9890A669A90D982DA6FB0214
SHA-256:	A39FAA5E46833982A97EE630FCB5C9A7A48DF8A9CAE3EFAFDF256A327EEEF12C
SHA-512:	792335E767668799C4DFFC147D05F9AFAF446C74A2910D30EC8E8C4A006761FEAF040D9EB5E8DE8DCFC3718199647B4EA904635E2B3A415E7D5A3E7216FD3B07
Malicious:	false
Preview:	{"type":"uninstall","id":"6717216f-15e1-441b-b447-0b872ed68b3e","creationDate":"2024-10-25T12:53:43.238Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"1fca7bd2-7b44-4c45-b0ea-e0486850ce95","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ISO Media, MP4 Base Media v1 [ISO 14496-12:2003]
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.4593089050301797
Encrypted:	false
SSDEEP:	48:9SP0nUgwyZXYI65yFRX2D3GNTTfyn0Mk1iA:9SDKaIjo3UzyE1L
MD5:	D910AD167F0217587501FDCDB33CC544
SHA1:	2F57441CEFDC781011B53C1C5D29AC54835AFC1D
SHA-256:	E3699D9404A3FFC1AFF0CA8A3972DC0EF38BDAB927741E9F627C7C55CEA42E81
SHA-512:	F1871BF28FF25EE52BDB99C7A80AB715C7CAC164DCD2FD87E681168EE927FD2C5E80E03C91BB638D955A4627213BF575FF4D9EECAEDA7718C128CF2CE8F7CB3D
Malicious:	false
Preview:	... ftypisom....isomiso2avc1mp41....free....mdat..........E...H..,. .#..x264 - core 152 r2851 ba24899 - H.264/MPEG-4 AVC codec - Copyleft 2003-2017 - http://www.videolan.org/x264.html - options: cabac=1 ref=3 deblock=1:0:0 analyse=0x3:0x113 me=hex subme=7 psy=1 psy_rd=1.00:0.00 mixed_ref=1 me_range=16 chroma_me=1 trellis=1 8x8dct=1 cqm=0 deadzone=21,11 fast_pskip=1 chroma_qp_offset=-2 threads=4 lookahead_threads=1 sliced_threads=0 nr=0 decimate=1 interlaced=0 bluray_compat=0 constrained_intra=0 bframes=3 b_pyramid=2 b_adapt=1 b_bias=0 direct=1 weightb=1 open_gop=0 weightp=2 keyint=250 keyint_min=25 scenecut=40 intra_refresh=0 rc_lookahead=40 rc=crf mbtree=1 crf=23.0 qcomp=0.60 qpmin=0 qpmax=69 qpstep=4 ip_ratio=1.40 aq=1:1.00......e...+...s\|.kG3...'.u.."...,J.w.~.d\..(K....!.+..;....h....(.T.*...M......0..~L..8..B..A.y..R..,.zBP.';j.@.].w..........c......C=.'f....gI.$^.......m5V.L...{U..%V[....8......B..i..^,....:...,..5.m.%dA....moov...lmvhd...................(...........

C:\Users\user\AppData\Local\Temp\tmpaddon

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	453023
Entropy (8bit):	7.997718157581587
Encrypted:	true
SSDEEP:	12288:tESTeqTI2r4ZbCgUKWKNeRcPMb6qlV7hVZe3:tEsed2Xh9/bdzZe3
MD5:	85430BAED3398695717B0263807CF97C
SHA1:	FFFBEE923CEA216F50FCE5D54219A188A5100F41
SHA-256:	A9F4281F82B3579581C389E8583DC9F477C7FD0E20C9DFC91A2E611E21E3407E
SHA-512:	06511F1F6C6D44D076B3C593528C26A602348D9C41689DBF5FF716B671C3CA5756B12CB2E5869F836DEDCE27B1A5CFE79B93C707FD01F8E84B620923BB61B5F1
Malicious:	false
Preview:	PK.........bN...R..........gmpopenh264.dll..\|.E.0.=..I.....1....4f1q.`.........q.....'+....hm{.z..o_.{w........$..($A!...\|L...B&A2.s.{..Dd......c.U.U..9u.S...K.l`...../.d.-....\|.....&....9......wn..x......i.#O.+.Y.l......+....,3.3f..\..c.SSS,............N...GG...F.'.&.:'.K.Z&.>.@.g..M...M.`............ZR....^jg.G.Kb.o~va.....<Z..1.#.O.e.....D..X..i..$imBW..Q&.......P.....,M.,..:.c...-...\...........-i.K.I..4.a..6.....Ov=...W..F.CH.>...a.'.x...#@f...d..u.1....OV.1o}....g.5.._.3.J.Hi.Z.ipM....b.Z....%.G..F................/..3.q..J.....o...%.g.N..}..).3.N%.!..q........^I.m..~...6.#.~+.....A...I]r...x...<IYj....p0..`S.M@.E..f.=.;!.@.....E..E....... .0.n....Jd..d......uM.-.qI.lR..z..=}..r.D.XLZ....x.$..\|c.1.cUkM.&.Qn]..a]t.h...!.6 7..Jd.DvKJ"Wgd*%n...w...Jni.inmr.@M.$'Z.s....#)%..Rs..:.h....R....\..t.6..'.g.........Uj+F.cr:\|..!..K.W.Y...17......,....r.....>.N..3.R.Y.._\...Ir.DNJdM... .k...&V-....z.%...-...D..i..&...6....7.2T).>..0..%.&.

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\ExperimentStoreData.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.927960095429932
Encrypted:	false
SSDEEP:	48:YnSwkmrOVPUFRbOdwNIOdoWLEWLtkDZuwpx5FBvipA6kb92the6LuhakNhBq9ZxE:8S+OVPUFRbOdwNIOdYpjvY1Q6LIsL8P
MD5:	F857191BFE3EAE1E8BB026CE83763C49
SHA1:	50BD7A35DF169F2652535985BBAF0084CC80CF00
SHA-256:	1173D32A1A96EEABD0202B9176907A1946C254373C697A44DFD9F4E0518A415A
SHA-512:	B9029937F052109D50DBDCDB5CEBFA7DF70A4E6DCFDE8BB2705249CF9431768735F5C7B11BDB625354A8EBA7FE8FFD05BDACA8E181F690FB5EAC6DB31E6F91D1
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"3ba649bc-be47-4b92-8762-21cab57bda3b","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-04T13:40:33.697Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\ExperimentStoreData.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.927960095429932
Encrypted:	false
SSDEEP:	48:YnSwkmrOVPUFRbOdwNIOdoWLEWLtkDZuwpx5FBvipA6kb92the6LuhakNhBq9ZxE:8S+OVPUFRbOdwNIOdYpjvY1Q6LIsL8P
MD5:	F857191BFE3EAE1E8BB026CE83763C49
SHA1:	50BD7A35DF169F2652535985BBAF0084CC80CF00
SHA-256:	1173D32A1A96EEABD0202B9176907A1946C254373C697A44DFD9F4E0518A415A
SHA-512:	B9029937F052109D50DBDCDB5CEBFA7DF70A4E6DCFDE8BB2705249CF9431768735F5C7B11BDB625354A8EBA7FE8FFD05BDACA8E181F690FB5EAC6DB31E6F91D1
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"3ba649bc-be47-4b92-8762-21cab57bda3b","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-04T13:40:33.697Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addonStartup.json.lz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 22422 bytes
Category:	dropped
Size (bytes):	5308
Entropy (8bit):	6.599374203470186
Encrypted:	false
SSDEEP:	96:z2YbKsKNU2xWrp327tGmD4wBON6h6cHAHJVauvjZHjkTymdS1/qTMg6Uhm:zTx2x2t0FDJ4NpkuvjdeplTMohm
MD5:	EB56C2F4DA9435F3D5574161F414CD17
SHA1:	74A8FC3EC0559740FD9D835B638354985E2DEAB6
SHA-256:	394E803D5FF8E156DFA7D15E96B51A683F4624A1BCF88EAA532399AC2C9B0966
SHA-512:	DF90568D191C757392FB85BDDA5333C7FE7E3BB370C5DE8C50DD810B938D732E39B5608FB4494CAADAE99E1601989FDFC0FEBDCF70F27FFE581F904170A81E0F
Malicious:	false
Preview:	mozLz40..W....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addonStartup.json.lz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 22422 bytes
Category:	dropped
Size (bytes):	5308
Entropy (8bit):	6.599374203470186
Encrypted:	false
SSDEEP:	96:z2YbKsKNU2xWrp327tGmD4wBON6h6cHAHJVauvjZHjkTymdS1/qTMg6Uhm:zTx2x2t0FDJ4NpkuvjdeplTMohm
MD5:	EB56C2F4DA9435F3D5574161F414CD17
SHA1:	74A8FC3EC0559740FD9D835B638354985E2DEAB6
SHA-256:	394E803D5FF8E156DFA7D15E96B51A683F4624A1BCF88EAA532399AC2C9B0966
SHA-512:	DF90568D191C757392FB85BDDA5333C7FE7E3BB370C5DE8C50DD810B938D732E39B5608FB4494CAADAE99E1601989FDFC0FEBDCF70F27FFE581F904170A81E0F
Malicious:	false
Preview:	mozLz40..W....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addons.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addons.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\content-prefs.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 5, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 8, cookie 0x6, schema 4, largest root page 8, UTF-8, vacuum mode 1, version-valid-for 4
Category:	dropped
Size (bytes):	262144
Entropy (8bit):	0.04905141882491872
Encrypted:	false
SSDEEP:	24:DLSvwae+Q8Uu50xj0aWe9LxYkKA25Q5tvAA:DKwae+QtMImelekKDa5
MD5:	8736A542C5564A922C47B19D9CC5E0F2
SHA1:	CE9D58967DA9B5356D6C1D8A482F9CE74DA9097A
SHA-256:	97CE5D8AFBB0AA610219C4FAC3927E32C91BFFD9FD971AF68C718E7B27E40077
SHA-512:	99777325893DC7A95FD49B2DA18D32D65F97CC7A8E482D78EDC32F63245457FA5A52750800C074D552D20B6A215604161FDC88763D93C76A8703470C3064196B
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......\|....~.}.}z}-\|.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\store.json.mozlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\store.json.mozlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\extensions.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.1867463390487
Encrypted:	false
SSDEEP:	768:JI4avfWX94O6L4x4ME454N4ohvM4T4Pia4T4I4t54U:JI4KvG
MD5:	98875950B62B398FFE70C0A8D0998017
SHA1:	CFCFFF938402E53D341FE392E25D2E6C557E548F
SHA-256:	1B445C7E12712026D4E663426527CE58FD221D2E26545AEA699E67D60F16E7F0
SHA-512:	728FF6FF915A45B44D720F41F9545F41F1BF5FB218D58073BD27DB19145D2225488988BE80FB0F712922D7B661E1A64448E3F71F09A1480B6F20BD2480888ABF
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{7a5650ac-9a89-4807-a040-9f0832bf39a9}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\extensions.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.1867463390487
Encrypted:	false
SSDEEP:	768:JI4avfWX94O6L4x4ME454N4ohvM4T4Pia4T4I4t54U:JI4KvG
MD5:	98875950B62B398FFE70C0A8D0998017
SHA1:	CFCFFF938402E53D341FE392E25D2E6C557E548F
SHA-256:	1B445C7E12712026D4E663426527CE58FD221D2E26545AEA699E67D60F16E7F0
SHA-512:	728FF6FF915A45B44D720F41F9545F41F1BF5FB218D58073BD27DB19145D2225488988BE80FB0F712922D7B661E1A64448E3F71F09A1480B6F20BD2480888ABF
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{7a5650ac-9a89-4807-a040-9f0832bf39a9}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\favicons.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\permissions.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.07327381581577863
Encrypted:	false
SSDEEP:	12:DBl/A0OWla0mwPxRymgObsCVR45wcYR4fmnsCVR4zki4:DLhesh7Owd4+ji4
MD5:	0F02BB5BE9559A72D1DA201E95847D7F
SHA1:	6589A30DE374066D6F85D65F4D5233C69DF29421
SHA-256:	FCEF66FA09A4A8ACCE5919EC519794420CFBBD8128D6FE0B14E71FCEF3083157
SHA-512:	4CEB5641226613D01A5AB9199DD75EF3C9B8F2D8733D091B97A102BDD5DC19725C1DD601C69D28CA35962566AD257268462D868A00B2E9F112E52166B6AF48D6
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......~s..F~s........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.03438274924279078
Encrypted:	false
SSDEEP:	3:GtlstFodsahfM8ZoPlstFodsahfM8B/l/T89//alEl:GtWtqphkVWtqphkux89XuM
MD5:	9645AFC84B4CF4545A5A78E395CCE689
SHA1:	03FEB62614582BCA373ABF9D66B636745DA61AA7
SHA-256:	E49F9C166601BE1B7BCC89BD80F7D4A1EADC1511F13DE3DC61E99F2D43DFB6B1
SHA-512:	DC059C1B0B78F2C28F18A71D8E3F996CEE7E8C4443C631813C7E905827FE3EAFA71B8626CE5F485C5BEB94CF6F2C29C9673C4B1498D0BDC720371CEA77B0C75E
Malicious:	false
Preview:	..-.....................?.........[i.R.:O.R%...~..-.....................?.........[i.R.:O.R%...~........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-wal

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	dropped
Size (bytes):	32824
Entropy (8bit):	0.03910487318740858
Encrypted:	false
SSDEEP:	3:Ol1I3/JEsa/fhf6lYxIl8rEXsxdwhml8XW3R2:KsOhR9Il8dMhm93w
MD5:	263B1B81D2FFECB2CEE00EB5D6C500D3
SHA1:	653A2564AD30E870CEA7695EBB8B7C25AB7C43DB
SHA-256:	D02ACF7DCAAE4C5888A7AF95173B104444D08D0675E4A0566B5020BDEC3A32F7
SHA-512:	E9ED80AB89AFF5F1F4DF4E9D0B6AE7BA5C8AC9D0E5EDF00FEA42669D20CD34E5CFCE07A96A7F81F40F36BB457C2E0D655AD1AE7847F2DD9AA774964909BAA2B0
Malicious:	false
Preview:	7....-............[i.R.:?"..2u6^..........[i.R.:...?....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs-1.js

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1743), with CRLF line terminators
Category:	dropped
Size (bytes):	13187
Entropy (8bit):	5.478526700172053
Encrypted:	false
SSDEEP:	192:tsf1ohcyAnPOeRnLYbBp6jJ0aX+oa6SEXK+zKPSUNB25RHWNBw8d2Sl:iDeuJUUu5wHEwV0
MD5:	ACB89F9A4AEA745FDF2071BECCB80CB0
SHA1:	EDC14E609CF4051F98641EB51380EC6F175FD805
SHA-256:	804E91D95A3A7EB4322498D23B38EB2DCE63E898B01201DDDEC45C48A3DAA25D
SHA-512:	79DE9F17FC1B544856B47755DCD56B5D33839967CB58E719EB4FB45A2B40F9405A5F8B25CE9121D098CAEC1A3A9F5E1A54C2CB0DEE6294F13A0F4A089ABF76BD
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "9e34c6e7-cbed-40a0-ba63-35488e171013");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1729860792);..user_pref("app.update.lastUpdateTime.background-update-timer", 1729860792);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1729860792);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 172986

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1743), with CRLF line terminators
Category:	dropped
Size (bytes):	13187
Entropy (8bit):	5.478526700172053
Encrypted:	false
SSDEEP:	192:tsf1ohcyAnPOeRnLYbBp6jJ0aX+oa6SEXK+zKPSUNB25RHWNBw8d2Sl:iDeuJUUu5wHEwV0
MD5:	ACB89F9A4AEA745FDF2071BECCB80CB0
SHA1:	EDC14E609CF4051F98641EB51380EC6F175FD805
SHA-256:	804E91D95A3A7EB4322498D23B38EB2DCE63E898B01201DDDEC45C48A3DAA25D
SHA-512:	79DE9F17FC1B544856B47755DCD56B5D33839967CB58E719EB4FB45A2B40F9405A5F8B25CE9121D098CAEC1A3A9F5E1A54C2CB0DEE6294F13A0F4A089ABF76BD
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "9e34c6e7-cbed-40a0-ba63-35488e171013");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1729860792);..user_pref("app.update.lastUpdateTime.background-update-timer", 1729860792);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1729860792);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 172986

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\protections.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 1, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 2, cookie 0x1, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.04062825861060003
Encrypted:	false
SSDEEP:	3:lSGBl/l/zl9l/AltllPltlnKollzvulJOlzALRWemFxu7TuRjBFbrl58lcV+wgn8:ltBl/lqN1K4BEJYqWvLue3FMOrMZ0l
MD5:	60C09456D6362C6FBED48C69AA342C3C
SHA1:	58B6E22DAA48C75958B429F662DEC1C011AE74D3
SHA-256:	FE1A432A2CD096B7EEA870D46D07F5197E34B4D10666E6E1C357FAA3F2FE2389
SHA-512:	936DBC887276EF07732783B50EAFE450A8598B0492B8F6C838B337EF3E8A6EA595E7C7A2FA4B3E881887FAAE2D207B953A4C65ED8C964D93118E00D3E03882BD
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......x..x..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionCheckpoints.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionCheckpoints.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionstore-backups\recovery.baklz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1566
Entropy (8bit):	6.34438730042615
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSOXLXnIrWi/pnxQwRcrT5sKmgb0s3eHVpjO+DamhujJwO2c0TiVm0D:GUpOxpXl6nRchegz3erjxD4Jwc3zBtT
MD5:	6590B26F1BFA5630A70EC95C498E8CD9
SHA1:	6CFB73B343587A2F4D70BA1CB48B452120EEA1BB
SHA-256:	B4B65340CFC44E507467EC69C6ADC3015A17004E4A813201B884FB20F5E378AD
SHA-512:	C6E296087EE0064C880A8E039982C4AFF124EAF5AFEA99BA3155F9D20A155873AA9DD068DCBFC852A603320EE0153B8A408A6A014EA2ED9045117DE2B72D2E27
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":7,"docshellUU...D"{87bca2c0-2a6a-459c-a513-199fa939a293}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":8,"persistK..+}],"lastAccessed":1729860796854,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2150633470...dth":116....eight":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...98952893-68ff-4a5d-a164-705c709ed3db","zD..1...Wm..l........j..:....1":{..jUpdate...5,"startTim..P62442...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...'b03116d8508741e1c0453eca6046028f71c7c2b904be5e0a0d4686...b1764f","pa..p"/","na..a"taarI\|.Tecure2..C.Donly..fexpiry...66335,"originA...."fi

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionstore-backups\recovery.jsonlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1566
Entropy (8bit):	6.34438730042615
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSOXLXnIrWi/pnxQwRcrT5sKmgb0s3eHVpjO+DamhujJwO2c0TiVm0D:GUpOxpXl6nRchegz3erjxD4Jwc3zBtT
MD5:	6590B26F1BFA5630A70EC95C498E8CD9
SHA1:	6CFB73B343587A2F4D70BA1CB48B452120EEA1BB
SHA-256:	B4B65340CFC44E507467EC69C6ADC3015A17004E4A813201B884FB20F5E378AD
SHA-512:	C6E296087EE0064C880A8E039982C4AFF124EAF5AFEA99BA3155F9D20A155873AA9DD068DCBFC852A603320EE0153B8A408A6A014EA2ED9045117DE2B72D2E27
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":7,"docshellUU...D"{87bca2c0-2a6a-459c-a513-199fa939a293}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":8,"persistK..+}],"lastAccessed":1729860796854,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2150633470...dth":116....eight":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...98952893-68ff-4a5d-a164-705c709ed3db","zD..1...Wm..l........j..:....1":{..jUpdate...5,"startTim..P62442...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...'b03116d8508741e1c0453eca6046028f71c7c2b904be5e0a0d4686...b1764f","pa..p"/","na..a"taarI\|.Tecure2..C.Donly..fexpiry...66335,"originA...."fi

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionstore-backups\recovery.jsonlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1566
Entropy (8bit):	6.34438730042615
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSOXLXnIrWi/pnxQwRcrT5sKmgb0s3eHVpjO+DamhujJwO2c0TiVm0D:GUpOxpXl6nRchegz3erjxD4Jwc3zBtT
MD5:	6590B26F1BFA5630A70EC95C498E8CD9
SHA1:	6CFB73B343587A2F4D70BA1CB48B452120EEA1BB
SHA-256:	B4B65340CFC44E507467EC69C6ADC3015A17004E4A813201B884FB20F5E378AD
SHA-512:	C6E296087EE0064C880A8E039982C4AFF124EAF5AFEA99BA3155F9D20A155873AA9DD068DCBFC852A603320EE0153B8A408A6A014EA2ED9045117DE2B72D2E27
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":7,"docshellUU...D"{87bca2c0-2a6a-459c-a513-199fa939a293}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":8,"persistK..+}],"lastAccessed":1729860796854,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2150633470...dth":116....eight":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...98952893-68ff-4a5d-a164-705c709ed3db","zD..1...Wm..l........j..:....1":{..jUpdate...5,"startTim..P62442...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...'b03116d8508741e1c0453eca6046028f71c7c2b904be5e0a0d4686...b1764f","pa..p"/","na..a"taarI\|.Tecure2..C.Donly..fexpiry...66335,"originA...."fi

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 131075, last written using SQLite version 3042000, page size 512, file counter 6, database pages 8, cookie 0x4, schema 4, UTF-8, version-valid-for 6
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	2.0836444556178684
Encrypted:	false
SSDEEP:	24:JBwdh/cEUcR9PzNFPFHx/GJRBdkOrDcRB1trwDeAq2gRMyxr3:jnEUo9LXtR+JdkOnohYsl
MD5:	8B40B1534FF0F4B533AF767EB5639A05
SHA1:	63EDB539EA39AD09D701A36B535C4C087AE08CC9
SHA-256:	AF275A19A5C2C682139266065D90C237282274D11C5619A121B7BDBDB252861B
SHA-512:	54AF707698CED33C206B1B193DA414D630901762E88E37E99885A50D4D5F8DDC28367C9B401DFE251CF0552B4FA446EE28F78A97C9096AFB0F2898BFBB673B53
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\targeting.snapshot.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.03103458877268
Encrypted:	false
SSDEEP:	96:ycOMTEr5/lLmI2Ac1zzcxvbw6Kkgrc2Rn27:lTEr5NX0z3DhRe
MD5:	88804E7F760C5D104A85B98088C2261D
SHA1:	47910915088AD11CED868DB13A3FC8ECCC48305E
SHA-256:	FE9E62CEBA13CADB4FE04BCFBEE780E1F18BD61CB6F2C40F117600DD01B204C1
SHA-512:	450A971384601C391D58CF903392A2593224AD5D1D1A1192AE83811E19CCE30FA4D845FDD67FDBE548275CA819B0879A4EA35E96CDACA03BC2A4A6A15EDFBA3D
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-10-25T12:52:58.576Z","profileAgeCreated":1696426830133,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\targeting.snapshot.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.03103458877268
Encrypted:	false
SSDEEP:	96:ycOMTEr5/lLmI2Ac1zzcxvbw6Kkgrc2Rn27:lTEr5NX0z3DhRe
MD5:	88804E7F760C5D104A85B98088C2261D
SHA1:	47910915088AD11CED868DB13A3FC8ECCC48305E
SHA-256:	FE9E62CEBA13CADB4FE04BCFBEE780E1F18BD61CB6F2C40F117600DD01B204C1
SHA-512:	450A971384601C391D58CF903392A2593224AD5D1D1A1192AE83811E19CCE30FA4D845FDD67FDBE548275CA819B0879A4EA35E96CDACA03BC2A4A6A15EDFBA3D
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-10-25T12:52:58.576Z","profileAgeCreated":1696426830133,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.584686941340503
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	919'552 bytes
MD5:	e2e50901ca2c794cb21bc264f810225d
SHA1:	e979f4725058a44c870160dfe8f0d819b39ab676
SHA256:	173da04353e5305908e799c0f66b6697ce67ec67d80313677130386ec6c78aed
SHA512:	05d16aafcdff37e0e3599c4d49eac972fd902ab74f8e27d744f73893f511e6afcdcfa06d318bfc1ad6279ca0d636a5b2497f5994b146442d8509867db22d2316
SSDEEP:	12288:mqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDga/Td:mqDEvCTbMWu7rQYlBQcBiT6rprG8abd
TLSH:	10159E0273D1C062FFAB92334B5AF6515BBC69260123E61F13981DB9BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x671B818D [Fri Oct 25 11:31:25 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007FED78FAB7F3h
jmp 00007FED78FAB0FFh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FED78FAB2DDh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FED78FAB2AAh
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007FED78FADE9Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007FED78FADEE8h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007FED78FADED1h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x9c28	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xde000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x9c28	0x9e00	189f4da612e4aa0e5ddb8611b77b3119	False	0.31561511075949367	data	5.37360735696137	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xde000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0xef0	data			1.0028765690376569
RT_GROUP_ICON	0xdd6a8	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xdd720	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xdd734	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xdd748	0x14	data	English	Great Britain	1.25
RT_VERSION	0xdd75c	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xdd838	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 25, 2024 13:50:06.310271978 CEST	49712	443	192.168.2.5	35.190.72.216
Oct 25, 2024 13:50:06.310322046 CEST	443	49712	35.190.72.216	192.168.2.5
Oct 25, 2024 13:50:06.319617033 CEST	49712	443	192.168.2.5	35.190.72.216
Oct 25, 2024 13:50:06.327028036 CEST	49712	443	192.168.2.5	35.190.72.216
Oct 25, 2024 13:50:06.327055931 CEST	443	49712	35.190.72.216	192.168.2.5
Oct 25, 2024 13:50:06.881633997 CEST	49713	443	192.168.2.5	142.250.184.238
Oct 25, 2024 13:50:06.881685019 CEST	443	49713	142.250.184.238	192.168.2.5
Oct 25, 2024 13:50:06.882623911 CEST	49713	443	192.168.2.5	142.250.184.238
Oct 25, 2024 13:50:06.883513927 CEST	49713	443	192.168.2.5	142.250.184.238
Oct 25, 2024 13:50:06.883527994 CEST	443	49713	142.250.184.238	192.168.2.5
Oct 25, 2024 13:50:06.935739040 CEST	49714	443	192.168.2.5	142.250.184.238
Oct 25, 2024 13:50:06.935791016 CEST	443	49714	142.250.184.238	192.168.2.5
Oct 25, 2024 13:50:06.938838005 CEST	49714	443	192.168.2.5	142.250.184.238
Oct 25, 2024 13:50:06.940304041 CEST	49714	443	192.168.2.5	142.250.184.238
Oct 25, 2024 13:50:06.940323114 CEST	443	49714	142.250.184.238	192.168.2.5
Oct 25, 2024 13:50:06.941792011 CEST	49715	80	192.168.2.5	34.107.221.82
Oct 25, 2024 13:50:06.943099976 CEST	443	49712	35.190.72.216	192.168.2.5
Oct 25, 2024 13:50:06.943120003 CEST	443	49712	35.190.72.216	192.168.2.5
Oct 25, 2024 13:50:06.946940899 CEST	49712	443	192.168.2.5	35.190.72.216
Oct 25, 2024 13:50:06.947350025 CEST	80	49715	34.107.221.82	192.168.2.5
Oct 25, 2024 13:50:06.954374075 CEST	49715	80	192.168.2.5	34.107.221.82
Oct 25, 2024 13:50:06.954994917 CEST	49715	80	192.168.2.5	34.107.221.82
Oct 25, 2024 13:50:06.957282066 CEST	49712	443	192.168.2.5	35.190.72.216
Oct 25, 2024 13:50:06.957333088 CEST	443	49712	35.190.72.216	192.168.2.5
Oct 25, 2024 13:50:06.957401037 CEST	49712	443	192.168.2.5	35.190.72.216
Oct 25, 2024 13:50:06.957945108 CEST	443	49712	35.190.72.216	192.168.2.5
Oct 25, 2024 13:50:06.958764076 CEST	49712	443	192.168.2.5	35.190.72.216
Oct 25, 2024 13:50:06.960472107 CEST	80	49715	34.107.221.82	192.168.2.5
Oct 25, 2024 13:50:07.262969017 CEST	49716	443	192.168.2.5	34.117.188.166
Oct 25, 2024 13:50:07.263057947 CEST	443	49716	34.117.188.166	192.168.2.5
Oct 25, 2024 13:50:07.264731884 CEST	49716	443	192.168.2.5	34.117.188.166
Oct 25, 2024 13:50:07.266287088 CEST	49716	443	192.168.2.5	34.117.188.166
Oct 25, 2024 13:50:07.266371012 CEST	443	49716	34.117.188.166	192.168.2.5
Oct 25, 2024 13:50:07.450802088 CEST	49717	443	192.168.2.5	34.117.188.166
Oct 25, 2024 13:50:07.450824976 CEST	443	49717	34.117.188.166	192.168.2.5
Oct 25, 2024 13:50:07.451670885 CEST	49717	443	192.168.2.5	34.117.188.166
Oct 25, 2024 13:50:07.453003883 CEST	49717	443	192.168.2.5	34.117.188.166
Oct 25, 2024 13:50:07.453016996 CEST	443	49717	34.117.188.166	192.168.2.5
Oct 25, 2024 13:50:07.453598022 CEST	49718	443	192.168.2.5	35.244.181.201
Oct 25, 2024 13:50:07.453608990 CEST	443	49718	35.244.181.201	192.168.2.5
Oct 25, 2024 13:50:07.454068899 CEST	49718	443	192.168.2.5	35.244.181.201
Oct 25, 2024 13:50:07.454186916 CEST	49718	443	192.168.2.5	35.244.181.201
Oct 25, 2024 13:50:07.454193115 CEST	443	49718	35.244.181.201	192.168.2.5
Oct 25, 2024 13:50:07.560718060 CEST	80	49715	34.107.221.82	192.168.2.5
Oct 25, 2024 13:50:07.572928905 CEST	49719	443	192.168.2.5	34.160.144.191
Oct 25, 2024 13:50:07.573010921 CEST	443	49719	34.160.144.191	192.168.2.5
Oct 25, 2024 13:50:07.573930979 CEST	49719	443	192.168.2.5	34.160.144.191
Oct 25, 2024 13:50:07.574059010 CEST	49719	443	192.168.2.5	34.160.144.191
Oct 25, 2024 13:50:07.574079037 CEST	443	49719	34.160.144.191	192.168.2.5
Oct 25, 2024 13:50:07.625087023 CEST	49715	80	192.168.2.5	34.107.221.82
Oct 25, 2024 13:50:07.705162048 CEST	49720	80	192.168.2.5	34.107.221.82
Oct 25, 2024 13:50:07.710450888 CEST	80	49720	34.107.221.82	192.168.2.5
Oct 25, 2024 13:50:07.710556030 CEST	49720	80	192.168.2.5	34.107.221.82
Oct 25, 2024 13:50:07.710675001 CEST	49720	80	192.168.2.5	34.107.221.82
Oct 25, 2024 13:50:07.715917110 CEST	80	49720	34.107.221.82	192.168.2.5
Oct 25, 2024 13:50:07.814034939 CEST	443	49714	142.250.184.238	192.168.2.5
Oct 25, 2024 13:50:07.814199924 CEST	49714	443	192.168.2.5	142.250.184.238
Oct 25, 2024 13:50:07.815546989 CEST	443	49714	142.250.184.238	192.168.2.5
Oct 25, 2024 13:50:07.816137075 CEST	49714	443	192.168.2.5	142.250.184.238
Oct 25, 2024 13:50:07.819076061 CEST	49714	443	192.168.2.5	142.250.184.238
Oct 25, 2024 13:50:07.819084883 CEST	443	49714	142.250.184.238	192.168.2.5
Oct 25, 2024 13:50:07.819174051 CEST	49714	443	192.168.2.5	142.250.184.238
Oct 25, 2024 13:50:07.819749117 CEST	443	49714	142.250.184.238	192.168.2.5
Oct 25, 2024 13:50:07.819997072 CEST	49714	443	192.168.2.5	142.250.184.238
Oct 25, 2024 13:50:07.887804031 CEST	443	49716	34.117.188.166	192.168.2.5
Oct 25, 2024 13:50:07.888175964 CEST	49716	443	192.168.2.5	34.117.188.166
Oct 25, 2024 13:50:07.892518044 CEST	443	49713	142.250.184.238	192.168.2.5
Oct 25, 2024 13:50:07.893527985 CEST	443	49713	142.250.184.238	192.168.2.5
Oct 25, 2024 13:50:07.899785995 CEST	49716	443	192.168.2.5	34.117.188.166
Oct 25, 2024 13:50:07.899816990 CEST	443	49716	34.117.188.166	192.168.2.5
Oct 25, 2024 13:50:07.899914980 CEST	49716	443	192.168.2.5	34.117.188.166
Oct 25, 2024 13:50:07.900207996 CEST	443	49716	34.117.188.166	192.168.2.5
Oct 25, 2024 13:50:07.900389910 CEST	49721	443	192.168.2.5	34.117.188.166
Oct 25, 2024 13:50:07.900438070 CEST	443	49721	34.117.188.166	192.168.2.5
Oct 25, 2024 13:50:07.903361082 CEST	443	49713	142.250.184.238	192.168.2.5
Oct 25, 2024 13:50:07.904789925 CEST	49716	443	192.168.2.5	34.117.188.166
Oct 25, 2024 13:50:07.904795885 CEST	49713	443	192.168.2.5	142.250.184.238
Oct 25, 2024 13:50:07.906189919 CEST	49721	443	192.168.2.5	34.117.188.166
Oct 25, 2024 13:50:07.908845901 CEST	49721	443	192.168.2.5	34.117.188.166
Oct 25, 2024 13:50:07.908865929 CEST	443	49721	34.117.188.166	192.168.2.5
Oct 25, 2024 13:50:07.911047935 CEST	49713	443	192.168.2.5	142.250.184.238
Oct 25, 2024 13:50:07.911072016 CEST	443	49713	142.250.184.238	192.168.2.5
Oct 25, 2024 13:50:07.911143064 CEST	49713	443	192.168.2.5	142.250.184.238
Oct 25, 2024 13:50:07.911356926 CEST	443	49713	142.250.184.238	192.168.2.5
Oct 25, 2024 13:50:07.911490917 CEST	49722	443	192.168.2.5	142.250.184.238
Oct 25, 2024 13:50:07.911575079 CEST	443	49722	142.250.184.238	192.168.2.5
Oct 25, 2024 13:50:07.911667109 CEST	49713	443	192.168.2.5	142.250.184.238
Oct 25, 2024 13:50:07.911715031 CEST	49722	443	192.168.2.5	142.250.184.238
Oct 25, 2024 13:50:07.912985086 CEST	49722	443	192.168.2.5	142.250.184.238
Oct 25, 2024 13:50:07.913017035 CEST	443	49722	142.250.184.238	192.168.2.5
Oct 25, 2024 13:50:08.077531099 CEST	443	49717	34.117.188.166	192.168.2.5
Oct 25, 2024 13:50:08.078165054 CEST	49717	443	192.168.2.5	34.117.188.166
Oct 25, 2024 13:50:08.080498934 CEST	443	49718	35.244.181.201	192.168.2.5
Oct 25, 2024 13:50:08.086352110 CEST	49718	443	192.168.2.5	35.244.181.201
Oct 25, 2024 13:50:08.132793903 CEST	49718	443	192.168.2.5	35.244.181.201
Oct 25, 2024 13:50:08.132816076 CEST	443	49718	35.244.181.201	192.168.2.5
Oct 25, 2024 13:50:08.133707047 CEST	443	49718	35.244.181.201	192.168.2.5
Oct 25, 2024 13:50:08.175380945 CEST	49717	443	192.168.2.5	34.117.188.166
Oct 25, 2024 13:50:08.175390005 CEST	443	49717	34.117.188.166	192.168.2.5
Oct 25, 2024 13:50:08.175493956 CEST	49717	443	192.168.2.5	34.117.188.166
Oct 25, 2024 13:50:08.175667048 CEST	443	49717	34.117.188.166	192.168.2.5
Oct 25, 2024 13:50:08.175899982 CEST	49724	443	192.168.2.5	34.117.188.166
Oct 25, 2024 13:50:08.176009893 CEST	443	49724	34.117.188.166	192.168.2.5
Oct 25, 2024 13:50:08.178457022 CEST	49718	443	192.168.2.5	35.244.181.201
Oct 25, 2024 13:50:08.178522110 CEST	49718	443	192.168.2.5	35.244.181.201
Oct 25, 2024 13:50:08.179042101 CEST	443	49718	35.244.181.201	192.168.2.5
Oct 25, 2024 13:50:08.180553913 CEST	49717	443	192.168.2.5	34.117.188.166
Oct 25, 2024 13:50:08.180593014 CEST	49718	443	192.168.2.5	35.244.181.201
Oct 25, 2024 13:50:08.180943012 CEST	49724	443	192.168.2.5	34.117.188.166
Oct 25, 2024 13:50:08.181895971 CEST	49724	443	192.168.2.5	34.117.188.166
Oct 25, 2024 13:50:08.181936026 CEST	443	49724	34.117.188.166	192.168.2.5
Oct 25, 2024 13:50:08.189049959 CEST	443	49719	34.160.144.191	192.168.2.5
Oct 25, 2024 13:50:08.189227104 CEST	49719	443	192.168.2.5	34.160.144.191
Oct 25, 2024 13:50:08.191654921 CEST	49719	443	192.168.2.5	34.160.144.191
Oct 25, 2024 13:50:08.191682100 CEST	443	49719	34.160.144.191	192.168.2.5
Oct 25, 2024 13:50:08.192090034 CEST	443	49719	34.160.144.191	192.168.2.5
Oct 25, 2024 13:50:08.194181919 CEST	49719	443	192.168.2.5	34.160.144.191
Oct 25, 2024 13:50:08.194251060 CEST	49719	443	192.168.2.5	34.160.144.191
Oct 25, 2024 13:50:08.194370985 CEST	443	49719	34.160.144.191	192.168.2.5
Oct 25, 2024 13:50:08.198585987 CEST	49719	443	192.168.2.5	34.160.144.191
Oct 25, 2024 13:50:08.201561928 CEST	49715	80	192.168.2.5	34.107.221.82
Oct 25, 2024 13:50:08.207252026 CEST	80	49715	34.107.221.82	192.168.2.5
Oct 25, 2024 13:50:08.207480907 CEST	49715	80	192.168.2.5	34.107.221.82
Oct 25, 2024 13:50:08.249622107 CEST	49725	80	192.168.2.5	34.107.221.82
Oct 25, 2024 13:50:08.255876064 CEST	80	49725	34.107.221.82	192.168.2.5
Oct 25, 2024 13:50:08.256370068 CEST	49725	80	192.168.2.5	34.107.221.82
Oct 25, 2024 13:50:08.256567955 CEST	49725	80	192.168.2.5	34.107.221.82
Oct 25, 2024 13:50:08.262550116 CEST	80	49725	34.107.221.82	192.168.2.5
Oct 25, 2024 13:50:08.306524038 CEST	80	49720	34.107.221.82	192.168.2.5
Oct 25, 2024 13:50:08.306759119 CEST	49720	80	192.168.2.5	34.107.221.82
Oct 25, 2024 13:50:08.312460899 CEST	80	49720	34.107.221.82	192.168.2.5
Oct 25, 2024 13:50:08.312521935 CEST	49720	80	192.168.2.5	34.107.221.82
Oct 25, 2024 13:50:08.525116920 CEST	443	49721	34.117.188.166	192.168.2.5
Oct 25, 2024 13:50:08.525279999 CEST	49721	443	192.168.2.5	34.117.188.166
Oct 25, 2024 13:50:08.529967070 CEST	49721	443	192.168.2.5	34.117.188.166
Oct 25, 2024 13:50:08.529993057 CEST	443	49721	34.117.188.166	192.168.2.5
Oct 25, 2024 13:50:08.530039072 CEST	49721	443	192.168.2.5	34.117.188.166
Oct 25, 2024 13:50:08.530447960 CEST	443	49721	34.117.188.166	192.168.2.5
Oct 25, 2024 13:50:08.534210920 CEST	49721	443	192.168.2.5	34.117.188.166
Oct 25, 2024 13:50:09.801433086 CEST	80	49725	34.107.221.82	192.168.2.5
Oct 25, 2024 13:50:09.802716970 CEST	80	49725	34.107.221.82	192.168.2.5
Oct 25, 2024 13:50:09.802783012 CEST	80	49725	34.107.221.82	192.168.2.5
Oct 25, 2024 13:50:09.802937031 CEST	80	49725	34.107.221.82	192.168.2.5
Oct 25, 2024 13:50:09.803320885 CEST	49725	80	192.168.2.5	34.107.221.82
Oct 25, 2024 13:50:09.803347111 CEST	49725	80	192.168.2.5	34.107.221.82
Oct 25, 2024 13:50:09.803347111 CEST	49725	80	192.168.2.5	34.107.221.82
Oct 25, 2024 13:50:09.805804014 CEST	443	49722	142.250.184.238	192.168.2.5
Oct 25, 2024 13:50:09.806819916 CEST	443	49722	142.250.184.238	192.168.2.5
Oct 25, 2024 13:50:09.807890892 CEST	49722	443	192.168.2.5	142.250.184.238
Oct 25, 2024 13:50:09.807951927 CEST	443	49722	142.250.184.238	192.168.2.5
Oct 25, 2024 13:50:09.812872887 CEST	443	49724	34.117.188.166	192.168.2.5
Oct 25, 2024 13:50:09.812947035 CEST	49724	443	192.168.2.5	34.117.188.166
Oct 25, 2024 13:50:09.831190109 CEST	49726	80	192.168.2.5	34.107.221.82
Oct 25, 2024 13:50:09.832597971 CEST	49722	443	192.168.2.5	142.250.184.238
Oct 25, 2024 13:50:09.832657099 CEST	443	49722	142.250.184.238	192.168.2.5
Oct 25, 2024 13:50:09.832782984 CEST	49722	443	192.168.2.5	142.250.184.238
Oct 25, 2024 13:50:09.832906961 CEST	443	49722	142.250.184.238	192.168.2.5
Oct 25, 2024 13:50:09.833154917 CEST	49724	443	192.168.2.5	34.117.188.166
Oct 25, 2024 13:50:09.833178043 CEST	443	49724	34.117.188.166	192.168.2.5
Oct 25, 2024 13:50:09.833265066 CEST	49724	443	192.168.2.5	34.117.188.166
Oct 25, 2024 13:50:09.835556030 CEST	443	49724	34.117.188.166	192.168.2.5
Oct 25, 2024 13:50:09.836699963 CEST	80	49726	34.107.221.82	192.168.2.5
Oct 25, 2024 13:50:09.838295937 CEST	49722	443	192.168.2.5	142.250.184.238
Oct 25, 2024 13:50:09.838308096 CEST	49724	443	192.168.2.5	34.117.188.166
Oct 25, 2024 13:50:09.838375092 CEST	49726	80	192.168.2.5	34.107.221.82
Oct 25, 2024 13:50:09.838479042 CEST	49726	80	192.168.2.5	34.107.221.82
Oct 25, 2024 13:50:09.843360901 CEST	49727	443	192.168.2.5	34.117.188.166
Oct 25, 2024 13:50:09.843446016 CEST	443	49727	34.117.188.166	192.168.2.5
Oct 25, 2024 13:50:09.844161987 CEST	80	49726	34.107.221.82	192.168.2.5
Oct 25, 2024 13:50:09.844961882 CEST	49727	443	192.168.2.5	34.117.188.166
Oct 25, 2024 13:50:09.846260071 CEST	49727	443	192.168.2.5	34.117.188.166
Oct 25, 2024 13:50:09.846309900 CEST	443	49727	34.117.188.166	192.168.2.5
Oct 25, 2024 13:50:09.850771904 CEST	49725	80	192.168.2.5	34.107.221.82
Oct 25, 2024 13:50:09.856162071 CEST	80	49725	34.107.221.82	192.168.2.5
Oct 25, 2024 13:50:09.881052971 CEST	49729	443	192.168.2.5	35.244.181.201
Oct 25, 2024 13:50:09.881135941 CEST	443	49729	35.244.181.201	192.168.2.5
Oct 25, 2024 13:50:09.881489038 CEST	49729	443	192.168.2.5	35.244.181.201
Oct 25, 2024 13:50:09.881598949 CEST	49729	443	192.168.2.5	35.244.181.201
Oct 25, 2024 13:50:09.881629944 CEST	443	49729	35.244.181.201	192.168.2.5
Oct 25, 2024 13:50:09.883898973 CEST	49730	443	192.168.2.5	34.120.208.123
Oct 25, 2024 13:50:09.883944988 CEST	443	49730	34.120.208.123	192.168.2.5
Oct 25, 2024 13:50:09.884162903 CEST	49730	443	192.168.2.5	34.120.208.123
Oct 25, 2024 13:50:09.885565042 CEST	49730	443	192.168.2.5	34.120.208.123
Oct 25, 2024 13:50:09.885585070 CEST	443	49730	34.120.208.123	192.168.2.5
Oct 25, 2024 13:50:09.887365103 CEST	49731	443	192.168.2.5	34.149.100.209
Oct 25, 2024 13:50:09.887423992 CEST	443	49731	34.149.100.209	192.168.2.5
Oct 25, 2024 13:50:09.887525082 CEST	49731	443	192.168.2.5	34.149.100.209
Oct 25, 2024 13:50:09.888875008 CEST	49731	443	192.168.2.5	34.149.100.209
Oct 25, 2024 13:50:09.888902903 CEST	443	49731	34.149.100.209	192.168.2.5
Oct 25, 2024 13:50:09.976145029 CEST	80	49725	34.107.221.82	192.168.2.5
Oct 25, 2024 13:50:10.043333054 CEST	49725	80	192.168.2.5	34.107.221.82
Oct 25, 2024 13:50:10.457397938 CEST	80	49726	34.107.221.82	192.168.2.5
Oct 25, 2024 13:50:10.476826906 CEST	443	49727	34.117.188.166	192.168.2.5
Oct 25, 2024 13:50:10.477042913 CEST	49727	443	192.168.2.5	34.117.188.166
Oct 25, 2024 13:50:10.496016026 CEST	443	49729	35.244.181.201	192.168.2.5
Oct 25, 2024 13:50:10.503375053 CEST	443	49729	35.244.181.201	192.168.2.5
Oct 25, 2024 13:50:10.506762981 CEST	49729	443	192.168.2.5	35.244.181.201
Oct 25, 2024 13:50:10.507466078 CEST	443	49731	34.149.100.209	192.168.2.5
Oct 25, 2024 13:50:10.509413958 CEST	443	49730	34.120.208.123	192.168.2.5
Oct 25, 2024 13:50:10.515342951 CEST	443	49731	34.149.100.209	192.168.2.5
Oct 25, 2024 13:50:10.515343904 CEST	443	49730	34.120.208.123	192.168.2.5
Oct 25, 2024 13:50:10.520394087 CEST	49730	443	192.168.2.5	34.120.208.123
Oct 25, 2024 13:50:10.520430088 CEST	49731	443	192.168.2.5	34.149.100.209
Oct 25, 2024 13:50:10.520793915 CEST	49730	443	192.168.2.5	34.120.208.123
Oct 25, 2024 13:50:10.520802975 CEST	49731	443	192.168.2.5	34.149.100.209
Oct 25, 2024 13:50:10.522219896 CEST	49726	80	192.168.2.5	34.107.221.82
Oct 25, 2024 13:50:10.694956064 CEST	49729	443	192.168.2.5	35.244.181.201
Oct 25, 2024 13:50:10.694988012 CEST	443	49729	35.244.181.201	192.168.2.5
Oct 25, 2024 13:50:10.696068048 CEST	443	49729	35.244.181.201	192.168.2.5
Oct 25, 2024 13:50:10.708220005 CEST	49727	443	192.168.2.5	34.117.188.166
Oct 25, 2024 13:50:10.708244085 CEST	443	49727	34.117.188.166	192.168.2.5
Oct 25, 2024 13:50:10.708350897 CEST	49727	443	192.168.2.5	34.117.188.166
Oct 25, 2024 13:50:10.708589077 CEST	49729	443	192.168.2.5	35.244.181.201
Oct 25, 2024 13:50:10.708753109 CEST	49729	443	192.168.2.5	35.244.181.201
Oct 25, 2024 13:50:10.708935022 CEST	443	49727	34.117.188.166	192.168.2.5
Oct 25, 2024 13:50:10.710130930 CEST	443	49729	35.244.181.201	192.168.2.5
Oct 25, 2024 13:50:10.710935116 CEST	49730	443	192.168.2.5	34.120.208.123
Oct 25, 2024 13:50:10.710935116 CEST	49730	443	192.168.2.5	34.120.208.123
Oct 25, 2024 13:50:10.710947037 CEST	443	49730	34.120.208.123	192.168.2.5
Oct 25, 2024 13:50:10.711136103 CEST	49731	443	192.168.2.5	34.149.100.209
Oct 25, 2024 13:50:10.711136103 CEST	49731	443	192.168.2.5	34.149.100.209
Oct 25, 2024 13:50:10.711164951 CEST	443	49731	34.149.100.209	192.168.2.5
Oct 25, 2024 13:50:10.711358070 CEST	49729	443	192.168.2.5	35.244.181.201
Oct 25, 2024 13:50:10.711385965 CEST	49727	443	192.168.2.5	34.117.188.166
Oct 25, 2024 13:50:10.711401939 CEST	49729	443	192.168.2.5	35.244.181.201
Oct 25, 2024 13:50:10.711898088 CEST	443	49731	34.149.100.209	192.168.2.5
Oct 25, 2024 13:50:10.712053061 CEST	49731	443	192.168.2.5	34.149.100.209
Oct 25, 2024 13:50:10.712471008 CEST	443	49730	34.120.208.123	192.168.2.5
Oct 25, 2024 13:50:10.712565899 CEST	49730	443	192.168.2.5	34.120.208.123
Oct 25, 2024 13:50:13.734338999 CEST	49734	443	192.168.2.5	34.107.243.93
Oct 25, 2024 13:50:13.734368086 CEST	443	49734	34.107.243.93	192.168.2.5
Oct 25, 2024 13:50:13.736785889 CEST	49734	443	192.168.2.5	34.107.243.93
Oct 25, 2024 13:50:13.738137960 CEST	49734	443	192.168.2.5	34.107.243.93
Oct 25, 2024 13:50:13.738164902 CEST	443	49734	34.107.243.93	192.168.2.5
Oct 25, 2024 13:50:13.795726061 CEST	49726	80	192.168.2.5	34.107.221.82
Oct 25, 2024 13:50:13.801243067 CEST	80	49726	34.107.221.82	192.168.2.5
Oct 25, 2024 13:50:13.855729103 CEST	49725	80	192.168.2.5	34.107.221.82
Oct 25, 2024 13:50:13.858716965 CEST	49735	443	192.168.2.5	34.120.208.123
Oct 25, 2024 13:50:13.858741045 CEST	443	49735	34.120.208.123	192.168.2.5
Oct 25, 2024 13:50:13.858982086 CEST	49736	443	192.168.2.5	34.120.208.123
Oct 25, 2024 13:50:13.859024048 CEST	443	49736	34.120.208.123	192.168.2.5
Oct 25, 2024 13:50:13.859846115 CEST	49735	443	192.168.2.5	34.120.208.123
Oct 25, 2024 13:50:13.859927893 CEST	49736	443	192.168.2.5	34.120.208.123
Oct 25, 2024 13:50:13.860063076 CEST	49735	443	192.168.2.5	34.120.208.123
Oct 25, 2024 13:50:13.860075951 CEST	443	49735	34.120.208.123	192.168.2.5
Oct 25, 2024 13:50:13.860156059 CEST	49736	443	192.168.2.5	34.120.208.123
Oct 25, 2024 13:50:13.860177040 CEST	443	49736	34.120.208.123	192.168.2.5
Oct 25, 2024 13:50:13.861977100 CEST	80	49725	34.107.221.82	192.168.2.5
Oct 25, 2024 13:50:13.867292881 CEST	49737	443	192.168.2.5	34.120.208.123
Oct 25, 2024 13:50:13.867328882 CEST	443	49737	34.120.208.123	192.168.2.5
Oct 25, 2024 13:50:13.867400885 CEST	49737	443	192.168.2.5	34.120.208.123
Oct 25, 2024 13:50:13.868769884 CEST	49737	443	192.168.2.5	34.120.208.123
Oct 25, 2024 13:50:13.868784904 CEST	443	49737	34.120.208.123	192.168.2.5
Oct 25, 2024 13:50:13.925431967 CEST	80	49726	34.107.221.82	192.168.2.5
Oct 25, 2024 13:50:13.982217073 CEST	49726	80	192.168.2.5	34.107.221.82
Oct 25, 2024 13:50:13.982439041 CEST	80	49725	34.107.221.82	192.168.2.5
Oct 25, 2024 13:50:13.986176014 CEST	49726	80	192.168.2.5	34.107.221.82
Oct 25, 2024 13:50:13.991647959 CEST	80	49726	34.107.221.82	192.168.2.5
Oct 25, 2024 13:50:14.029081106 CEST	49725	80	192.168.2.5	34.107.221.82
Oct 25, 2024 13:50:14.116405964 CEST	80	49726	34.107.221.82	192.168.2.5
Oct 25, 2024 13:50:14.182931900 CEST	49726	80	192.168.2.5	34.107.221.82
Oct 25, 2024 13:50:14.358841896 CEST	443	49734	34.107.243.93	192.168.2.5
Oct 25, 2024 13:50:14.361047983 CEST	49734	443	192.168.2.5	34.107.243.93
Oct 25, 2024 13:50:14.380703926 CEST	49734	443	192.168.2.5	34.107.243.93
Oct 25, 2024 13:50:14.380716085 CEST	443	49734	34.107.243.93	192.168.2.5
Oct 25, 2024 13:50:14.380804062 CEST	49734	443	192.168.2.5	34.107.243.93
Oct 25, 2024 13:50:14.381125927 CEST	443	49734	34.107.243.93	192.168.2.5
Oct 25, 2024 13:50:14.383405924 CEST	49734	443	192.168.2.5	34.107.243.93
Oct 25, 2024 13:50:14.384717941 CEST	49725	80	192.168.2.5	34.107.221.82
Oct 25, 2024 13:50:14.390230894 CEST	80	49725	34.107.221.82	192.168.2.5
Oct 25, 2024 13:50:14.465248108 CEST	443	49735	34.120.208.123	192.168.2.5
Oct 25, 2024 13:50:14.468470097 CEST	49735	443	192.168.2.5	34.120.208.123
Oct 25, 2024 13:50:14.470812082 CEST	443	49736	34.120.208.123	192.168.2.5
Oct 25, 2024 13:50:14.471848965 CEST	49735	443	192.168.2.5	34.120.208.123
Oct 25, 2024 13:50:14.471858978 CEST	443	49735	34.120.208.123	192.168.2.5
Oct 25, 2024 13:50:14.472062111 CEST	443	49735	34.120.208.123	192.168.2.5
Oct 25, 2024 13:50:14.472368956 CEST	49736	443	192.168.2.5	34.120.208.123
Oct 25, 2024 13:50:14.475351095 CEST	49736	443	192.168.2.5	34.120.208.123
Oct 25, 2024 13:50:14.475383997 CEST	443	49736	34.120.208.123	192.168.2.5
Oct 25, 2024 13:50:14.475857019 CEST	443	49736	34.120.208.123	192.168.2.5
Oct 25, 2024 13:50:14.477047920 CEST	443	49737	34.120.208.123	192.168.2.5
Oct 25, 2024 13:50:14.477122068 CEST	49737	443	192.168.2.5	34.120.208.123
Oct 25, 2024 13:50:14.510560989 CEST	80	49725	34.107.221.82	192.168.2.5
Oct 25, 2024 13:50:14.514974117 CEST	49735	443	192.168.2.5	34.120.208.123
Oct 25, 2024 13:50:14.515800953 CEST	49726	80	192.168.2.5	34.107.221.82
Oct 25, 2024 13:50:14.516223907 CEST	49737	443	192.168.2.5	34.120.208.123
Oct 25, 2024 13:50:14.516236067 CEST	443	49737	34.120.208.123	192.168.2.5
Oct 25, 2024 13:50:14.516350031 CEST	49737	443	192.168.2.5	34.120.208.123
Oct 25, 2024 13:50:14.516449928 CEST	49736	443	192.168.2.5	34.120.208.123
Oct 25, 2024 13:50:14.516470909 CEST	443	49737	34.120.208.123	192.168.2.5
Oct 25, 2024 13:50:14.516540051 CEST	49736	443	192.168.2.5	34.120.208.123
Oct 25, 2024 13:50:14.517088890 CEST	443	49736	34.120.208.123	192.168.2.5
Oct 25, 2024 13:50:14.517191887 CEST	49735	443	192.168.2.5	34.120.208.123
Oct 25, 2024 13:50:14.517278910 CEST	49735	443	192.168.2.5	34.120.208.123
Oct 25, 2024 13:50:14.517312050 CEST	443	49735	34.120.208.123	192.168.2.5
Oct 25, 2024 13:50:14.518249989 CEST	49737	443	192.168.2.5	34.120.208.123
Oct 25, 2024 13:50:14.518268108 CEST	49736	443	192.168.2.5	34.120.208.123
Oct 25, 2024 13:50:14.518275976 CEST	49735	443	192.168.2.5	34.120.208.123
Oct 25, 2024 13:50:14.521426916 CEST	49725	80	192.168.2.5	34.107.221.82
Oct 25, 2024 13:50:14.521487951 CEST	80	49726	34.107.221.82	192.168.2.5
Oct 25, 2024 13:50:14.523694038 CEST	49738	443	192.168.2.5	34.120.208.123
Oct 25, 2024 13:50:14.523706913 CEST	443	49738	34.120.208.123	192.168.2.5
Oct 25, 2024 13:50:14.523809910 CEST	49738	443	192.168.2.5	34.120.208.123
Oct 25, 2024 13:50:14.525099993 CEST	49738	443	192.168.2.5	34.120.208.123
Oct 25, 2024 13:50:14.525113106 CEST	443	49738	34.120.208.123	192.168.2.5
Oct 25, 2024 13:50:14.526866913 CEST	80	49725	34.107.221.82	192.168.2.5
Oct 25, 2024 13:50:14.645785093 CEST	80	49726	34.107.221.82	192.168.2.5
Oct 25, 2024 13:50:14.647239923 CEST	80	49725	34.107.221.82	192.168.2.5
Oct 25, 2024 13:50:14.650608063 CEST	49726	80	192.168.2.5	34.107.221.82
Oct 25, 2024 13:50:14.656119108 CEST	80	49726	34.107.221.82	192.168.2.5
Oct 25, 2024 13:50:14.699906111 CEST	49725	80	192.168.2.5	34.107.221.82
Oct 25, 2024 13:50:14.780311108 CEST	80	49726	34.107.221.82	192.168.2.5
Oct 25, 2024 13:50:14.835247040 CEST	49726	80	192.168.2.5	34.107.221.82
Oct 25, 2024 13:50:15.142486095 CEST	443	49738	34.120.208.123	192.168.2.5
Oct 25, 2024 13:50:15.147329092 CEST	443	49738	34.120.208.123	192.168.2.5
Oct 25, 2024 13:50:15.156879902 CEST	49738	443	192.168.2.5	34.120.208.123
Oct 25, 2024 13:50:15.890767097 CEST	49738	443	192.168.2.5	34.120.208.123
Oct 25, 2024 13:50:15.890794992 CEST	443	49738	34.120.208.123	192.168.2.5
Oct 25, 2024 13:50:15.890923023 CEST	49738	443	192.168.2.5	34.120.208.123
Oct 25, 2024 13:50:15.891103983 CEST	443	49738	34.120.208.123	192.168.2.5
Oct 25, 2024 13:50:15.894586086 CEST	49738	443	192.168.2.5	34.120.208.123
Oct 25, 2024 13:50:20.249420881 CEST	49725	80	192.168.2.5	34.107.221.82
Oct 25, 2024 13:50:20.254734039 CEST	80	49725	34.107.221.82	192.168.2.5
Oct 25, 2024 13:50:20.374982119 CEST	80	49725	34.107.221.82	192.168.2.5
Oct 25, 2024 13:50:20.427335978 CEST	49725	80	192.168.2.5	34.107.221.82
Oct 25, 2024 13:50:21.212132931 CEST	49726	80	192.168.2.5	34.107.221.82
Oct 25, 2024 13:50:21.217544079 CEST	80	49726	34.107.221.82	192.168.2.5
Oct 25, 2024 13:50:21.341784954 CEST	80	49726	34.107.221.82	192.168.2.5
Oct 25, 2024 13:50:21.397661924 CEST	49726	80	192.168.2.5	34.107.221.82
Oct 25, 2024 13:50:21.558485031 CEST	49773	443	192.168.2.5	34.107.243.93
Oct 25, 2024 13:50:21.558523893 CEST	443	49773	34.107.243.93	192.168.2.5
Oct 25, 2024 13:50:21.559587955 CEST	49773	443	192.168.2.5	34.107.243.93
Oct 25, 2024 13:50:22.010152102 CEST	49773	443	192.168.2.5	34.107.243.93
Oct 25, 2024 13:50:22.010171890 CEST	443	49773	34.107.243.93	192.168.2.5
Oct 25, 2024 13:50:22.095398903 CEST	49725	80	192.168.2.5	34.107.221.82
Oct 25, 2024 13:50:22.101006985 CEST	80	49725	34.107.221.82	192.168.2.5
Oct 25, 2024 13:50:22.226052999 CEST	80	49725	34.107.221.82	192.168.2.5
Oct 25, 2024 13:50:22.284646034 CEST	49725	80	192.168.2.5	34.107.221.82
Oct 25, 2024 13:50:22.291663885 CEST	49726	80	192.168.2.5	34.107.221.82
Oct 25, 2024 13:50:22.297074080 CEST	80	49726	34.107.221.82	192.168.2.5
Oct 25, 2024 13:50:22.421153069 CEST	80	49726	34.107.221.82	192.168.2.5
Oct 25, 2024 13:50:22.463067055 CEST	49726	80	192.168.2.5	34.107.221.82
Oct 25, 2024 13:50:23.564585924 CEST	443	49773	34.107.243.93	192.168.2.5
Oct 25, 2024 13:50:23.566328049 CEST	49773	443	192.168.2.5	34.107.243.93
Oct 25, 2024 13:50:23.573122978 CEST	49773	443	192.168.2.5	34.107.243.93
Oct 25, 2024 13:50:23.573133945 CEST	443	49773	34.107.243.93	192.168.2.5
Oct 25, 2024 13:50:23.573287964 CEST	49773	443	192.168.2.5	34.107.243.93
Oct 25, 2024 13:50:23.573307037 CEST	443	49773	34.107.243.93	192.168.2.5
Oct 25, 2024 13:50:23.578269005 CEST	49773	443	192.168.2.5	34.107.243.93
Oct 25, 2024 13:50:24.344928980 CEST	49725	80	192.168.2.5	34.107.221.82
Oct 25, 2024 13:50:24.350292921 CEST	80	49725	34.107.221.82	192.168.2.5
Oct 25, 2024 13:50:24.470278025 CEST	80	49725	34.107.221.82	192.168.2.5
Oct 25, 2024 13:50:24.522567034 CEST	49725	80	192.168.2.5	34.107.221.82
Oct 25, 2024 13:50:25.424180031 CEST	49726	80	192.168.2.5	34.107.221.82
Oct 25, 2024 13:50:25.429490089 CEST	80	49726	34.107.221.82	192.168.2.5
Oct 25, 2024 13:50:25.554053068 CEST	80	49726	34.107.221.82	192.168.2.5
Oct 25, 2024 13:50:25.594177008 CEST	49726	80	192.168.2.5	34.107.221.82
Oct 25, 2024 13:50:34.481952906 CEST	49725	80	192.168.2.5	34.107.221.82
Oct 25, 2024 13:50:34.487343073 CEST	80	49725	34.107.221.82	192.168.2.5
Oct 25, 2024 13:50:34.759403944 CEST	49839	443	192.168.2.5	34.107.243.93
Oct 25, 2024 13:50:34.759445906 CEST	443	49839	34.107.243.93	192.168.2.5
Oct 25, 2024 13:50:34.759582996 CEST	49839	443	192.168.2.5	34.107.243.93
Oct 25, 2024 13:50:34.760974884 CEST	49839	443	192.168.2.5	34.107.243.93
Oct 25, 2024 13:50:34.760994911 CEST	443	49839	34.107.243.93	192.168.2.5
Oct 25, 2024 13:50:35.073905945 CEST	49841	443	192.168.2.5	35.244.181.201
Oct 25, 2024 13:50:35.073936939 CEST	443	49841	35.244.181.201	192.168.2.5
Oct 25, 2024 13:50:35.079515934 CEST	49842	443	192.168.2.5	35.190.72.216
Oct 25, 2024 13:50:35.079576969 CEST	443	49842	35.190.72.216	192.168.2.5
Oct 25, 2024 13:50:35.083857059 CEST	49841	443	192.168.2.5	35.244.181.201
Oct 25, 2024 13:50:35.083865881 CEST	49842	443	192.168.2.5	35.190.72.216
Oct 25, 2024 13:50:35.084233999 CEST	49841	443	192.168.2.5	35.244.181.201
Oct 25, 2024 13:50:35.084254026 CEST	443	49841	35.244.181.201	192.168.2.5
Oct 25, 2024 13:50:35.085669041 CEST	49842	443	192.168.2.5	35.190.72.216
Oct 25, 2024 13:50:35.085695028 CEST	443	49842	35.190.72.216	192.168.2.5
Oct 25, 2024 13:50:35.089725971 CEST	49843	443	192.168.2.5	34.149.100.209
Oct 25, 2024 13:50:35.089750051 CEST	443	49843	34.149.100.209	192.168.2.5
Oct 25, 2024 13:50:35.090141058 CEST	49844	443	192.168.2.5	151.101.129.91
Oct 25, 2024 13:50:35.090183020 CEST	443	49844	151.101.129.91	192.168.2.5
Oct 25, 2024 13:50:35.093585014 CEST	49843	443	192.168.2.5	34.149.100.209
Oct 25, 2024 13:50:35.093642950 CEST	49844	443	192.168.2.5	151.101.129.91
Oct 25, 2024 13:50:35.093866110 CEST	49843	443	192.168.2.5	34.149.100.209
Oct 25, 2024 13:50:35.093888044 CEST	443	49843	34.149.100.209	192.168.2.5
Oct 25, 2024 13:50:35.093961954 CEST	49844	443	192.168.2.5	151.101.129.91
Oct 25, 2024 13:50:35.093980074 CEST	443	49844	151.101.129.91	192.168.2.5
Oct 25, 2024 13:50:35.094909906 CEST	49845	443	192.168.2.5	35.201.103.21
Oct 25, 2024 13:50:35.094944000 CEST	443	49845	35.201.103.21	192.168.2.5
Oct 25, 2024 13:50:35.099374056 CEST	49845	443	192.168.2.5	35.201.103.21
Oct 25, 2024 13:50:35.101094007 CEST	49845	443	192.168.2.5	35.201.103.21
Oct 25, 2024 13:50:35.101109982 CEST	443	49845	35.201.103.21	192.168.2.5
Oct 25, 2024 13:50:35.374514103 CEST	443	49839	34.107.243.93	192.168.2.5
Oct 25, 2024 13:50:35.374654055 CEST	49839	443	192.168.2.5	34.107.243.93
Oct 25, 2024 13:50:35.379842997 CEST	49839	443	192.168.2.5	34.107.243.93
Oct 25, 2024 13:50:35.379864931 CEST	443	49839	34.107.243.93	192.168.2.5
Oct 25, 2024 13:50:35.379947901 CEST	49839	443	192.168.2.5	34.107.243.93
Oct 25, 2024 13:50:35.380115986 CEST	443	49839	34.107.243.93	192.168.2.5
Oct 25, 2024 13:50:35.380705118 CEST	49839	443	192.168.2.5	34.107.243.93
Oct 25, 2024 13:50:35.382935047 CEST	49725	80	192.168.2.5	34.107.221.82
Oct 25, 2024 13:50:35.389442921 CEST	80	49725	34.107.221.82	192.168.2.5
Oct 25, 2024 13:50:35.509874105 CEST	80	49725	34.107.221.82	192.168.2.5
Oct 25, 2024 13:50:35.512813091 CEST	49726	80	192.168.2.5	34.107.221.82
Oct 25, 2024 13:50:35.518388033 CEST	80	49726	34.107.221.82	192.168.2.5
Oct 25, 2024 13:50:35.553867102 CEST	49725	80	192.168.2.5	34.107.221.82
Oct 25, 2024 13:50:35.643007040 CEST	80	49726	34.107.221.82	192.168.2.5
Oct 25, 2024 13:50:35.685436964 CEST	49726	80	192.168.2.5	34.107.221.82
Oct 25, 2024 13:50:35.707767010 CEST	443	49842	35.190.72.216	192.168.2.5
Oct 25, 2024 13:50:35.707866907 CEST	49842	443	192.168.2.5	35.190.72.216
Oct 25, 2024 13:50:35.709180117 CEST	443	49841	35.244.181.201	192.168.2.5
Oct 25, 2024 13:50:35.709197998 CEST	443	49841	35.244.181.201	192.168.2.5
Oct 25, 2024 13:50:35.709270954 CEST	49841	443	192.168.2.5	35.244.181.201
Oct 25, 2024 13:50:35.712601900 CEST	49841	443	192.168.2.5	35.244.181.201
Oct 25, 2024 13:50:35.712608099 CEST	443	49841	35.244.181.201	192.168.2.5
Oct 25, 2024 13:50:35.713046074 CEST	443	49841	35.244.181.201	192.168.2.5
Oct 25, 2024 13:50:35.715657949 CEST	49842	443	192.168.2.5	35.190.72.216
Oct 25, 2024 13:50:35.715694904 CEST	443	49842	35.190.72.216	192.168.2.5
Oct 25, 2024 13:50:35.715751886 CEST	49842	443	192.168.2.5	35.190.72.216
Oct 25, 2024 13:50:35.715790987 CEST	443	49843	34.149.100.209	192.168.2.5
Oct 25, 2024 13:50:35.715867043 CEST	443	49842	35.190.72.216	192.168.2.5
Oct 25, 2024 13:50:35.715960026 CEST	49841	443	192.168.2.5	35.244.181.201
Oct 25, 2024 13:50:35.716006041 CEST	49841	443	192.168.2.5	35.244.181.201
Oct 25, 2024 13:50:35.716183901 CEST	443	49841	35.244.181.201	192.168.2.5
Oct 25, 2024 13:50:35.716192007 CEST	49842	443	192.168.2.5	35.190.72.216
Oct 25, 2024 13:50:35.716236115 CEST	49843	443	192.168.2.5	34.149.100.209
Oct 25, 2024 13:50:35.718743086 CEST	443	49844	151.101.129.91	192.168.2.5
Oct 25, 2024 13:50:35.718976974 CEST	49843	443	192.168.2.5	34.149.100.209
Oct 25, 2024 13:50:35.719011068 CEST	443	49843	34.149.100.209	192.168.2.5
Oct 25, 2024 13:50:35.720021963 CEST	49725	80	192.168.2.5	34.107.221.82
Oct 25, 2024 13:50:35.720088959 CEST	443	49843	34.149.100.209	192.168.2.5
Oct 25, 2024 13:50:35.721004963 CEST	443	49845	35.201.103.21	192.168.2.5
Oct 25, 2024 13:50:35.721267939 CEST	49843	443	192.168.2.5	34.149.100.209
Oct 25, 2024 13:50:35.721365929 CEST	49843	443	192.168.2.5	34.149.100.209
Oct 25, 2024 13:50:35.721465111 CEST	443	49843	34.149.100.209	192.168.2.5
Oct 25, 2024 13:50:35.721688032 CEST	49850	443	192.168.2.5	34.149.100.209
Oct 25, 2024 13:50:35.721709967 CEST	443	49850	34.149.100.209	192.168.2.5
Oct 25, 2024 13:50:35.721759081 CEST	49841	443	192.168.2.5	35.244.181.201
Oct 25, 2024 13:50:35.721798897 CEST	49843	443	192.168.2.5	34.149.100.209
Oct 25, 2024 13:50:35.721798897 CEST	49843	443	192.168.2.5	34.149.100.209
Oct 25, 2024 13:50:35.721824884 CEST	49844	443	192.168.2.5	151.101.129.91
Oct 25, 2024 13:50:35.722095966 CEST	49845	443	192.168.2.5	35.201.103.21
Oct 25, 2024 13:50:35.722095966 CEST	49850	443	192.168.2.5	34.149.100.209
Oct 25, 2024 13:50:35.725044012 CEST	49844	443	192.168.2.5	151.101.129.91
Oct 25, 2024 13:50:35.725056887 CEST	443	49844	151.101.129.91	192.168.2.5
Oct 25, 2024 13:50:35.725414038 CEST	80	49725	34.107.221.82	192.168.2.5
Oct 25, 2024 13:50:35.725455046 CEST	443	49844	151.101.129.91	192.168.2.5
Oct 25, 2024 13:50:35.726994991 CEST	49850	443	192.168.2.5	34.149.100.209
Oct 25, 2024 13:50:35.727006912 CEST	443	49850	34.149.100.209	192.168.2.5
Oct 25, 2024 13:50:35.728935957 CEST	49844	443	192.168.2.5	151.101.129.91
Oct 25, 2024 13:50:35.729084969 CEST	49844	443	192.168.2.5	151.101.129.91
Oct 25, 2024 13:50:35.729170084 CEST	443	49844	151.101.129.91	192.168.2.5
Oct 25, 2024 13:50:35.729434013 CEST	49845	443	192.168.2.5	35.201.103.21
Oct 25, 2024 13:50:35.729438066 CEST	443	49845	35.201.103.21	192.168.2.5
Oct 25, 2024 13:50:35.729482889 CEST	49845	443	192.168.2.5	35.201.103.21
Oct 25, 2024 13:50:35.729713917 CEST	443	49845	35.201.103.21	192.168.2.5
Oct 25, 2024 13:50:35.737935066 CEST	49851	443	192.168.2.5	35.244.181.201
Oct 25, 2024 13:50:35.737972021 CEST	443	49851	35.244.181.201	192.168.2.5
Oct 25, 2024 13:50:35.738133907 CEST	49852	443	192.168.2.5	35.244.181.201
Oct 25, 2024 13:50:35.738162041 CEST	443	49852	35.244.181.201	192.168.2.5
Oct 25, 2024 13:50:35.738224030 CEST	49853	443	192.168.2.5	35.244.181.201
Oct 25, 2024 13:50:35.738251925 CEST	443	49853	35.244.181.201	192.168.2.5
Oct 25, 2024 13:50:35.738292933 CEST	49844	443	192.168.2.5	151.101.129.91
Oct 25, 2024 13:50:35.738301039 CEST	49845	443	192.168.2.5	35.201.103.21
Oct 25, 2024 13:50:35.738348007 CEST	49851	443	192.168.2.5	35.244.181.201
Oct 25, 2024 13:50:35.738399982 CEST	49853	443	192.168.2.5	35.244.181.201
Oct 25, 2024 13:50:35.738404989 CEST	49852	443	192.168.2.5	35.244.181.201
Oct 25, 2024 13:50:35.738461971 CEST	49851	443	192.168.2.5	35.244.181.201
Oct 25, 2024 13:50:35.738480091 CEST	443	49851	35.244.181.201	192.168.2.5
Oct 25, 2024 13:50:35.738564014 CEST	49853	443	192.168.2.5	35.244.181.201
Oct 25, 2024 13:50:35.738580942 CEST	443	49853	35.244.181.201	192.168.2.5
Oct 25, 2024 13:50:35.738629103 CEST	49852	443	192.168.2.5	35.244.181.201
Oct 25, 2024 13:50:35.738640070 CEST	443	49852	35.244.181.201	192.168.2.5
Oct 25, 2024 13:50:35.746885061 CEST	49854	443	192.168.2.5	34.149.100.209
Oct 25, 2024 13:50:35.746949911 CEST	443	49854	34.149.100.209	192.168.2.5
Oct 25, 2024 13:50:35.747334003 CEST	49854	443	192.168.2.5	34.149.100.209
Oct 25, 2024 13:50:35.747457981 CEST	49854	443	192.168.2.5	34.149.100.209
Oct 25, 2024 13:50:35.747481108 CEST	443	49854	34.149.100.209	192.168.2.5
Oct 25, 2024 13:50:35.845868111 CEST	80	49725	34.107.221.82	192.168.2.5
Oct 25, 2024 13:50:35.850311041 CEST	49726	80	192.168.2.5	34.107.221.82
Oct 25, 2024 13:50:35.855813980 CEST	80	49726	34.107.221.82	192.168.2.5
Oct 25, 2024 13:50:35.901627064 CEST	49725	80	192.168.2.5	34.107.221.82
Oct 25, 2024 13:50:35.980700970 CEST	80	49726	34.107.221.82	192.168.2.5
Oct 25, 2024 13:50:36.024060965 CEST	49726	80	192.168.2.5	34.107.221.82
Oct 25, 2024 13:50:36.351573944 CEST	443	49853	35.244.181.201	192.168.2.5
Oct 25, 2024 13:50:36.351659060 CEST	49853	443	192.168.2.5	35.244.181.201
Oct 25, 2024 13:50:36.352636099 CEST	443	49850	34.149.100.209	192.168.2.5
Oct 25, 2024 13:50:36.352730036 CEST	49850	443	192.168.2.5	34.149.100.209
Oct 25, 2024 13:50:36.352900028 CEST	443	49852	35.244.181.201	192.168.2.5
Oct 25, 2024 13:50:36.352956057 CEST	49852	443	192.168.2.5	35.244.181.201
Oct 25, 2024 13:50:36.354223013 CEST	443	49851	35.244.181.201	192.168.2.5
Oct 25, 2024 13:50:36.354402065 CEST	49851	443	192.168.2.5	35.244.181.201
Oct 25, 2024 13:50:36.354491949 CEST	49853	443	192.168.2.5	35.244.181.201
Oct 25, 2024 13:50:36.354510069 CEST	443	49853	35.244.181.201	192.168.2.5
Oct 25, 2024 13:50:36.355021954 CEST	443	49853	35.244.181.201	192.168.2.5
Oct 25, 2024 13:50:36.357594013 CEST	49850	443	192.168.2.5	34.149.100.209
Oct 25, 2024 13:50:36.357599020 CEST	443	49850	34.149.100.209	192.168.2.5
Oct 25, 2024 13:50:36.357943058 CEST	443	49850	34.149.100.209	192.168.2.5
Oct 25, 2024 13:50:36.360034943 CEST	49851	443	192.168.2.5	35.244.181.201
Oct 25, 2024 13:50:36.360059977 CEST	443	49851	35.244.181.201	192.168.2.5
Oct 25, 2024 13:50:36.360421896 CEST	443	49851	35.244.181.201	192.168.2.5
Oct 25, 2024 13:50:36.362191916 CEST	49852	443	192.168.2.5	35.244.181.201
Oct 25, 2024 13:50:36.362205029 CEST	443	49852	35.244.181.201	192.168.2.5
Oct 25, 2024 13:50:36.362574100 CEST	443	49852	35.244.181.201	192.168.2.5
Oct 25, 2024 13:50:36.366952896 CEST	49853	443	192.168.2.5	35.244.181.201
Oct 25, 2024 13:50:36.367141008 CEST	443	49853	35.244.181.201	192.168.2.5
Oct 25, 2024 13:50:36.367254972 CEST	49853	443	192.168.2.5	35.244.181.201
Oct 25, 2024 13:50:36.367266893 CEST	443	49853	35.244.181.201	192.168.2.5
Oct 25, 2024 13:50:36.367335081 CEST	49850	443	192.168.2.5	34.149.100.209
Oct 25, 2024 13:50:36.367399931 CEST	49850	443	192.168.2.5	34.149.100.209
Oct 25, 2024 13:50:36.367513895 CEST	443	49850	34.149.100.209	192.168.2.5
Oct 25, 2024 13:50:36.367646933 CEST	49851	443	192.168.2.5	35.244.181.201
Oct 25, 2024 13:50:36.367685080 CEST	49851	443	192.168.2.5	35.244.181.201
Oct 25, 2024 13:50:36.367974043 CEST	443	49851	35.244.181.201	192.168.2.5
Oct 25, 2024 13:50:36.367991924 CEST	49852	443	192.168.2.5	35.244.181.201
Oct 25, 2024 13:50:36.368068933 CEST	49852	443	192.168.2.5	35.244.181.201
Oct 25, 2024 13:50:36.368403912 CEST	443	49852	35.244.181.201	192.168.2.5
Oct 25, 2024 13:50:36.370071888 CEST	49850	443	192.168.2.5	34.149.100.209
Oct 25, 2024 13:50:36.370088100 CEST	49851	443	192.168.2.5	35.244.181.201
Oct 25, 2024 13:50:36.370095968 CEST	49852	443	192.168.2.5	35.244.181.201
Oct 25, 2024 13:50:36.370105982 CEST	49853	443	192.168.2.5	35.244.181.201
Oct 25, 2024 13:50:36.370548964 CEST	49725	80	192.168.2.5	34.107.221.82
Oct 25, 2024 13:50:36.375960112 CEST	80	49725	34.107.221.82	192.168.2.5
Oct 25, 2024 13:50:36.392461061 CEST	443	49854	34.149.100.209	192.168.2.5
Oct 25, 2024 13:50:36.392549992 CEST	49854	443	192.168.2.5	34.149.100.209
Oct 25, 2024 13:50:36.395860910 CEST	49854	443	192.168.2.5	34.149.100.209
Oct 25, 2024 13:50:36.395876884 CEST	443	49854	34.149.100.209	192.168.2.5
Oct 25, 2024 13:50:36.396208048 CEST	443	49854	34.149.100.209	192.168.2.5
Oct 25, 2024 13:50:36.398710012 CEST	49854	443	192.168.2.5	34.149.100.209
Oct 25, 2024 13:50:36.398792028 CEST	49854	443	192.168.2.5	34.149.100.209
Oct 25, 2024 13:50:36.398870945 CEST	443	49854	34.149.100.209	192.168.2.5
Oct 25, 2024 13:50:36.399530888 CEST	49854	443	192.168.2.5	34.149.100.209
Oct 25, 2024 13:50:36.497056961 CEST	80	49725	34.107.221.82	192.168.2.5
Oct 25, 2024 13:50:36.500180960 CEST	49726	80	192.168.2.5	34.107.221.82
Oct 25, 2024 13:50:36.505706072 CEST	80	49726	34.107.221.82	192.168.2.5
Oct 25, 2024 13:50:36.541151047 CEST	49725	80	192.168.2.5	34.107.221.82
Oct 25, 2024 13:50:36.630074024 CEST	80	49726	34.107.221.82	192.168.2.5
Oct 25, 2024 13:50:36.672676086 CEST	49726	80	192.168.2.5	34.107.221.82
Oct 25, 2024 13:50:46.501219034 CEST	49725	80	192.168.2.5	34.107.221.82
Oct 25, 2024 13:50:46.506623983 CEST	80	49725	34.107.221.82	192.168.2.5
Oct 25, 2024 13:50:46.632910967 CEST	49726	80	192.168.2.5	34.107.221.82
Oct 25, 2024 13:50:46.638508081 CEST	80	49726	34.107.221.82	192.168.2.5
Oct 25, 2024 13:50:55.393414974 CEST	49956	443	192.168.2.5	34.107.243.93
Oct 25, 2024 13:50:55.393465042 CEST	443	49956	34.107.243.93	192.168.2.5
Oct 25, 2024 13:50:55.393932104 CEST	49956	443	192.168.2.5	34.107.243.93
Oct 25, 2024 13:50:55.396140099 CEST	49956	443	192.168.2.5	34.107.243.93
Oct 25, 2024 13:50:55.396178007 CEST	443	49956	34.107.243.93	192.168.2.5
Oct 25, 2024 13:50:56.014121056 CEST	443	49956	34.107.243.93	192.168.2.5
Oct 25, 2024 13:50:56.014230967 CEST	49956	443	192.168.2.5	34.107.243.93
Oct 25, 2024 13:50:56.018661976 CEST	49956	443	192.168.2.5	34.107.243.93
Oct 25, 2024 13:50:56.018668890 CEST	443	49956	34.107.243.93	192.168.2.5
Oct 25, 2024 13:50:56.018750906 CEST	49956	443	192.168.2.5	34.107.243.93
Oct 25, 2024 13:50:56.018863916 CEST	443	49956	34.107.243.93	192.168.2.5
Oct 25, 2024 13:50:56.019599915 CEST	49956	443	192.168.2.5	34.107.243.93
Oct 25, 2024 13:50:56.021764040 CEST	49725	80	192.168.2.5	34.107.221.82
Oct 25, 2024 13:50:56.027087927 CEST	80	49725	34.107.221.82	192.168.2.5
Oct 25, 2024 13:50:56.147711992 CEST	80	49725	34.107.221.82	192.168.2.5
Oct 25, 2024 13:50:56.164285898 CEST	49726	80	192.168.2.5	34.107.221.82
Oct 25, 2024 13:50:56.169647932 CEST	80	49726	34.107.221.82	192.168.2.5
Oct 25, 2024 13:50:56.213587999 CEST	49725	80	192.168.2.5	34.107.221.82
Oct 25, 2024 13:50:56.294116974 CEST	80	49726	34.107.221.82	192.168.2.5
Oct 25, 2024 13:50:56.345155001 CEST	49726	80	192.168.2.5	34.107.221.82
Oct 25, 2024 13:51:05.803107023 CEST	50012	443	192.168.2.5	34.120.208.123
Oct 25, 2024 13:51:05.803196907 CEST	443	50012	34.120.208.123	192.168.2.5
Oct 25, 2024 13:51:05.807977915 CEST	50013	443	192.168.2.5	34.120.208.123
Oct 25, 2024 13:51:05.808072090 CEST	443	50013	34.120.208.123	192.168.2.5
Oct 25, 2024 13:51:05.809653997 CEST	50012	443	192.168.2.5	34.120.208.123
Oct 25, 2024 13:51:05.809699059 CEST	50013	443	192.168.2.5	34.120.208.123
Oct 25, 2024 13:51:05.809895992 CEST	50012	443	192.168.2.5	34.120.208.123
Oct 25, 2024 13:51:05.809932947 CEST	443	50012	34.120.208.123	192.168.2.5
Oct 25, 2024 13:51:05.810185909 CEST	50013	443	192.168.2.5	34.120.208.123
Oct 25, 2024 13:51:05.810223103 CEST	443	50013	34.120.208.123	192.168.2.5
Oct 25, 2024 13:51:06.174088955 CEST	49725	80	192.168.2.5	34.107.221.82
Oct 25, 2024 13:51:06.179702997 CEST	80	49725	34.107.221.82	192.168.2.5
Oct 25, 2024 13:51:06.312357903 CEST	49726	80	192.168.2.5	34.107.221.82
Oct 25, 2024 13:51:06.320457935 CEST	80	49726	34.107.221.82	192.168.2.5
Oct 25, 2024 13:51:06.422756910 CEST	443	50012	34.120.208.123	192.168.2.5
Oct 25, 2024 13:51:06.422797918 CEST	443	50012	34.120.208.123	192.168.2.5
Oct 25, 2024 13:51:06.423006058 CEST	50012	443	192.168.2.5	34.120.208.123
Oct 25, 2024 13:51:06.427154064 CEST	50012	443	192.168.2.5	34.120.208.123
Oct 25, 2024 13:51:06.427160978 CEST	443	50012	34.120.208.123	192.168.2.5
Oct 25, 2024 13:51:06.427498102 CEST	443	50012	34.120.208.123	192.168.2.5
Oct 25, 2024 13:51:06.430490017 CEST	50012	443	192.168.2.5	34.120.208.123
Oct 25, 2024 13:51:06.430584908 CEST	50012	443	192.168.2.5	34.120.208.123
Oct 25, 2024 13:51:06.430680037 CEST	443	50012	34.120.208.123	192.168.2.5
Oct 25, 2024 13:51:06.431022882 CEST	50012	443	192.168.2.5	34.120.208.123
Oct 25, 2024 13:51:06.439904928 CEST	443	50013	34.120.208.123	192.168.2.5
Oct 25, 2024 13:51:06.441658974 CEST	50013	443	192.168.2.5	34.120.208.123
Oct 25, 2024 13:51:06.446011066 CEST	50013	443	192.168.2.5	34.120.208.123
Oct 25, 2024 13:51:06.446048975 CEST	443	50013	34.120.208.123	192.168.2.5
Oct 25, 2024 13:51:06.446475029 CEST	443	50013	34.120.208.123	192.168.2.5
Oct 25, 2024 13:51:06.449162960 CEST	50013	443	192.168.2.5	34.120.208.123
Oct 25, 2024 13:51:06.449271917 CEST	50013	443	192.168.2.5	34.120.208.123
Oct 25, 2024 13:51:06.449357033 CEST	443	50013	34.120.208.123	192.168.2.5
Oct 25, 2024 13:51:06.449781895 CEST	50013	443	192.168.2.5	34.120.208.123
Oct 25, 2024 13:51:06.449820042 CEST	50013	443	192.168.2.5	34.120.208.123
Oct 25, 2024 13:51:06.462945938 CEST	49725	80	192.168.2.5	34.107.221.82
Oct 25, 2024 13:51:06.468408108 CEST	80	49725	34.107.221.82	192.168.2.5
Oct 25, 2024 13:51:06.588743925 CEST	80	49725	34.107.221.82	192.168.2.5
Oct 25, 2024 13:51:06.616822958 CEST	49726	80	192.168.2.5	34.107.221.82
Oct 25, 2024 13:51:06.622755051 CEST	80	49726	34.107.221.82	192.168.2.5
Oct 25, 2024 13:51:06.628681898 CEST	49725	80	192.168.2.5	34.107.221.82
Oct 25, 2024 13:51:06.747021914 CEST	80	49726	34.107.221.82	192.168.2.5
Oct 25, 2024 13:51:06.791508913 CEST	49726	80	192.168.2.5	34.107.221.82
Oct 25, 2024 13:51:16.589399099 CEST	49725	80	192.168.2.5	34.107.221.82
Oct 25, 2024 13:51:16.595326900 CEST	80	49725	34.107.221.82	192.168.2.5
Oct 25, 2024 13:51:16.758860111 CEST	49726	80	192.168.2.5	34.107.221.82
Oct 25, 2024 13:51:16.764456034 CEST	80	49726	34.107.221.82	192.168.2.5
Oct 25, 2024 13:51:26.603071928 CEST	49725	80	192.168.2.5	34.107.221.82
Oct 25, 2024 13:51:26.608593941 CEST	80	49725	34.107.221.82	192.168.2.5
Oct 25, 2024 13:51:26.772568941 CEST	49726	80	192.168.2.5	34.107.221.82
Oct 25, 2024 13:51:26.778275013 CEST	80	49726	34.107.221.82	192.168.2.5
Oct 25, 2024 13:51:36.617203951 CEST	49725	80	192.168.2.5	34.107.221.82
Oct 25, 2024 13:51:36.686266899 CEST	80	49725	34.107.221.82	192.168.2.5
Oct 25, 2024 13:51:36.780163050 CEST	49726	80	192.168.2.5	34.107.221.82
Oct 25, 2024 13:51:36.786052942 CEST	80	49726	34.107.221.82	192.168.2.5
Oct 25, 2024 13:51:37.147624016 CEST	50029	443	192.168.2.5	34.107.243.93
Oct 25, 2024 13:51:37.147711992 CEST	443	50029	34.107.243.93	192.168.2.5
Oct 25, 2024 13:51:37.147979975 CEST	50029	443	192.168.2.5	34.107.243.93
Oct 25, 2024 13:51:37.149086952 CEST	50029	443	192.168.2.5	34.107.243.93
Oct 25, 2024 13:51:37.149141073 CEST	443	50029	34.107.243.93	192.168.2.5
Oct 25, 2024 13:51:37.766067982 CEST	443	50029	34.107.243.93	192.168.2.5
Oct 25, 2024 13:51:37.766467094 CEST	50029	443	192.168.2.5	34.107.243.93
Oct 25, 2024 13:51:37.772703886 CEST	50029	443	192.168.2.5	34.107.243.93
Oct 25, 2024 13:51:37.772778034 CEST	443	50029	34.107.243.93	192.168.2.5
Oct 25, 2024 13:51:37.772871017 CEST	50029	443	192.168.2.5	34.107.243.93
Oct 25, 2024 13:51:37.773323059 CEST	443	50029	34.107.243.93	192.168.2.5
Oct 25, 2024 13:51:37.773407936 CEST	50029	443	192.168.2.5	34.107.243.93
Oct 25, 2024 13:51:37.775737047 CEST	49725	80	192.168.2.5	34.107.221.82
Oct 25, 2024 13:51:37.781194925 CEST	80	49725	34.107.221.82	192.168.2.5
Oct 25, 2024 13:51:37.901633024 CEST	80	49725	34.107.221.82	192.168.2.5
Oct 25, 2024 13:51:37.905648947 CEST	49726	80	192.168.2.5	34.107.221.82
Oct 25, 2024 13:51:37.911134958 CEST	80	49726	34.107.221.82	192.168.2.5
Oct 25, 2024 13:51:37.952482939 CEST	49725	80	192.168.2.5	34.107.221.82
Oct 25, 2024 13:51:38.036195040 CEST	80	49726	34.107.221.82	192.168.2.5
Oct 25, 2024 13:51:38.084064007 CEST	49726	80	192.168.2.5	34.107.221.82
Oct 25, 2024 13:51:47.912158012 CEST	49725	80	192.168.2.5	34.107.221.82
Oct 25, 2024 13:51:47.918226957 CEST	80	49725	34.107.221.82	192.168.2.5
Oct 25, 2024 13:51:48.050246954 CEST	49726	80	192.168.2.5	34.107.221.82
Oct 25, 2024 13:51:48.056256056 CEST	80	49726	34.107.221.82	192.168.2.5
Oct 25, 2024 13:51:57.924854040 CEST	49725	80	192.168.2.5	34.107.221.82
Oct 25, 2024 13:51:57.930802107 CEST	80	49725	34.107.221.82	192.168.2.5
Oct 25, 2024 13:51:58.063083887 CEST	49726	80	192.168.2.5	34.107.221.82
Oct 25, 2024 13:51:58.070050955 CEST	80	49726	34.107.221.82	192.168.2.5
Oct 25, 2024 13:52:07.952101946 CEST	49725	80	192.168.2.5	34.107.221.82
Oct 25, 2024 13:52:07.957736015 CEST	80	49725	34.107.221.82	192.168.2.5
Oct 25, 2024 13:52:08.083865881 CEST	49726	80	192.168.2.5	34.107.221.82
Oct 25, 2024 13:52:08.090137005 CEST	80	49726	34.107.221.82	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 25, 2024 13:50:06.310873032 CEST	63126	53	192.168.2.5	1.1.1.1
Oct 25, 2024 13:50:06.319372892 CEST	53	63126	1.1.1.1	192.168.2.5
Oct 25, 2024 13:50:06.324073076 CEST	53308	53	192.168.2.5	1.1.1.1
Oct 25, 2024 13:50:06.331758976 CEST	53	53308	1.1.1.1	192.168.2.5
Oct 25, 2024 13:50:06.873203993 CEST	62738	53	192.168.2.5	1.1.1.1
Oct 25, 2024 13:50:06.877480030 CEST	57182	53	192.168.2.5	1.1.1.1
Oct 25, 2024 13:50:06.880702019 CEST	53	62738	1.1.1.1	192.168.2.5
Oct 25, 2024 13:50:06.881807089 CEST	60516	53	192.168.2.5	1.1.1.1
Oct 25, 2024 13:50:06.889141083 CEST	53	60516	1.1.1.1	192.168.2.5
Oct 25, 2024 13:50:06.890762091 CEST	60442	53	192.168.2.5	1.1.1.1
Oct 25, 2024 13:50:06.893933058 CEST	58176	53	192.168.2.5	1.1.1.1
Oct 25, 2024 13:50:06.898547888 CEST	53	60442	1.1.1.1	192.168.2.5
Oct 25, 2024 13:50:06.901451111 CEST	53	58176	1.1.1.1	192.168.2.5
Oct 25, 2024 13:50:06.906371117 CEST	52243	53	192.168.2.5	1.1.1.1
Oct 25, 2024 13:50:06.914263010 CEST	53	52243	1.1.1.1	192.168.2.5
Oct 25, 2024 13:50:07.254342079 CEST	49926	53	192.168.2.5	1.1.1.1
Oct 25, 2024 13:50:07.261715889 CEST	53	49926	1.1.1.1	192.168.2.5
Oct 25, 2024 13:50:07.263309002 CEST	61331	53	192.168.2.5	1.1.1.1
Oct 25, 2024 13:50:07.271286964 CEST	53	61331	1.1.1.1	192.168.2.5
Oct 25, 2024 13:50:07.272697926 CEST	56927	53	192.168.2.5	1.1.1.1
Oct 25, 2024 13:50:07.280538082 CEST	53	56927	1.1.1.1	192.168.2.5
Oct 25, 2024 13:50:07.442293882 CEST	62851	53	192.168.2.5	1.1.1.1
Oct 25, 2024 13:50:07.449959993 CEST	53	62851	1.1.1.1	192.168.2.5
Oct 25, 2024 13:50:07.451533079 CEST	62092	53	192.168.2.5	1.1.1.1
Oct 25, 2024 13:50:07.453989983 CEST	57204	53	192.168.2.5	1.1.1.1
Oct 25, 2024 13:50:07.459182978 CEST	53	62092	1.1.1.1	192.168.2.5
Oct 25, 2024 13:50:07.471954107 CEST	63508	53	192.168.2.5	1.1.1.1
Oct 25, 2024 13:50:07.479475975 CEST	53	63508	1.1.1.1	192.168.2.5
Oct 25, 2024 13:50:07.486589909 CEST	53	57204	1.1.1.1	192.168.2.5
Oct 25, 2024 13:50:07.487217903 CEST	62915	53	192.168.2.5	1.1.1.1
Oct 25, 2024 13:50:07.495501995 CEST	53	62915	1.1.1.1	192.168.2.5
Oct 25, 2024 13:50:07.556315899 CEST	62988	53	192.168.2.5	1.1.1.1
Oct 25, 2024 13:50:07.563862085 CEST	53	62988	1.1.1.1	192.168.2.5
Oct 25, 2024 13:50:07.573239088 CEST	51942	53	192.168.2.5	1.1.1.1
Oct 25, 2024 13:50:07.581433058 CEST	53	51942	1.1.1.1	192.168.2.5
Oct 25, 2024 13:50:07.582103014 CEST	53741	53	192.168.2.5	1.1.1.1
Oct 25, 2024 13:50:07.590512991 CEST	53	53741	1.1.1.1	192.168.2.5
Oct 25, 2024 13:50:07.668591022 CEST	50673	53	192.168.2.5	1.1.1.1
Oct 25, 2024 13:50:07.669156075 CEST	64808	53	192.168.2.5	1.1.1.1
Oct 25, 2024 13:50:07.676568985 CEST	53	64808	1.1.1.1	192.168.2.5
Oct 25, 2024 13:50:07.676959038 CEST	53	50673	1.1.1.1	192.168.2.5
Oct 25, 2024 13:50:07.695667982 CEST	59291	53	192.168.2.5	1.1.1.1
Oct 25, 2024 13:50:08.928172112 CEST	56615	53	192.168.2.5	1.1.1.1
Oct 25, 2024 13:50:09.044213057 CEST	60901	53	192.168.2.5	1.1.1.1
Oct 25, 2024 13:50:09.479662895 CEST	59181	53	192.168.2.5	1.1.1.1
Oct 25, 2024 13:50:09.803798914 CEST	53	59181	1.1.1.1	192.168.2.5
Oct 25, 2024 13:50:09.803956985 CEST	53	60901	1.1.1.1	192.168.2.5
Oct 25, 2024 13:50:09.873795033 CEST	53	53633	1.1.1.1	192.168.2.5
Oct 25, 2024 13:50:09.884088993 CEST	51882	53	192.168.2.5	1.1.1.1
Oct 25, 2024 13:50:09.886641979 CEST	56876	53	192.168.2.5	1.1.1.1
Oct 25, 2024 13:50:09.887454987 CEST	59369	53	192.168.2.5	1.1.1.1
Oct 25, 2024 13:50:09.891437054 CEST	53	51882	1.1.1.1	192.168.2.5
Oct 25, 2024 13:50:09.892530918 CEST	54697	53	192.168.2.5	1.1.1.1
Oct 25, 2024 13:50:09.894198895 CEST	53	56876	1.1.1.1	192.168.2.5
Oct 25, 2024 13:50:09.895145893 CEST	53	59369	1.1.1.1	192.168.2.5
Oct 25, 2024 13:50:09.895334005 CEST	55093	53	192.168.2.5	1.1.1.1
Oct 25, 2024 13:50:09.896078110 CEST	52312	53	192.168.2.5	1.1.1.1
Oct 25, 2024 13:50:09.901375055 CEST	53	54697	1.1.1.1	192.168.2.5
Oct 25, 2024 13:50:09.902559996 CEST	53	55093	1.1.1.1	192.168.2.5
Oct 25, 2024 13:50:09.903565884 CEST	53	52312	1.1.1.1	192.168.2.5
Oct 25, 2024 13:50:13.794713020 CEST	50662	53	192.168.2.5	1.1.1.1
Oct 25, 2024 13:50:13.802484035 CEST	53	50662	1.1.1.1	192.168.2.5
Oct 25, 2024 13:50:13.822278023 CEST	62183	53	192.168.2.5	1.1.1.1
Oct 25, 2024 13:50:13.831094980 CEST	53	62183	1.1.1.1	192.168.2.5
Oct 25, 2024 13:50:13.837474108 CEST	61895	53	192.168.2.5	1.1.1.1
Oct 25, 2024 13:50:13.844772100 CEST	53	61895	1.1.1.1	192.168.2.5
Oct 25, 2024 13:50:15.891787052 CEST	63701	53	192.168.2.5	1.1.1.1
Oct 25, 2024 13:50:15.892174959 CEST	54029	53	192.168.2.5	1.1.1.1
Oct 25, 2024 13:50:15.892525911 CEST	53732	53	192.168.2.5	1.1.1.1
Oct 25, 2024 13:50:15.899321079 CEST	53	63701	1.1.1.1	192.168.2.5
Oct 25, 2024 13:50:15.899735928 CEST	53	54029	1.1.1.1	192.168.2.5
Oct 25, 2024 13:50:15.901026964 CEST	53	53732	1.1.1.1	192.168.2.5
Oct 25, 2024 13:50:16.255738020 CEST	50267	53	192.168.2.5	1.1.1.1
Oct 25, 2024 13:50:16.255738020 CEST	56951	53	192.168.2.5	1.1.1.1
Oct 25, 2024 13:50:16.255992889 CEST	54696	53	192.168.2.5	1.1.1.1
Oct 25, 2024 13:50:16.263267994 CEST	53	56951	1.1.1.1	192.168.2.5
Oct 25, 2024 13:50:16.263751030 CEST	53	50267	1.1.1.1	192.168.2.5
Oct 25, 2024 13:50:16.263775110 CEST	53	54696	1.1.1.1	192.168.2.5
Oct 25, 2024 13:50:16.264564037 CEST	62169	53	192.168.2.5	1.1.1.1
Oct 25, 2024 13:50:16.265186071 CEST	52195	53	192.168.2.5	1.1.1.1
Oct 25, 2024 13:50:16.265229940 CEST	49314	53	192.168.2.5	1.1.1.1
Oct 25, 2024 13:50:16.272252083 CEST	53	62169	1.1.1.1	192.168.2.5
Oct 25, 2024 13:50:16.272726059 CEST	53	49314	1.1.1.1	192.168.2.5
Oct 25, 2024 13:50:16.273125887 CEST	53	52195	1.1.1.1	192.168.2.5
Oct 25, 2024 13:50:16.275760889 CEST	62980	53	192.168.2.5	1.1.1.1
Oct 25, 2024 13:50:16.276544094 CEST	53054	53	192.168.2.5	1.1.1.1
Oct 25, 2024 13:50:16.283705950 CEST	53	62980	1.1.1.1	192.168.2.5
Oct 25, 2024 13:50:16.284612894 CEST	50248	53	192.168.2.5	1.1.1.1
Oct 25, 2024 13:50:16.285053015 CEST	53	53054	1.1.1.1	192.168.2.5
Oct 25, 2024 13:50:16.285729885 CEST	61165	53	192.168.2.5	1.1.1.1
Oct 25, 2024 13:50:16.291981936 CEST	53	50248	1.1.1.1	192.168.2.5
Oct 25, 2024 13:50:16.293035984 CEST	53	61165	1.1.1.1	192.168.2.5
Oct 25, 2024 13:50:16.294101954 CEST	54617	53	192.168.2.5	1.1.1.1
Oct 25, 2024 13:50:16.294137001 CEST	51700	53	192.168.2.5	1.1.1.1
Oct 25, 2024 13:50:16.301424026 CEST	53	54617	1.1.1.1	192.168.2.5
Oct 25, 2024 13:50:16.302196026 CEST	53	51700	1.1.1.1	192.168.2.5
Oct 25, 2024 13:50:21.558072090 CEST	51951	53	192.168.2.5	1.1.1.1
Oct 25, 2024 13:50:21.613841057 CEST	53	51951	1.1.1.1	192.168.2.5
Oct 25, 2024 13:50:34.760010004 CEST	53209	53	192.168.2.5	1.1.1.1
Oct 25, 2024 13:50:34.769010067 CEST	53	53209	1.1.1.1	192.168.2.5
Oct 25, 2024 13:50:35.046212912 CEST	63371	53	192.168.2.5	1.1.1.1
Oct 25, 2024 13:50:35.053406000 CEST	53	63371	1.1.1.1	192.168.2.5
Oct 25, 2024 13:50:35.067578077 CEST	54367	53	192.168.2.5	1.1.1.1
Oct 25, 2024 13:50:35.077007055 CEST	53	54367	1.1.1.1	192.168.2.5
Oct 25, 2024 13:50:35.082222939 CEST	51973	53	192.168.2.5	1.1.1.1
Oct 25, 2024 13:50:35.090727091 CEST	49657	53	192.168.2.5	1.1.1.1
Oct 25, 2024 13:50:35.091804981 CEST	53	51973	1.1.1.1	192.168.2.5
Oct 25, 2024 13:50:35.095453024 CEST	64226	53	192.168.2.5	1.1.1.1
Oct 25, 2024 13:50:35.100214958 CEST	53	49657	1.1.1.1	192.168.2.5
Oct 25, 2024 13:50:35.102586031 CEST	58614	53	192.168.2.5	1.1.1.1
Oct 25, 2024 13:50:35.104718924 CEST	53	64226	1.1.1.1	192.168.2.5
Oct 25, 2024 13:50:35.105418921 CEST	65050	53	192.168.2.5	1.1.1.1
Oct 25, 2024 13:50:35.110569000 CEST	53	58614	1.1.1.1	192.168.2.5
Oct 25, 2024 13:50:35.113523960 CEST	53	65050	1.1.1.1	192.168.2.5
Oct 25, 2024 13:50:55.384071112 CEST	59063	53	192.168.2.5	1.1.1.1
Oct 25, 2024 13:50:55.391562939 CEST	53	59063	1.1.1.1	192.168.2.5
Oct 25, 2024 13:50:55.392580032 CEST	54051	53	192.168.2.5	1.1.1.1
Oct 25, 2024 13:50:55.400291920 CEST	53	54051	1.1.1.1	192.168.2.5
Oct 25, 2024 13:50:56.022059917 CEST	62717	53	192.168.2.5	1.1.1.1
Oct 25, 2024 13:51:05.800525904 CEST	62079	53	192.168.2.5	1.1.1.1
Oct 25, 2024 13:51:05.808062077 CEST	53	62079	1.1.1.1	192.168.2.5
Oct 25, 2024 13:51:06.463120937 CEST	60923	53	192.168.2.5	1.1.1.1
Oct 25, 2024 13:51:37.138166904 CEST	61111	53	192.168.2.5	1.1.1.1
Oct 25, 2024 13:51:37.146457911 CEST	53	61111	1.1.1.1	192.168.2.5
Oct 25, 2024 13:51:37.147794008 CEST	51637	53	192.168.2.5	1.1.1.1
Oct 25, 2024 13:51:37.155502081 CEST	53	51637	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 25, 2024 13:50:06.310873032 CEST	192.168.2.5	1.1.1.1	0x80f	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 25, 2024 13:50:06.324073076 CEST	192.168.2.5	1.1.1.1	0x240b	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 25, 2024 13:50:06.873203993 CEST	192.168.2.5	1.1.1.1	0x4632	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 13:50:06.877480030 CEST	192.168.2.5	1.1.1.1	0x4fa3	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 13:50:06.881807089 CEST	192.168.2.5	1.1.1.1	0xd9f4	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 13:50:06.890762091 CEST	192.168.2.5	1.1.1.1	0xa533	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 25, 2024 13:50:06.893933058 CEST	192.168.2.5	1.1.1.1	0x34dd	Standard query (0)	youtube.com	28	IN (0x0001)	false
Oct 25, 2024 13:50:06.906371117 CEST	192.168.2.5	1.1.1.1	0x2c56	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 25, 2024 13:50:07.254342079 CEST	192.168.2.5	1.1.1.1	0xcb03	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 13:50:07.263309002 CEST	192.168.2.5	1.1.1.1	0x2b47	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 13:50:07.272697926 CEST	192.168.2.5	1.1.1.1	0x5325	Standard query (0)	contile.services.mozilla.com	28	IN (0x0001)	false
Oct 25, 2024 13:50:07.442293882 CEST	192.168.2.5	1.1.1.1	0xa1d5	Standard query (0)	spocs.getpocket.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 13:50:07.451533079 CEST	192.168.2.5	1.1.1.1	0x89cc	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 25, 2024 13:50:07.453989983 CEST	192.168.2.5	1.1.1.1	0x9ad8	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 25, 2024 13:50:07.471954107 CEST	192.168.2.5	1.1.1.1	0x3dce	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 25, 2024 13:50:07.487217903 CEST	192.168.2.5	1.1.1.1	0x63e4	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 25, 2024 13:50:07.556315899 CEST	192.168.2.5	1.1.1.1	0x6a56	Standard query (0)	content-signature-2.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Oct 25, 2024 13:50:07.573239088 CEST	192.168.2.5	1.1.1.1	0xcac5	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 25, 2024 13:50:07.582103014 CEST	192.168.2.5	1.1.1.1	0xddfb	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 25, 2024 13:50:07.668591022 CEST	192.168.2.5	1.1.1.1	0xa72e	Standard query (0)	example.org	A (IP address)	IN (0x0001)	false
Oct 25, 2024 13:50:07.669156075 CEST	192.168.2.5	1.1.1.1	0xc8ac	Standard query (0)	ipv4only.arpa	A (IP address)	IN (0x0001)	false
Oct 25, 2024 13:50:07.695667982 CEST	192.168.2.5	1.1.1.1	0xe96e	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 13:50:08.928172112 CEST	192.168.2.5	1.1.1.1	0xd3c0	Standard query (0)	shavar.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 13:50:09.044213057 CEST	192.168.2.5	1.1.1.1	0x13dd	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 13:50:09.479662895 CEST	192.168.2.5	1.1.1.1	0xdb13	Standard query (0)	firefox.settings.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 13:50:09.884088993 CEST	192.168.2.5	1.1.1.1	0x1622	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 13:50:09.886641979 CEST	192.168.2.5	1.1.1.1	0x4b6	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 13:50:09.887454987 CEST	192.168.2.5	1.1.1.1	0x3c60	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 25, 2024 13:50:09.892530918 CEST	192.168.2.5	1.1.1.1	0x46cd	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 25, 2024 13:50:09.895334005 CEST	192.168.2.5	1.1.1.1	0xae92	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 25, 2024 13:50:09.896078110 CEST	192.168.2.5	1.1.1.1	0x5b58	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 25, 2024 13:50:13.794713020 CEST	192.168.2.5	1.1.1.1	0xf0f9	Standard query (0)	support.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 25, 2024 13:50:13.822278023 CEST	192.168.2.5	1.1.1.1	0xc279	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 25, 2024 13:50:13.837474108 CEST	192.168.2.5	1.1.1.1	0xa50f	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 25, 2024 13:50:15.891787052 CEST	192.168.2.5	1.1.1.1	0x5da0	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 13:50:15.892174959 CEST	192.168.2.5	1.1.1.1	0x3813	Standard query (0)	www.facebook.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 13:50:15.892525911 CEST	192.168.2.5	1.1.1.1	0x6706	Standard query (0)	www.wikipedia.org	A (IP address)	IN (0x0001)	false
Oct 25, 2024 13:50:16.255738020 CEST	192.168.2.5	1.1.1.1	0xa079	Standard query (0)	dyna.wikimedia.org	A (IP address)	IN (0x0001)	false
Oct 25, 2024 13:50:16.255738020 CEST	192.168.2.5	1.1.1.1	0x6c74	Standard query (0)	star-mini.c10r.facebook.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 13:50:16.255992889 CEST	192.168.2.5	1.1.1.1	0xf070	Standard query (0)	youtube-ui.l.google.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 13:50:16.264564037 CEST	192.168.2.5	1.1.1.1	0x731b	Standard query (0)	star-mini.c10r.facebook.com	28	IN (0x0001)	false
Oct 25, 2024 13:50:16.265186071 CEST	192.168.2.5	1.1.1.1	0x18de	Standard query (0)	dyna.wikimedia.org	28	IN (0x0001)	false
Oct 25, 2024 13:50:16.265229940 CEST	192.168.2.5	1.1.1.1	0xd476	Standard query (0)	youtube-ui.l.google.com	28	IN (0x0001)	false
Oct 25, 2024 13:50:16.275760889 CEST	192.168.2.5	1.1.1.1	0x26d6	Standard query (0)	www.reddit.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 13:50:16.276544094 CEST	192.168.2.5	1.1.1.1	0x946e	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 13:50:16.284612894 CEST	192.168.2.5	1.1.1.1	0xe779	Standard query (0)	reddit.map.fastly.net	A (IP address)	IN (0x0001)	false
Oct 25, 2024 13:50:16.285729885 CEST	192.168.2.5	1.1.1.1	0xe25b	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 13:50:16.294101954 CEST	192.168.2.5	1.1.1.1	0xeaf1	Standard query (0)	twitter.com	28	IN (0x0001)	false
Oct 25, 2024 13:50:16.294137001 CEST	192.168.2.5	1.1.1.1	0x3a3f	Standard query (0)	reddit.map.fastly.net	28	IN (0x0001)	false
Oct 25, 2024 13:50:21.558072090 CEST	192.168.2.5	1.1.1.1	0x3d77	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 25, 2024 13:50:34.760010004 CEST	192.168.2.5	1.1.1.1	0x4b46	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 25, 2024 13:50:35.046212912 CEST	192.168.2.5	1.1.1.1	0xc1b7	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 25, 2024 13:50:35.067578077 CEST	192.168.2.5	1.1.1.1	0xcba7	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 25, 2024 13:50:35.082222939 CEST	192.168.2.5	1.1.1.1	0x55c8	Standard query (0)	normandy.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Oct 25, 2024 13:50:35.090727091 CEST	192.168.2.5	1.1.1.1	0x91c7	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 25, 2024 13:50:35.095453024 CEST	192.168.2.5	1.1.1.1	0xa2e1	Standard query (0)	normandy-cdn.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 13:50:35.102586031 CEST	192.168.2.5	1.1.1.1	0x8648	Standard query (0)	services.addons.mozilla.org	28	IN (0x0001)	false
Oct 25, 2024 13:50:35.105418921 CEST	192.168.2.5	1.1.1.1	0x872b	Standard query (0)	normandy-cdn.services.mozilla.com	28	IN (0x0001)	false
Oct 25, 2024 13:50:55.384071112 CEST	192.168.2.5	1.1.1.1	0xcc85	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 13:50:55.392580032 CEST	192.168.2.5	1.1.1.1	0xad89	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 25, 2024 13:50:56.022059917 CEST	192.168.2.5	1.1.1.1	0x756d	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 13:51:05.800525904 CEST	192.168.2.5	1.1.1.1	0x3f63	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 25, 2024 13:51:06.463120937 CEST	192.168.2.5	1.1.1.1	0x33f4	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 13:51:37.138166904 CEST	192.168.2.5	1.1.1.1	0x6e47	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 13:51:37.147794008 CEST	192.168.2.5	1.1.1.1	0x5911	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 25, 2024 13:50:06.302129030 CEST	1.1.1.1	192.168.2.5	0xedc	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Oct 25, 2024 13:50:06.319372892 CEST	1.1.1.1	192.168.2.5	0x80f	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Oct 25, 2024 13:50:06.880702019 CEST	1.1.1.1	192.168.2.5	0x4632	No error (0)	youtube.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Oct 25, 2024 13:50:06.884668112 CEST	1.1.1.1	192.168.2.5	0x4fa3	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 13:50:06.884668112 CEST	1.1.1.1	192.168.2.5	0x4fa3	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 25, 2024 13:50:06.889141083 CEST	1.1.1.1	192.168.2.5	0xd9f4	No error (0)	youtube.com		172.217.23.110	A (IP address)	IN (0x0001)	false
Oct 25, 2024 13:50:06.898547888 CEST	1.1.1.1	192.168.2.5	0xa533	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 25, 2024 13:50:06.901451111 CEST	1.1.1.1	192.168.2.5	0x34dd	No error (0)	youtube.com			28	IN (0x0001)	false
Oct 25, 2024 13:50:06.914263010 CEST	1.1.1.1	192.168.2.5	0x2c56	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net			28	IN (0x0001)	false
Oct 25, 2024 13:50:07.261715889 CEST	1.1.1.1	192.168.2.5	0xcb03	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 25, 2024 13:50:07.271286964 CEST	1.1.1.1	192.168.2.5	0x2b47	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 25, 2024 13:50:07.449959993 CEST	1.1.1.1	192.168.2.5	0xa1d5	No error (0)	spocs.getpocket.com	prod.ads.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 13:50:07.449959993 CEST	1.1.1.1	192.168.2.5	0xa1d5	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 25, 2024 13:50:07.450318098 CEST	1.1.1.1	192.168.2.5	0xe1e2	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 13:50:07.450318098 CEST	1.1.1.1	192.168.2.5	0xe1e2	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 25, 2024 13:50:07.459182978 CEST	1.1.1.1	192.168.2.5	0x89cc	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 25, 2024 13:50:07.486589909 CEST	1.1.1.1	192.168.2.5	0x9ad8	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 25, 2024 13:50:07.563862085 CEST	1.1.1.1	192.168.2.5	0x6a56	No error (0)	content-signature-2.cdn.mozilla.net	content-signature-chains.prod.autograph.services.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 13:50:07.563862085 CEST	1.1.1.1	192.168.2.5	0x6a56	No error (0)	content-signature-chains.prod.autograph.services.mozaws.net	prod.content-signature-chains.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 13:50:07.563862085 CEST	1.1.1.1	192.168.2.5	0x6a56	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Oct 25, 2024 13:50:07.581433058 CEST	1.1.1.1	192.168.2.5	0xcac5	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Oct 25, 2024 13:50:07.590512991 CEST	1.1.1.1	192.168.2.5	0xddfb	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net			28	IN (0x0001)	false
Oct 25, 2024 13:50:07.676568985 CEST	1.1.1.1	192.168.2.5	0xc8ac	No error (0)	ipv4only.arpa		192.0.0.170	A (IP address)	IN (0x0001)	false
Oct 25, 2024 13:50:07.676568985 CEST	1.1.1.1	192.168.2.5	0xc8ac	No error (0)	ipv4only.arpa		192.0.0.171	A (IP address)	IN (0x0001)	false
Oct 25, 2024 13:50:07.676959038 CEST	1.1.1.1	192.168.2.5	0xa72e	No error (0)	example.org		93.184.215.14	A (IP address)	IN (0x0001)	false
Oct 25, 2024 13:50:07.703035116 CEST	1.1.1.1	192.168.2.5	0xe96e	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 13:50:07.703035116 CEST	1.1.1.1	192.168.2.5	0xe96e	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 25, 2024 13:50:09.803798914 CEST	1.1.1.1	192.168.2.5	0xdb13	No error (0)	firefox.settings.services.mozilla.com	prod.remote-settings.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 13:50:09.803798914 CEST	1.1.1.1	192.168.2.5	0xdb13	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Oct 25, 2024 13:50:09.803956985 CEST	1.1.1.1	192.168.2.5	0x13dd	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 25, 2024 13:50:09.804231882 CEST	1.1.1.1	192.168.2.5	0xc0be	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 25, 2024 13:50:09.804280996 CEST	1.1.1.1	192.168.2.5	0xbb0e	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 13:50:09.804280996 CEST	1.1.1.1	192.168.2.5	0xbb0e	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 25, 2024 13:50:09.804388046 CEST	1.1.1.1	192.168.2.5	0xd3c0	No error (0)	shavar.services.mozilla.com	shavar.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 13:50:09.891437054 CEST	1.1.1.1	192.168.2.5	0x1622	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 25, 2024 13:50:09.894198895 CEST	1.1.1.1	192.168.2.5	0x4b6	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 25, 2024 13:50:09.895145893 CEST	1.1.1.1	192.168.2.5	0x3c60	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Oct 25, 2024 13:50:13.802484035 CEST	1.1.1.1	192.168.2.5	0xf0f9	No error (0)	support.mozilla.org	prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 13:50:13.802484035 CEST	1.1.1.1	192.168.2.5	0xf0f9	No error (0)	prod.sumo.prod.webservices.mozgcp.net	us-west1.prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 13:50:13.802484035 CEST	1.1.1.1	192.168.2.5	0xf0f9	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Oct 25, 2024 13:50:13.831094980 CEST	1.1.1.1	192.168.2.5	0xc279	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Oct 25, 2024 13:50:13.866358042 CEST	1.1.1.1	192.168.2.5	0xfe63	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 25, 2024 13:50:15.899321079 CEST	1.1.1.1	192.168.2.5	0x5da0	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 13:50:15.899321079 CEST	1.1.1.1	192.168.2.5	0x5da0	No error (0)	youtube-ui.l.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Oct 25, 2024 13:50:15.899321079 CEST	1.1.1.1	192.168.2.5	0x5da0	No error (0)	youtube-ui.l.google.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Oct 25, 2024 13:50:15.899321079 CEST	1.1.1.1	192.168.2.5	0x5da0	No error (0)	youtube-ui.l.google.com		172.217.18.110	A (IP address)	IN (0x0001)	false
Oct 25, 2024 13:50:15.899321079 CEST	1.1.1.1	192.168.2.5	0x5da0	No error (0)	youtube-ui.l.google.com		216.58.212.174	A (IP address)	IN (0x0001)	false
Oct 25, 2024 13:50:15.899321079 CEST	1.1.1.1	192.168.2.5	0x5da0	No error (0)	youtube-ui.l.google.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Oct 25, 2024 13:50:15.899321079 CEST	1.1.1.1	192.168.2.5	0x5da0	No error (0)	youtube-ui.l.google.com		216.58.206.46	A (IP address)	IN (0x0001)	false
Oct 25, 2024 13:50:15.899321079 CEST	1.1.1.1	192.168.2.5	0x5da0	No error (0)	youtube-ui.l.google.com		142.250.186.46	A (IP address)	IN (0x0001)	false
Oct 25, 2024 13:50:15.899321079 CEST	1.1.1.1	192.168.2.5	0x5da0	No error (0)	youtube-ui.l.google.com		142.250.186.78	A (IP address)	IN (0x0001)	false
Oct 25, 2024 13:50:15.899321079 CEST	1.1.1.1	192.168.2.5	0x5da0	No error (0)	youtube-ui.l.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Oct 25, 2024 13:50:15.899321079 CEST	1.1.1.1	192.168.2.5	0x5da0	No error (0)	youtube-ui.l.google.com		172.217.23.110	A (IP address)	IN (0x0001)	false
Oct 25, 2024 13:50:15.899321079 CEST	1.1.1.1	192.168.2.5	0x5da0	No error (0)	youtube-ui.l.google.com		216.58.206.78	A (IP address)	IN (0x0001)	false
Oct 25, 2024 13:50:15.899321079 CEST	1.1.1.1	192.168.2.5	0x5da0	No error (0)	youtube-ui.l.google.com		172.217.16.142	A (IP address)	IN (0x0001)	false
Oct 25, 2024 13:50:15.899321079 CEST	1.1.1.1	192.168.2.5	0x5da0	No error (0)	youtube-ui.l.google.com		142.250.185.110	A (IP address)	IN (0x0001)	false
Oct 25, 2024 13:50:15.899321079 CEST	1.1.1.1	192.168.2.5	0x5da0	No error (0)	youtube-ui.l.google.com		142.250.185.174	A (IP address)	IN (0x0001)	false
Oct 25, 2024 13:50:15.899321079 CEST	1.1.1.1	192.168.2.5	0x5da0	No error (0)	youtube-ui.l.google.com		142.250.181.238	A (IP address)	IN (0x0001)	false
Oct 25, 2024 13:50:15.899321079 CEST	1.1.1.1	192.168.2.5	0x5da0	No error (0)	youtube-ui.l.google.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Oct 25, 2024 13:50:15.899735928 CEST	1.1.1.1	192.168.2.5	0x3813	No error (0)	www.facebook.com	star-mini.c10r.facebook.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 13:50:15.899735928 CEST	1.1.1.1	192.168.2.5	0x3813	No error (0)	star-mini.c10r.facebook.com		157.240.253.35	A (IP address)	IN (0x0001)	false
Oct 25, 2024 13:50:15.901026964 CEST	1.1.1.1	192.168.2.5	0x6706	No error (0)	www.wikipedia.org	dyna.wikimedia.org		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 13:50:15.901026964 CEST	1.1.1.1	192.168.2.5	0x6706	No error (0)	dyna.wikimedia.org		185.15.59.224	A (IP address)	IN (0x0001)	false
Oct 25, 2024 13:50:16.263267994 CEST	1.1.1.1	192.168.2.5	0x6c74	No error (0)	star-mini.c10r.facebook.com		157.240.0.35	A (IP address)	IN (0x0001)	false
Oct 25, 2024 13:50:16.263751030 CEST	1.1.1.1	192.168.2.5	0xa079	No error (0)	dyna.wikimedia.org		185.15.59.224	A (IP address)	IN (0x0001)	false
Oct 25, 2024 13:50:16.263775110 CEST	1.1.1.1	192.168.2.5	0xf070	No error (0)	youtube-ui.l.google.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Oct 25, 2024 13:50:16.263775110 CEST	1.1.1.1	192.168.2.5	0xf070	No error (0)	youtube-ui.l.google.com		216.58.206.78	A (IP address)	IN (0x0001)	false
Oct 25, 2024 13:50:16.263775110 CEST	1.1.1.1	192.168.2.5	0xf070	No error (0)	youtube-ui.l.google.com		172.217.23.110	A (IP address)	IN (0x0001)	false
Oct 25, 2024 13:50:16.263775110 CEST	1.1.1.1	192.168.2.5	0xf070	No error (0)	youtube-ui.l.google.com		216.58.212.142	A (IP address)	IN (0x0001)	false
Oct 25, 2024 13:50:16.263775110 CEST	1.1.1.1	192.168.2.5	0xf070	No error (0)	youtube-ui.l.google.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Oct 25, 2024 13:50:16.263775110 CEST	1.1.1.1	192.168.2.5	0xf070	No error (0)	youtube-ui.l.google.com		142.250.185.110	A (IP address)	IN (0x0001)	false
Oct 25, 2024 13:50:16.263775110 CEST	1.1.1.1	192.168.2.5	0xf070	No error (0)	youtube-ui.l.google.com		142.250.186.46	A (IP address)	IN (0x0001)	false
Oct 25, 2024 13:50:16.263775110 CEST	1.1.1.1	192.168.2.5	0xf070	No error (0)	youtube-ui.l.google.com		216.58.212.174	A (IP address)	IN (0x0001)	false
Oct 25, 2024 13:50:16.263775110 CEST	1.1.1.1	192.168.2.5	0xf070	No error (0)	youtube-ui.l.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Oct 25, 2024 13:50:16.263775110 CEST	1.1.1.1	192.168.2.5	0xf070	No error (0)	youtube-ui.l.google.com		142.250.186.78	A (IP address)	IN (0x0001)	false
Oct 25, 2024 13:50:16.263775110 CEST	1.1.1.1	192.168.2.5	0xf070	No error (0)	youtube-ui.l.google.com		216.58.206.46	A (IP address)	IN (0x0001)	false
Oct 25, 2024 13:50:16.263775110 CEST	1.1.1.1	192.168.2.5	0xf070	No error (0)	youtube-ui.l.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Oct 25, 2024 13:50:16.263775110 CEST	1.1.1.1	192.168.2.5	0xf070	No error (0)	youtube-ui.l.google.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Oct 25, 2024 13:50:16.263775110 CEST	1.1.1.1	192.168.2.5	0xf070	No error (0)	youtube-ui.l.google.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Oct 25, 2024 13:50:16.263775110 CEST	1.1.1.1	192.168.2.5	0xf070	No error (0)	youtube-ui.l.google.com		142.250.181.238	A (IP address)	IN (0x0001)	false
Oct 25, 2024 13:50:16.263775110 CEST	1.1.1.1	192.168.2.5	0xf070	No error (0)	youtube-ui.l.google.com		142.250.185.174	A (IP address)	IN (0x0001)	false
Oct 25, 2024 13:50:16.272252083 CEST	1.1.1.1	192.168.2.5	0x731b	No error (0)	star-mini.c10r.facebook.com			28	IN (0x0001)	false
Oct 25, 2024 13:50:16.272726059 CEST	1.1.1.1	192.168.2.5	0xd476	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 25, 2024 13:50:16.272726059 CEST	1.1.1.1	192.168.2.5	0xd476	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 25, 2024 13:50:16.272726059 CEST	1.1.1.1	192.168.2.5	0xd476	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 25, 2024 13:50:16.272726059 CEST	1.1.1.1	192.168.2.5	0xd476	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 25, 2024 13:50:16.273125887 CEST	1.1.1.1	192.168.2.5	0x18de	No error (0)	dyna.wikimedia.org			28	IN (0x0001)	false
Oct 25, 2024 13:50:16.283705950 CEST	1.1.1.1	192.168.2.5	0x26d6	No error (0)	www.reddit.com	reddit.map.fastly.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 13:50:16.283705950 CEST	1.1.1.1	192.168.2.5	0x26d6	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Oct 25, 2024 13:50:16.283705950 CEST	1.1.1.1	192.168.2.5	0x26d6	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Oct 25, 2024 13:50:16.283705950 CEST	1.1.1.1	192.168.2.5	0x26d6	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Oct 25, 2024 13:50:16.283705950 CEST	1.1.1.1	192.168.2.5	0x26d6	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Oct 25, 2024 13:50:16.285053015 CEST	1.1.1.1	192.168.2.5	0x946e	No error (0)	twitter.com		104.244.42.129	A (IP address)	IN (0x0001)	false
Oct 25, 2024 13:50:16.291981936 CEST	1.1.1.1	192.168.2.5	0xe779	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Oct 25, 2024 13:50:16.291981936 CEST	1.1.1.1	192.168.2.5	0xe779	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Oct 25, 2024 13:50:16.291981936 CEST	1.1.1.1	192.168.2.5	0xe779	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Oct 25, 2024 13:50:16.291981936 CEST	1.1.1.1	192.168.2.5	0xe779	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Oct 25, 2024 13:50:16.293035984 CEST	1.1.1.1	192.168.2.5	0xe25b	No error (0)	twitter.com		104.244.42.129	A (IP address)	IN (0x0001)	false
Oct 25, 2024 13:50:35.052654982 CEST	1.1.1.1	192.168.2.5	0x10eb	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 13:50:35.052654982 CEST	1.1.1.1	192.168.2.5	0x10eb	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 25, 2024 13:50:35.077007055 CEST	1.1.1.1	192.168.2.5	0xcba7	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Oct 25, 2024 13:50:35.077007055 CEST	1.1.1.1	192.168.2.5	0xcba7	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Oct 25, 2024 13:50:35.077007055 CEST	1.1.1.1	192.168.2.5	0xcba7	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Oct 25, 2024 13:50:35.077007055 CEST	1.1.1.1	192.168.2.5	0xcba7	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Oct 25, 2024 13:50:35.091804981 CEST	1.1.1.1	192.168.2.5	0x55c8	No error (0)	normandy.cdn.mozilla.net	normandy-cdn.services.mozilla.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 13:50:35.091804981 CEST	1.1.1.1	192.168.2.5	0x55c8	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Oct 25, 2024 13:50:35.100214958 CEST	1.1.1.1	192.168.2.5	0x91c7	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Oct 25, 2024 13:50:35.100214958 CEST	1.1.1.1	192.168.2.5	0x91c7	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Oct 25, 2024 13:50:35.100214958 CEST	1.1.1.1	192.168.2.5	0x91c7	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Oct 25, 2024 13:50:35.100214958 CEST	1.1.1.1	192.168.2.5	0x91c7	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Oct 25, 2024 13:50:35.104718924 CEST	1.1.1.1	192.168.2.5	0xa2e1	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Oct 25, 2024 13:50:36.385492086 CEST	1.1.1.1	192.168.2.5	0x5c96	No error (0)	a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com	a17.rackcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 13:50:36.385492086 CEST	1.1.1.1	192.168.2.5	0x5c96	No error (0)	a17.rackcdn.com	a17.rackcdn.com.mdc.edgesuite.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 13:50:55.391562939 CEST	1.1.1.1	192.168.2.5	0xcc85	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 25, 2024 13:50:56.029664040 CEST	1.1.1.1	192.168.2.5	0x756d	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 13:50:56.029664040 CEST	1.1.1.1	192.168.2.5	0x756d	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 25, 2024 13:51:05.795782089 CEST	1.1.1.1	192.168.2.5	0xe54f	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 25, 2024 13:51:06.470423937 CEST	1.1.1.1	192.168.2.5	0x33f4	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 13:51:06.470423937 CEST	1.1.1.1	192.168.2.5	0x33f4	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 25, 2024 13:51:37.146457911 CEST	1.1.1.1	192.168.2.5	0x6e47	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

detectportal.firefox.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49715	34.107.221.82	80	768	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 25, 2024 13:50:06.954994917 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 25, 2024 13:50:07.560718060 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 24 Oct 2024 12:29:54 GMT Age: 84013 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49720	34.107.221.82	80	768	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 25, 2024 13:50:07.710675001 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 25, 2024 13:50:08.306524038 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 24 Oct 2024 14:39:23 GMT Age: 76245 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49725	34.107.221.82	80	768	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 25, 2024 13:50:08.256567955 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 25, 2024 13:50:09.801433086 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 24 Oct 2024 12:29:54 GMT Age: 84014 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 25, 2024 13:50:09.802716970 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 24 Oct 2024 12:29:54 GMT Age: 84014 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 25, 2024 13:50:09.802783012 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 24 Oct 2024 12:29:54 GMT Age: 84014 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 25, 2024 13:50:09.802937031 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 24 Oct 2024 12:29:54 GMT Age: 84014 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 25, 2024 13:50:09.850771904 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 25, 2024 13:50:09.976145029 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 24 Oct 2024 12:29:54 GMT Age: 84015 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 25, 2024 13:50:13.855729103 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 25, 2024 13:50:13.982439041 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 24 Oct 2024 12:29:54 GMT Age: 84019 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 25, 2024 13:50:14.384717941 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 25, 2024 13:50:14.510560989 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 24 Oct 2024 12:29:54 GMT Age: 84020 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 25, 2024 13:50:14.521426916 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 25, 2024 13:50:14.647239923 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 24 Oct 2024 12:29:54 GMT Age: 84020 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 25, 2024 13:50:20.249420881 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 25, 2024 13:50:20.374982119 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 24 Oct 2024 12:29:54 GMT Age: 84026 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 25, 2024 13:50:22.095398903 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 25, 2024 13:50:22.226052999 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 24 Oct 2024 12:29:54 GMT Age: 84028 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 25, 2024 13:50:24.344928980 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 25, 2024 13:50:24.470278025 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 24 Oct 2024 12:29:54 GMT Age: 84030 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 25, 2024 13:50:34.481952906 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 25, 2024 13:50:35.382935047 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 25, 2024 13:50:35.509874105 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 24 Oct 2024 12:29:54 GMT Age: 84041 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 25, 2024 13:50:35.720021963 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 25, 2024 13:50:35.845868111 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 24 Oct 2024 12:29:54 GMT Age: 84041 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 25, 2024 13:50:36.370548964 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 25, 2024 13:50:36.497056961 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 24 Oct 2024 12:29:54 GMT Age: 84042 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 25, 2024 13:50:46.501219034 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 25, 2024 13:50:56.021764040 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 25, 2024 13:50:56.147711992 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 24 Oct 2024 12:29:54 GMT Age: 84062 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 25, 2024 13:51:06.174088955 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 25, 2024 13:51:06.462945938 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 25, 2024 13:51:06.588743925 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 24 Oct 2024 12:29:54 GMT Age: 84072 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 25, 2024 13:51:16.589399099 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 25, 2024 13:51:26.603071928 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 25, 2024 13:51:36.617203951 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 25, 2024 13:51:37.775737047 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 25, 2024 13:51:37.901633024 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 24 Oct 2024 12:29:54 GMT Age: 84103 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 25, 2024 13:51:47.912158012 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 25, 2024 13:51:57.924854040 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 25, 2024 13:52:07.952101946 CEST	6	OUT	Data Raw: 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49726	34.107.221.82	80	768	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 25, 2024 13:50:09.838479042 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 25, 2024 13:50:10.457397938 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 24 Oct 2024 14:39:23 GMT Age: 76247 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 25, 2024 13:50:13.795726061 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 25, 2024 13:50:13.925431967 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 24 Oct 2024 14:39:23 GMT Age: 76250 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 25, 2024 13:50:13.986176014 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 25, 2024 13:50:14.116405964 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 24 Oct 2024 14:39:23 GMT Age: 76251 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 25, 2024 13:50:14.515800953 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 25, 2024 13:50:14.645785093 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 24 Oct 2024 14:39:23 GMT Age: 76251 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 25, 2024 13:50:14.650608063 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 25, 2024 13:50:14.780311108 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 24 Oct 2024 14:39:23 GMT Age: 76251 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 25, 2024 13:50:21.212132931 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 25, 2024 13:50:21.341784954 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 24 Oct 2024 14:39:23 GMT Age: 76258 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 25, 2024 13:50:22.291663885 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 25, 2024 13:50:22.421153069 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 24 Oct 2024 14:39:23 GMT Age: 76259 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 25, 2024 13:50:25.424180031 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 25, 2024 13:50:25.554053068 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 24 Oct 2024 14:39:23 GMT Age: 76262 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 25, 2024 13:50:35.512813091 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 25, 2024 13:50:35.643007040 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 24 Oct 2024 14:39:23 GMT Age: 76272 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 25, 2024 13:50:35.850311041 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 25, 2024 13:50:35.980700970 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 24 Oct 2024 14:39:23 GMT Age: 76272 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 25, 2024 13:50:36.500180960 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 25, 2024 13:50:36.630074024 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 24 Oct 2024 14:39:23 GMT Age: 76273 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 25, 2024 13:50:46.632910967 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 25, 2024 13:50:56.164285898 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 25, 2024 13:50:56.294116974 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 24 Oct 2024 14:39:23 GMT Age: 76293 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 25, 2024 13:51:06.312357903 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 25, 2024 13:51:06.616822958 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 25, 2024 13:51:06.747021914 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 24 Oct 2024 14:39:23 GMT Age: 76303 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 25, 2024 13:51:16.758860111 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 25, 2024 13:51:26.772568941 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 25, 2024 13:51:36.780163050 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 25, 2024 13:51:37.905648947 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 25, 2024 13:51:38.036195040 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 24 Oct 2024 14:39:23 GMT Age: 76334 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 25, 2024 13:51:48.050246954 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 25, 2024 13:51:58.063083887 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 25, 2024 13:52:08.083865881 CEST	6	OUT	Data Raw: 00 Data Ascii:

Target ID:	0
Start time:	07:50:00
Start date:	25/10/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x930000
File size:	919'552 bytes
MD5 hash:	E2E50901CA2C794CB21BC264F810225D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialFlusher, Description: Yara detected Credential Flusher, Source: 00000000.00000003.2133850199.00000000013AF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialFlusher, Description: Yara detected Credential Flusher, Source: 00000000.00000003.2134126493.00000000013B6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	07:50:00
Start date:	25/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM firefox.exe /T
Imagebase:	0xfe0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	07:50:00
Start date:	25/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	07:50:02
Start date:	25/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM chrome.exe /T
Imagebase:	0xfe0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	07:50:02
Start date:	25/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	07:50:02
Start date:	25/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM msedge.exe /T
Imagebase:	0xfe0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	07:50:02
Start date:	25/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	07:50:02
Start date:	25/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM opera.exe /T
Imagebase:	0xfe0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	07:50:02
Start date:	25/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	07:50:03
Start date:	25/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM brave.exe /T
Imagebase:	0xfe0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	07:50:03
Start date:	25/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	07:50:03
Start date:	25/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	07:50:03
Start date:	25/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	07:50:03
Start date:	25/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	07:50:04
Start date:	25/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2192 -parentBuildID 20230927232528 -prefsHandle 2124 -prefMapHandle 2120 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bb573d6b-3cc0-446c-a205-dc8b324aeea6} 768 "\\.\pipe\gecko-crash-server-pipe.768" 2166b66fb10 socket
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	07:50:05
Start date:	25/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1816 -parentBuildID 20230927232528 -prefsHandle 3972 -prefMapHandle 4124 -prefsLen 26338 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c7a6247a-fa7b-4532-9435-f40874f1d950} 768 "\\.\pipe\gecko-crash-server-pipe.768" 2167dadc510 rdd
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	18
Start time:	07:50:08
Start date:	25/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4756 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 4840 -prefMapHandle 4744 -prefsLen 33119 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6871b4da-64c6-482a-a921-42f46f1556ab} 768 "\\.\pipe\gecko-crash-server-pipe.768" 2167d5c1f10 utility
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.5%
Total number of Nodes:	1607
Total number of Limit Nodes:	57

Executed Functions

Function 009342DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 0093430D

Part of subcall function 00936B57: _wcslen.LIBCMT ref: 00936B6A

GetCurrentProcess.KERNEL32(?,009CCB64,00000000,?,?), ref: 00934422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00934429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00934454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00934466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00934474
FreeLibrary.KERNEL32(00000000,?,?), ref: 0093447B
GetSystemInfo.KERNEL32(?,?,?), ref: 009344A0

Strings

GetNativeSystemInfo, xrefs: 00934460
|O, xrefs: 009736F8
kernel32.dll, xrefs: 0093444F

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: b6b3432ff1a00773be336ba11866528ba4552a561dd78a75a39a9715be32d26a
Instruction ID: b7ca3779e47c20b991f89c59025a36eff7bdd876b050781650df36026e096dec
Opcode Fuzzy Hash: b6b3432ff1a00773be336ba11866528ba4552a561dd78a75a39a9715be32d26a
Instruction Fuzzy Hash: 9FA1B66291E2C8DFC795C7E97C856D57FE87B26300F0898A9E0459BA32D2245907EF23

Function 009342A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,009350AA,?,?,00000000,00000000), ref: 009342B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,009350AA,?,?,00000000,00000000), ref: 009342C9
LoadResource.KERNEL32(?,00000000,?,?,009350AA,?,?,00000000,00000000,?,?,?,?,?,?,00934F20), ref: 009735BE
SizeofResource.KERNEL32(?,00000000,?,?,009350AA,?,?,00000000,00000000,?,?,?,?,?,?,00934F20), ref: 009735D3
LockResource.KERNEL32(009350AA,?,?,009350AA,?,?,00000000,00000000,?,?,?,?,?,?,00934F20,?), ref: 009735E6

Strings

SCRIPT, xrefs: 009342BF

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 2f221e9e43f6ff91a049390f60fdb07d746e74eb68c770a0604f5cc7b60bae43
Instruction ID: e05f1567cfb775a32bf47a41f67b14aeaddb1984e8ea519ed3545139843fd1bb
Opcode Fuzzy Hash: 2f221e9e43f6ff91a049390f60fdb07d746e74eb68c770a0604f5cc7b60bae43
Instruction Fuzzy Hash: 93117CB1600700BFD7218BA6DC48F277BBDEBCAB51F158169F42A96690DB71EC009A20

Function 00972BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00932B6B

Part of subcall function 00933A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00A01418,?,00932E7F,?,?,?,00000000), ref: 00933A78

Part of subcall function 00939CB3: _wcslen.LIBCMT ref: 00939CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,009F2224), ref: 00972C10
ShellExecuteW.SHELL32(00000000,?,?,009F2224), ref: 00972C17

Strings

runas, xrefs: 00972C0B

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: caa1d74e2343a043840dba68fc964f699bc823a621d5a163072c91d7dc51bff7
Instruction ID: 1cb398253d25649e4b12011242806a9d8947b166b0fe3d59383f615b6049b201
Opcode Fuzzy Hash: caa1d74e2343a043840dba68fc964f699bc823a621d5a163072c91d7dc51bff7
Instruction Fuzzy Hash: AE11B6716483456AC718FF70E851FBEBBA8AFD2350F44942DF186520A2DF718A4ADF12

Function 0099D4DC Relevance: 6.1, APIs: 4, Instructions: 86
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0099D501
Process32FirstW.KERNEL32(00000000,?), ref: 0099D50F
Process32NextW.KERNEL32(00000000,?), ref: 0099D52F
CloseHandle.KERNELBASE(00000000), ref: 0099D5DC

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 7c617d693f54af0d61c810c3cd5acb06f65e7a31fa78cbb1195c57a5fc887644
Instruction ID: bf215d67f2a2a33289b61d49401e18ded50b03030c06668e1c977b4fc5e138f0
Opcode Fuzzy Hash: 7c617d693f54af0d61c810c3cd5acb06f65e7a31fa78cbb1195c57a5fc887644
Instruction Fuzzy Hash: BB318D711083009FD700EF64C881BAFBBE8EFD9354F14092DF585861A1EB71A949CB93

Function 0099DBBE Relevance: 6.0, APIs: 4, Instructions: 29
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(?,00975222), ref: 0099DBCE
GetFileAttributesW.KERNELBASE(?), ref: 0099DBDD
FindFirstFileW.KERNEL32(?,?), ref: 0099DBEE
FindClose.KERNEL32(00000000), ref: 0099DBFA

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 8e8bfcd64e1f34fbdef29597c4512724505e87bf6d3ab28c2dd50a132e361162
Instruction ID: ada4b984e905960c9a0414b3bdad38bf6ee3244e2dcdecd2d929b4568b33221e
Opcode Fuzzy Hash: 8e8bfcd64e1f34fbdef29597c4512724505e87bf6d3ab28c2dd50a132e361162
Instruction Fuzzy Hash: 72F0A0B0829910578A206B7CEC4D8AA7B6C9E01334B544702F8BAC20E0FBB0995596D5

Function 00954CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(009628E9,?,00954CBE,009628E9,009F88B8,0000000C,00954E15,009628E9,00000002,00000000,?,009628E9), ref: 00954D09
TerminateProcess.KERNEL32(00000000,?,00954CBE,009628E9,009F88B8,0000000C,00954E15,009628E9,00000002,00000000,?,009628E9), ref: 00954D10
ExitProcess.KERNEL32 ref: 00954D22

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: bcf16210215b68b9a0239b82b8d79719f647b6d6d5390449318ca84bd1cd9ebe
Instruction ID: 2dfcd977253a188fb0e706c099f251293188b20840762fea3a949899b6675ea9
Opcode Fuzzy Hash: bcf16210215b68b9a0239b82b8d79719f647b6d6d5390449318ca84bd1cd9ebe
Instruction Fuzzy Hash: A3E0B671814148ABCF51AF55EE0AE583F79FB81786F148018FC098B162CB36ED86DB90

Function 009BAFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 009BB198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 009BB1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 009BB1D4
_wcslen.LIBCMT ref: 009BB200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 009BB214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 009BB236
_wcslen.LIBCMT ref: 009BB332

Part of subcall function 009A05A7: GetStdHandle.KERNEL32(000000F6), ref: 009A05C6

_wcslen.LIBCMT ref: 009BB34B
_wcslen.LIBCMT ref: 009BB366
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 009BB3B6
GetLastError.KERNEL32(00000000), ref: 009BB407
CloseHandle.KERNEL32(?), ref: 009BB439
CloseHandle.KERNEL32(00000000), ref: 009BB44A
CloseHandle.KERNEL32(00000000), ref: 009BB45C
CloseHandle.KERNEL32(00000000), ref: 009BB46E
CloseHandle.KERNEL32(?), ref: 009BB4E3

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 14e088f01489e4dcb1c1c68aaaed03a623b759444befb348c6d5f72544d5d697
Instruction ID: 8a409974be5944b50e52df11087d2962b33cf2ffd9362017fbd86f189d2c3443
Opcode Fuzzy Hash: 14e088f01489e4dcb1c1c68aaaed03a623b759444befb348c6d5f72544d5d697
Instruction Fuzzy Hash: 0DF19C715083009FC724EF24C991B6EBBE5AFC5724F14895DF8998B2A2DB71EC44CB52

Function 0093D730 Relevance: 21.6, APIs: 14, Instructions: 619windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 0093D807
timeGetTime.WINMM ref: 0093DA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0093DB28
TranslateMessage.USER32(?), ref: 0093DB7B
DispatchMessageW.USER32(?), ref: 0093DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0093DB9F
Sleep.KERNELBASE(0000000A), ref: 0093DBB1

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 711d22b31b3d140c6ec6ddc88ac5690eb8eb883761a8d9c1565a30a26719f3c4
Instruction ID: ba9c3baed57eb96c3ee058527375fafea745ae4cd85f0e1d9fbc8bd00daabd28
Opcode Fuzzy Hash: 711d22b31b3d140c6ec6ddc88ac5690eb8eb883761a8d9c1565a30a26719f3c4
Instruction Fuzzy Hash: 7842E07060A341DFD728DF24D8A4BAAB7E8BF86304F14895DE49687391D774E845CF82

Function 00932CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00932D07
RegisterClassExW.USER32(00000030), ref: 00932D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00932D42
InitCommonControlsEx.COMCTL32(?), ref: 00932D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00932D6F
LoadIconW.USER32(000000A9), ref: 00932D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00932D94

Strings

+, xrefs: 00932CF0
AutoIt v3 GUI, xrefs: 00932D23
TaskbarCreated, xrefs: 00932D37
0, xrefs: 00932CE9

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: cf63a9704118d0a294b4e5d007404123e4ac0dbbd55d7dd213a404bfac628bb5
Instruction ID: fd673590ddc436c9c6bbf5a9d47c18ece99b6ac94484dbbff5380d0b4bdf6e6a
Opcode Fuzzy Hash: cf63a9704118d0a294b4e5d007404123e4ac0dbbd55d7dd213a404bfac628bb5
Instruction Fuzzy Hash: 7021AEB5D15318AFDB00DFE4E889BDDBFB4FB08744F00811AE615A62A0D7B146469F91

Function 0097065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0097039A: CreateFileW.KERNELBASE(00000000,00000000,?,00970704,?,?,00000000,?,00970704,00000000,0000000C), ref: 009703B7

GetLastError.KERNEL32 ref: 0097076F
__dosmaperr.LIBCMT ref: 00970776
GetFileType.KERNELBASE(00000000), ref: 00970782
GetLastError.KERNEL32 ref: 0097078C
__dosmaperr.LIBCMT ref: 00970795
CloseHandle.KERNEL32(00000000), ref: 009707B5
CloseHandle.KERNEL32(?), ref: 009708FF
GetLastError.KERNEL32 ref: 00970931
__dosmaperr.LIBCMT ref: 00970938

Strings

H, xrefs: 009708BD

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 46804ff9d4e1721b0cc7b9dcc436e71b76c9a08ab564dc3b8402b187726ddd55
Instruction ID: 2bfdf69c84b4cc14cc2b0733e58c75540b54d918a00085bcfec2a24e73786df5
Opcode Fuzzy Hash: 46804ff9d4e1721b0cc7b9dcc436e71b76c9a08ab564dc3b8402b187726ddd55
Instruction Fuzzy Hash: 49A13533A14149CFDF19EF68DC61BAE3BA4AB86320F14815DF8199B291CB319813DB91

Function 0093344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00933A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00A01418,?,00932E7F,?,?,?,00000000), ref: 00933A78

Part of subcall function 00933357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00933379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 0093356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0097318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 009731CE
RegCloseKey.ADVAPI32(?), ref: 00973210
_wcslen.LIBCMT ref: 00973277
_wcslen.LIBCMT ref: 00973286

Strings

Software\AutoIt v3\AutoIt, xrefs: 00933560
\, xrefs: 0097328C
\Include\, xrefs: 00933527
Include, xrefs: 00973184, 009731C5

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: ddbda5c325b3e5d2dd301c19148a9b9659f85fba78266e8d79122bb0c36fd335
Instruction ID: 7d49a89eabf4528a7c352202e8176fbedcec56fe32e8530643a55d9e6a75b6c1
Opcode Fuzzy Hash: ddbda5c325b3e5d2dd301c19148a9b9659f85fba78266e8d79122bb0c36fd335
Instruction Fuzzy Hash: 6C71A1714083059EC314DFA5EC96A5BBBE8FFD4340F40882EF5899B1A1DB749A4ACB52

Function 00932B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00932B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00932B9D
LoadIconW.USER32(00000063), ref: 00932BB3
LoadIconW.USER32(000000A4), ref: 00932BC5
LoadIconW.USER32(000000A2), ref: 00932BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00932BEF
RegisterClassExW.USER32(?), ref: 00932C40

Part of subcall function 00932CD4: GetSysColorBrush.USER32(0000000F), ref: 00932D07
Part of subcall function 00932CD4: RegisterClassExW.USER32(00000030), ref: 00932D31
Part of subcall function 00932CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00932D42
Part of subcall function 00932CD4: InitCommonControlsEx.COMCTL32(?), ref: 00932D5F
Part of subcall function 00932CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00932D6F
Part of subcall function 00932CD4: LoadIconW.USER32(000000A9), ref: 00932D85
Part of subcall function 00932CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00932D94

Strings

0, xrefs: 00932C0F
AutoIt v3, xrefs: 00932C2F
#, xrefs: 00932C16

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 5f3c31c804ab0cb44d38d4f60318ee8c3b9ad79bb9951262376694448b852a2f
Instruction ID: daa45c22ce0b1e8ce566b90fe141a293d85065c65ee625d47d1400e8b7c875ac
Opcode Fuzzy Hash: 5f3c31c804ab0cb44d38d4f60318ee8c3b9ad79bb9951262376694448b852a2f
Instruction Fuzzy Hash: F82125B0E10318ABDB50DFE5EC59EE97FF4FB48B54F04001AF504AA6A0D3B106429F91

Function 00933170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,0093316A,?,?), ref: 009331D8
KillTimer.USER32(?,00000001,?,?,?,?,?,0093316A,?,?), ref: 00933204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00933227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,0093316A,?,?), ref: 00933232
CreatePopupMenu.USER32 ref: 00933246
PostQuitMessage.USER32(00000000), ref: 00933267

Strings

TaskbarCreated, xrefs: 0093322D

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 5953430555026f321cb240b1d251c8b1231ee3f8f5198677073c107ddf72f3be
Instruction ID: 31f41875d8289dce0dbda389e317fdf4b845801b35b32baadd140fab31f15731
Opcode Fuzzy Hash: 5953430555026f321cb240b1d251c8b1231ee3f8f5198677073c107ddf72f3be
Instruction Fuzzy Hash: 14417D756D8208ABDF145BBCDC0DBBA3A1DEB45340F04C125F51A861E1D7798E429F61

Function 00931410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00931459
CoUninitialize.COMBASE ref: 009314F8
UnregisterHotKey.USER32(?), ref: 009316DD
DestroyWindow.USER32(?), ref: 009724B9
FreeLibrary.KERNEL32(?), ref: 0097251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0097254B

Strings

close all, xrefs: 00931454

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: ac50cd35c2b4c785c7ec4c2316f488f0d377f8b8a9322d9c6bcaaee0263f3917
Instruction ID: cb3c756552802d344b509b04a9cd9c316abfc1c2ef3e64e6e046961808378192
Opcode Fuzzy Hash: ac50cd35c2b4c785c7ec4c2316f488f0d377f8b8a9322d9c6bcaaee0263f3917
Instruction Fuzzy Hash: 2FD15B72711212CFCB29EF55C899F29F7A4BF45700F1482AEE44AAB261DB31AD12CF51

Function 00932C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00932C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00932CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00931CAD,?), ref: 00932CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00931CAD,?), ref: 00932CCF

Strings

AutoIt v3, xrefs: 00932C89, 00932C8E, 00932C8F
edit, xrefs: 00932CAC

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 56be1a94e37840e7a7629b285f7a86685e568c276673c33c53e6bd86776ae3d6
Instruction ID: d44e11aae17a94f20e9701a8e67ce361d78ba172403af32d28ddd2fd4942aecb
Opcode Fuzzy Hash: 56be1a94e37840e7a7629b285f7a86685e568c276673c33c53e6bd86776ae3d6
Instruction Fuzzy Hash: 2EF0DAB99403987AEB715757AC0CEB72EBDD7C6F50B00105EF904AA5A0C6711853DAB2

Function 00933B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00933B0F,SwapMouseButtons,00000004,?), ref: 00933B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00933B0F,SwapMouseButtons,00000004,?), ref: 00933B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00933B0F,SwapMouseButtons,00000004,?), ref: 00933B83

Strings

Control Panel\Mouse, xrefs: 00933B3E

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: e9beb4bd48c9e20eba7aebe0e9de328513f0507b39a1304888a682ea1d791739
Instruction ID: 6ee2d2377a4f2d9213431838c9493d12747995d7ba0129210f18743cd7fea92a
Opcode Fuzzy Hash: e9beb4bd48c9e20eba7aebe0e9de328513f0507b39a1304888a682ea1d791739
Instruction Fuzzy Hash: BB112AB5560208FFDB20CFA5DC44EBEBBBDEF05744F108959E805D7110D2319E40AB60

Function 00933923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 009733A2

Part of subcall function 00936B57: _wcslen.LIBCMT ref: 00936B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00933A04

Strings

Line: , xrefs: 009733EB

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 8aafdab4c5a84cc4d8565c1938975ee2bc70fbb25126196e6a9311a3e4d8e91f
Instruction ID: 469bc914e6a03540bcd8af6e7697d18579bbfe64134e439787a9cdf763ae602b
Opcode Fuzzy Hash: 8aafdab4c5a84cc4d8565c1938975ee2bc70fbb25126196e6a9311a3e4d8e91f
Instruction Fuzzy Hash: F331D271448304EAD325EB60DC45BEBB7ECAB80714F00C92EF59983191EB749A4ACBC3

Function 0094FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00950668

Part of subcall function 009532A4: RaiseException.KERNEL32(?,?,?,0095068A,?,00A01444,?,?,?,?,?,?,0095068A,00931129,009F8738,00931129), ref: 00953304

__CxxThrowException@8.LIBVCRUNTIME ref: 00950685

Strings

Unknown exception, xrefs: 00950692

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: b1aa7b6035881cd0958c47f4984aa3fc4ba8034a6f8c56becd71c78f8c38c095
Instruction ID: f90d8feec442bd4d9e1c6da36fbc9708e355f9d1dca4f9cea85151d4de00c399
Opcode Fuzzy Hash: b1aa7b6035881cd0958c47f4984aa3fc4ba8034a6f8c56becd71c78f8c38c095
Instruction Fuzzy Hash: E1F0FF2090020E638B00FAA6D85AE9E776C5EC0341B604530BD24828D1EF71DA6EC780

Function 009310F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00931BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00931BF4
Part of subcall function 00931BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00931BFC
Part of subcall function 00931BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00931C07
Part of subcall function 00931BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00931C12
Part of subcall function 00931BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00931C1A
Part of subcall function 00931BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00931C22

Part of subcall function 00931B4A: RegisterWindowMessageW.USER32(00000004,?,009312C4), ref: 00931BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0093136A
OleInitialize.OLE32 ref: 00931388
CloseHandle.KERNEL32(00000000,00000000), ref: 009724AB

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 14639b9ac14f393248276e52236fb7e3001630d44cf85116bc3ae06960ae14a9
Instruction ID: eef676b387e8d7fbc253db0a7e676eadfc83250a18693a6ddf26456d9b40b8ec
Opcode Fuzzy Hash: 14639b9ac14f393248276e52236fb7e3001630d44cf85116bc3ae06960ae14a9
Instruction Fuzzy Hash: 597198B4D113088FC384EFB9AD95AD53AE4FB88344B54822EE04ADB2B1EB316547CF55

Function 0099C161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00933923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00933A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0099C259
KillTimer.USER32(?,00000001,?,?), ref: 0099C261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0099C270

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: 2e6b530464f8786eb418c82496d40e5f8e6e44ad00bce63c1b8ddf4827b5f6a5
Instruction ID: 54cebe066267240f8e1a5237f113c8b9588ea0982bde37c0ca67cf9b648082a7
Opcode Fuzzy Hash: 2e6b530464f8786eb418c82496d40e5f8e6e44ad00bce63c1b8ddf4827b5f6a5
Instruction Fuzzy Hash: 033195B0904344AFEF32DF688C55BEBBBEC9B06704F00449AD5EE97241C7746A85CB51

Function 009686AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,009685CC,?,009F8CC8,0000000C), ref: 00968704
GetLastError.KERNEL32(?,009685CC,?,009F8CC8,0000000C), ref: 0096870E
__dosmaperr.LIBCMT ref: 00968739

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: faa7fdf68b5a132febad16b44e7d4debe2fe7fa8b4edc772938a657ca1ce44fd
Instruction ID: 4ae727452f5b080d6018cec4d04f19efaaab25e4d50767261779225b7fae5a58
Opcode Fuzzy Hash: faa7fdf68b5a132febad16b44e7d4debe2fe7fa8b4edc772938a657ca1ce44fd
Instruction Fuzzy Hash: DA016D33A0566066D634A334E849F7F6B4D4BC2B74F3A0319F9188B2D2DEB1CC829290

Function 0093DB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 0093DB7B
DispatchMessageW.USER32(?), ref: 0093DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0093DB9F
Sleep.KERNELBASE(0000000A), ref: 0093DBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 00981CC9

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: c14d32f57cca41336956a9e7beef11f0ebbe30669b2870e36dcd6bca7f67d726
Instruction ID: 8d0e6720def3596d9b5eb8d38d580c272685ab4fb751d0797faf12bb9d63f4af
Opcode Fuzzy Hash: c14d32f57cca41336956a9e7beef11f0ebbe30669b2870e36dcd6bca7f67d726
Instruction Fuzzy Hash: D3F05E70A493849BE730DBA0DC99FEA77BCEB84310F104918F64A830C0DB30A5499F25

Function 00941310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 009417F6

Strings

CALL, xrefs: 009417C6

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: ff57507acce59cb284f4d03f078c6c8563aa75c0c31b736ed6e845e129b8c0e4
Instruction ID: 101623d3650860205336a728897fa1753b423e47a38b73eb74bcfcd6924ae57f
Opcode Fuzzy Hash: ff57507acce59cb284f4d03f078c6c8563aa75c0c31b736ed6e845e129b8c0e4
Instruction Fuzzy Hash: 9B2268706083019FC714DF24C894F2ABBE5BF89314F24895DF49A8B3A2D775E985CB92

Function 00932DE3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00972C8C

Part of subcall function 00933AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00933A97,?,?,00932E7F,?,?,?,00000000), ref: 00933AC2

Part of subcall function 00932DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00932DC4

Strings

X, xrefs: 00972C5A

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: e54a4ce3483eebe4335bfaa01f0a7076c1188896ba2c0fb81f71f6142fedf9bc
Instruction ID: 11f1ca14f8e54ba2c1804bf3cc0b2faa1ec52731ed24a8035927ebb655eeb2a5
Opcode Fuzzy Hash: e54a4ce3483eebe4335bfaa01f0a7076c1188896ba2c0fb81f71f6142fedf9bc
Instruction Fuzzy Hash: 2821A571A1025C9FCF11EF94C849BEE7BFCAF89704F008059E549B7241DBB85A498FA1

Function 00933837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00933908

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 87ba0f46ec1d7c336858e22f5b21f34f9354ba69baa7b2e04b168cb61b2bd6ae
Instruction ID: fcf80e39b46c6ed221e8cace106d415c08c1c2f75d8e8e6b944987487bf31128
Opcode Fuzzy Hash: 87ba0f46ec1d7c336858e22f5b21f34f9354ba69baa7b2e04b168cb61b2bd6ae
Instruction Fuzzy Hash: A9318EB0904301DFD760DF64D884B97BBE8FB49709F00492EF59987290E771AA45CB92

Function 0094F645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0094F661

Part of subcall function 0093D730: GetInputState.USER32 ref: 0093D807

Sleep.KERNEL32(00000000), ref: 0098F2DE

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: 6ffcccc42334a3f9cd4a52bf7baf7f83d4bf0318976a3caca48465ea89f584ec
Instruction ID: 835cd3de61dd382eff09ae23f599100d373c8dcac9ff8005c9d62999661be56f
Opcode Fuzzy Hash: 6ffcccc42334a3f9cd4a52bf7baf7f83d4bf0318976a3caca48465ea89f584ec
Instruction Fuzzy Hash: FDF01C716446059FD314EF69D459F6ABBE8EF85761F004029F95EC7361DB70A800CF91

Function 0093B710 Relevance: 2.1, APIs: 1, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0093BB4E

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID:
API String ID: 1385522511-0
Opcode ID: 606ba692c8f14a33eea6b3c3728dbb959473e05a20c048c9bda09a229b296af5
Instruction ID: 89d2b28b2f6b648bbc749d740bd7dd1c464062120d72e69b07a5ab8491b41b9b
Opcode Fuzzy Hash: 606ba692c8f14a33eea6b3c3728dbb959473e05a20c048c9bda09a229b296af5
Instruction Fuzzy Hash: 7D32AD35A00209DFDB24DF54C898BBEB7B9EF84314F14805AEA15AB391C778AD46CF91

Function 00934ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00934E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00934EDD,?,00A01418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00934E9C
Part of subcall function 00934E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00934EAE
Part of subcall function 00934E90: FreeLibrary.KERNEL32(00000000,?,?,00934EDD,?,00A01418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00934EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00A01418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00934EFD

Part of subcall function 00934E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00973CDE,?,00A01418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00934E62
Part of subcall function 00934E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00934E74
Part of subcall function 00934E59: FreeLibrary.KERNEL32(00000000,?,?,00973CDE,?,00A01418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00934E87

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 7137bdaef0dec3a059252842f71625feab7e7e937d24008e287e50ff7390c61b
Instruction ID: 3997cdd69cac1729e7db7dfe3d7c3a6404ff31cd22f97d62af66aaba2352a8fb
Opcode Fuzzy Hash: 7137bdaef0dec3a059252842f71625feab7e7e937d24008e287e50ff7390c61b
Instruction Fuzzy Hash: 8D112332600205AACF24EB64DC02FAD77A5AF80B10F15842DF446A61C1EE74EE05AF50

Function 00968402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00968440

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 067e6f725f5eb6d5fadf9fcd0da3c11812ae09092af84a7c08cc8e77a311296f
Instruction ID: 395de02f56d6b4f860f8db759edda963c4aef87dd5f93870da399ea5dd918b60
Opcode Fuzzy Hash: 067e6f725f5eb6d5fadf9fcd0da3c11812ae09092af84a7c08cc8e77a311296f
Instruction Fuzzy Hash: 7011187590410AAFCB05DF58E941A9B7BF9EF49314F114199F808AB312DA31DA11CBA5

Function 00965000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00964C7D: RtlAllocateHeap.NTDLL(00000008,00931129,00000000,?,00962E29,00000001,00000364,?,?,?,0095F2DE,00963863,00A01444,?,0094FDF5,?), ref: 00964CBE

_free.LIBCMT ref: 0096506C

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: c8576dc8c032208d0064debafd0d5ba52f616d5a390ea7c6be0b8cab0278578c
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: 7E0126722047056BE3218F65D881A9AFBECFBC9370F26051DE18893280EA30A805C6B4

Function 0095E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 92e012a2dcd6a50b176792bf70109100d78ca02c84521e8075b080f28d5acdb2
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: 20F04432502A109AC735BB6B9C05B5B338D8FD23B3F100B15FC20921C2CB75E90A87A5

Function 00964C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00931129,00000000,?,00962E29,00000001,00000364,?,?,?,0095F2DE,00963863,00A01444,?,0094FDF5,?), ref: 00964CBE

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: b2d0199680c83276b312c6cf9aa97916aae39b659c43638a2e4ac3af2f0495d0
Instruction ID: 1fde7bfb4944483c5b3d37bbe1393d22c7155feacdfbe49f81040ea0e80e7b34
Opcode Fuzzy Hash: b2d0199680c83276b312c6cf9aa97916aae39b659c43638a2e4ac3af2f0495d0
Instruction Fuzzy Hash: CAF0E93164622467DB219FE79C09FDA378CBFC17B1B148111FC9AEA380CA38D80197E0

Function 00963820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00A01444,?,0094FDF5,?,?,0093A976,00000010,00A01440,009313FC,?,009313C6,?,00931129), ref: 00963852

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 446c476f589aab2ea0dc6c14a2800171da6221a35ab6c843ad87045058ee3c57
Instruction ID: 05b80c2317ab226f46f0231990ef0e5615a60132aea312b2dd1919b79ad9a93d
Opcode Fuzzy Hash: 446c476f589aab2ea0dc6c14a2800171da6221a35ab6c843ad87045058ee3c57
Instruction Fuzzy Hash: 02E02231100224AAE7712BB79D05FDB3B5DAF827B1F098020FC1597C81CB20DE0283E1

Function 00934F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00A01418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00934F6D

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: a9915c758ff2bfcea9613ab5ee2fb9702b293a75bb9e83d18138cb7bc7042786
Instruction ID: ed0df4d7705f6d86ff90be4e3c01f316de0fcc26495f1dd88bb0fe1b3688ac73
Opcode Fuzzy Hash: a9915c758ff2bfcea9613ab5ee2fb9702b293a75bb9e83d18138cb7bc7042786
Instruction Fuzzy Hash: 80F03071505751CFDB349F65D490812BBE4EF143197198DBEE1DA82611C735A844DF50

Function 009C2A55 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 009C2A66

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: 8bcb90a4eb46bd06e6c0c887452146d05a557b3e5fafb37fcc6ce91a0619634c
Instruction ID: 1b0a57821160adfca45f33dd11ab66aa4a6e333fc1bc0023591d0b6d97887f8f
Opcode Fuzzy Hash: 8bcb90a4eb46bd06e6c0c887452146d05a557b3e5fafb37fcc6ce91a0619634c
Instruction Fuzzy Hash: CEE02632B58216AADB10EF38DC80FFE734CEF90390B10443AFC1AC2140DB34999192E0

Function 009330F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 0093314E

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: f464345f5581afe5bdf80f2528a551c84ab42ed595304f45f9857dbe9345782e
Instruction ID: c5ee0efac4e1491d75bad1ed6899d728f42fe56355f3ba49752d0ec323029b2d
Opcode Fuzzy Hash: f464345f5581afe5bdf80f2528a551c84ab42ed595304f45f9857dbe9345782e
Instruction Fuzzy Hash: ABF06C709143189FEB92DF64DC497D57BFCA70170CF0040E5A54897191D774578ACF52

Function 00932DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00932DC4

Part of subcall function 00936B57: _wcslen.LIBCMT ref: 00936B6A

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 53e1693b957bb8cbb3c7ae87588f07bc3085178c3428d2cb3b799c7d3049b56e
Instruction ID: 03807be31b97ddb7aea6e139a128b362c7e362b048c8915b37ee1db931aac9b7
Opcode Fuzzy Hash: 53e1693b957bb8cbb3c7ae87588f07bc3085178c3428d2cb3b799c7d3049b56e
Instruction Fuzzy Hash: 39E0CD72A041245BC71092589C05FDA77EDDFC8790F044071FD0DD7248DA60ED808A50

Function 00932B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00933837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00933908

Part of subcall function 0093D730: GetInputState.USER32 ref: 0093D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00932B6B

Part of subcall function 009330F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 0093314E

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: be4c89d479fdf3f679eea40b647d0d30b5276bdec82c83146f0ae351b8ed3225
Instruction ID: 7f5fd2cc97846e36cd9976a28f6ba3a7a1d23542468c774e82ca1b4c0b0a205c
Opcode Fuzzy Hash: be4c89d479fdf3f679eea40b647d0d30b5276bdec82c83146f0ae351b8ed3225
Instruction Fuzzy Hash: 15E0866170424806C608BB74A8527ADA7599BD1351F40553EF146831A2CF6549464A51

Function 0097039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00970704,?,?,00000000,?,00970704,00000000,0000000C), ref: 009703B7

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: ede3a14f233819364df8f2fe7800d5ebda7469636e168ce6fc70d929be628b02
Instruction ID: 1e2084b3caa51ef848e81bd102f651aaaf53d2b982955ffcae933d2052304b86
Opcode Fuzzy Hash: ede3a14f233819364df8f2fe7800d5ebda7469636e168ce6fc70d929be628b02
Instruction Fuzzy Hash: 57D06C3205410DBBDF028F85DD06EDA3FAAFB48714F014000FE1856020C732E821AB90

Function 00931CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00931CBC

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: ec699faecfb7cbb99bf7f04d8cacd9984114ea06baaaa5e597ac59bcf0abdecb
Instruction ID: f32d29b72a6649473ee6f85d1ea61a6bf9d87de64badc0b0486a327e0eea5cd4
Opcode Fuzzy Hash: ec699faecfb7cbb99bf7f04d8cacd9984114ea06baaaa5e597ac59bcf0abdecb
Instruction Fuzzy Hash: D2C092366C4308AFF314CBC0BC4EF507B64A348B04F048001F60DA96E3C3A22823EB55

Non-executed Functions

Function 009C9576 Relevance: 72.4, APIs: 39, Strings: 2, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00949BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00949BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 009C961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 009C965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 009C969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 009C96C9
SendMessageW.USER32 ref: 009C96F2
GetKeyState.USER32(00000011), ref: 009C978B
GetKeyState.USER32(00000009), ref: 009C9798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 009C97AE
GetKeyState.USER32(00000010), ref: 009C97B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 009C97E9
SendMessageW.USER32 ref: 009C9810
SendMessageW.USER32(?,00001030,?,009C7E95), ref: 009C9918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 009C992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 009C9941
SetCapture.USER32(?), ref: 009C994A
ClientToScreen.USER32(?,?), ref: 009C99AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 009C99BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 009C99D6
ReleaseCapture.USER32 ref: 009C99E1
GetCursorPos.USER32(?), ref: 009C9A19
ScreenToClient.USER32(?,?), ref: 009C9A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 009C9A80
SendMessageW.USER32 ref: 009C9AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 009C9AEB
SendMessageW.USER32 ref: 009C9B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 009C9B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 009C9B4A
GetCursorPos.USER32(?), ref: 009C9B68
ScreenToClient.USER32(?,?), ref: 009C9B75
GetParent.USER32(?), ref: 009C9B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 009C9BFA
SendMessageW.USER32 ref: 009C9C2B
ClientToScreen.USER32(?,?), ref: 009C9C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 009C9CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 009C9CDE
SendMessageW.USER32 ref: 009C9D01
ClientToScreen.USER32(?,?), ref: 009C9D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 009C9D82

Part of subcall function 00949944: GetWindowLongW.USER32(?,000000EB), ref: 00949952

GetWindowLongW.USER32(?,000000F0), ref: 009C9E05

Strings

@GUI_DRAGID, xrefs: 009C997D
F, xrefs: 009C9D07

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F
API String ID: 3429851547-4164748364
Opcode ID: 726afd1d48471ea402879f26ebb525bbdee35e7d1b63d45f236d6e0af1d9ef71
Instruction ID: d86a98a3061e2dea8700b2508d09b2444581e39e43ed70b731293cae90947dc1
Opcode Fuzzy Hash: 726afd1d48471ea402879f26ebb525bbdee35e7d1b63d45f236d6e0af1d9ef71
Instruction Fuzzy Hash: 54428B70A08201AFDB24CF64CD48FAABBE9FF88354F100A1DF599872A1D731A951DF52

Function 009C4873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 009C48F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 009C4908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 009C4927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 009C494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 009C495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 009C497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 009C49AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 009C49D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 009C4A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 009C4A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 009C4A7E
IsMenu.USER32(?), ref: 009C4A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 009C4AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 009C4B20
GetWindowLongW.USER32(?,000000F0), ref: 009C4B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 009C4BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 009C4C82
wsprintfW.USER32 ref: 009C4CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 009C4CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 009C4CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 009C4D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 009C4D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 009C4D5A

Strings

%d/%02d/%02d, xrefs: 009C4CA8

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 0695ff8e53c1b902b688bb8a2866d866c5d52ae8336e3ae09d57c64b4687a3f6
Instruction ID: 76b7b827412daa9e8558060ef993e0c5bc704d9c46ed426ac303b2fadc0890f2
Opcode Fuzzy Hash: 0695ff8e53c1b902b688bb8a2866d866c5d52ae8336e3ae09d57c64b4687a3f6
Instruction Fuzzy Hash: 5712FF71A00215ABEB248F28CD69FAE7BF8EF85710F10412DF51AEB2E1DB749941CB51

Function 0094F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 0094F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0098F474
IsIconic.USER32(00000000), ref: 0098F47D
ShowWindow.USER32(00000000,00000009), ref: 0098F48A
SetForegroundWindow.USER32(00000000), ref: 0098F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0098F4AA
GetCurrentThreadId.KERNEL32 ref: 0098F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0098F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 0098F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0098F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0098F4DE
SetForegroundWindow.USER32(00000000), ref: 0098F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 0098F4F6
keybd_event.USER32(00000012,00000000), ref: 0098F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 0098F50B
keybd_event.USER32(00000012,00000000), ref: 0098F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 0098F519
keybd_event.USER32(00000012,00000000), ref: 0098F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 0098F528
keybd_event.USER32(00000012,00000000), ref: 0098F52D
SetForegroundWindow.USER32(00000000), ref: 0098F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 0098F557

Strings

Shell_TrayWnd, xrefs: 0098F46F

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: de411d985b5aa6ec511b55db9ac715a6a86937d12a4bbd952593474d363191e5
Instruction ID: bc54394ddfb2a853650ab3bcd0c7962673455a6addb94fddb1a1f5dc919aaec0
Opcode Fuzzy Hash: de411d985b5aa6ec511b55db9ac715a6a86937d12a4bbd952593474d363191e5
Instruction Fuzzy Hash: A03161B1E54218BBEB206BB55C4AFBF7E6CEB44B50F10042AFA05E61D1C6B45D00BB60

Function 00991201 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 009916C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0099170D
Part of subcall function 009916C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0099173A
Part of subcall function 009916C3: GetLastError.KERNEL32 ref: 0099174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00991286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 009912A8
CloseHandle.KERNEL32(?), ref: 009912B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 009912D1
GetProcessWindowStation.USER32 ref: 009912EA
SetProcessWindowStation.USER32(00000000), ref: 009912F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00991310

Part of subcall function 009910BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,009911FC), ref: 009910D4
Part of subcall function 009910BF: CloseHandle.KERNEL32(?,?,009911FC), ref: 009910E9

Strings

, xrefs: 0099125A
winsta0, xrefs: 009912CC
default, xrefs: 0099130B

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: c6836f0259f42b2762272280345f6eee4e5b20f1053c2e5176906743c9358fd5
Instruction ID: 919d500a3c31dc812ddc4e3d7aaa89f5ef79d5fd64936b6108c304f93c8e7279
Opcode Fuzzy Hash: c6836f0259f42b2762272280345f6eee4e5b20f1053c2e5176906743c9358fd5
Instruction Fuzzy Hash: E4818DB190020AAFEF219FA8DD49FEE7BBDFF48704F144129F915A62A0C7318944DB24

Function 00990B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 009910F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00991114
Part of subcall function 009910F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00990B9B,?,?,?), ref: 00991120
Part of subcall function 009910F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00990B9B,?,?,?), ref: 0099112F
Part of subcall function 009910F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00990B9B,?,?,?), ref: 00991136
Part of subcall function 009910F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0099114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00990BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00990C00
GetLengthSid.ADVAPI32(?), ref: 00990C17
GetAce.ADVAPI32(?,00000000,?), ref: 00990C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00990C6D
GetLengthSid.ADVAPI32(?), ref: 00990C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00990C8C
HeapAlloc.KERNEL32(00000000), ref: 00990C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00990CB4
CopySid.ADVAPI32(00000000), ref: 00990CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00990CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00990D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00990D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00990D45
HeapFree.KERNEL32(00000000), ref: 00990D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00990D55
HeapFree.KERNEL32(00000000), ref: 00990D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00990D65
HeapFree.KERNEL32(00000000), ref: 00990D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00990D78
HeapFree.KERNEL32(00000000), ref: 00990D7F

Part of subcall function 00991193: GetProcessHeap.KERNEL32(00000008,00990BB1,?,00000000,?,00990BB1,?), ref: 009911A1
Part of subcall function 00991193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00990BB1,?), ref: 009911A8
Part of subcall function 00991193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00990BB1,?), ref: 009911B7

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: e48dc554cb2a380d681f65725e7088d4f666919ab9674fd7ea5badf870af6d30
Instruction ID: 6d7bd2ba0049379459605b1f6ab06b4ab934ca0ee9066e1d5bdfde525b3cf2cf
Opcode Fuzzy Hash: e48dc554cb2a380d681f65725e7088d4f666919ab9674fd7ea5badf870af6d30
Instruction Fuzzy Hash: 887159B2D0420AAFDF10DFA9DC45FAEBBBCBF44304F044515E929A7291D771AA05DBA0

Function 009AEAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(009CCC08), ref: 009AEB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 009AEB37
GetClipboardData.USER32(0000000D), ref: 009AEB43
CloseClipboard.USER32 ref: 009AEB4F
GlobalLock.KERNEL32(00000000), ref: 009AEB87
CloseClipboard.USER32 ref: 009AEB91
GlobalUnlock.KERNEL32(00000000), ref: 009AEBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 009AEBC9
GetClipboardData.USER32(00000001), ref: 009AEBD1
GlobalLock.KERNEL32(00000000), ref: 009AEBE2
GlobalUnlock.KERNEL32(00000000), ref: 009AEC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 009AEC38
GetClipboardData.USER32(0000000F), ref: 009AEC44
GlobalLock.KERNEL32(00000000), ref: 009AEC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 009AEC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 009AEC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 009AECD2
GlobalUnlock.KERNEL32(00000000), ref: 009AECF3
CountClipboardFormats.USER32 ref: 009AED14
CloseClipboard.USER32 ref: 009AED59

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 0f24730e453789f766a54c27f4925e1085bfee8f572aa397da1800f9bc3219b2
Instruction ID: 2e6885cc37ab6b0a45c4ecd9658f71aa197f34d7c181b03592a03a5a9134e720
Opcode Fuzzy Hash: 0f24730e453789f766a54c27f4925e1085bfee8f572aa397da1800f9bc3219b2
Instruction Fuzzy Hash: C461D274208302AFD300EF24D989F6ABBE8EF85754F14451DF49A972A1CB71DD06DBA2

Function 009A698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 009A69BE
FindClose.KERNEL32(00000000), ref: 009A6A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 009A6A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 009A6A75

Part of subcall function 00939CB3: _wcslen.LIBCMT ref: 00939CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 009A6AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 009A6ADF

Strings

%4d%02d%02d%02d%02d%02d%03d, xrefs: 009A6B32
%4d%02d%02d%02d%02d%02d, xrefs: 009A6B6A
%03d, xrefs: 009A6DA2
%4d, xrefs: 009A6BB1
%02d, xrefs: 009A6C00, 009A6C0A, 009A6C5A, 009A6CAA, 009A6CFA, 009A6D4A

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: 3817a1aab348145fd14ed9d5318832531ded81afd807356e485cf9bce754b133
Instruction ID: e042788332029ee7fb9b999e77470769321a04111521525ef27fcc0e58e0471f
Opcode Fuzzy Hash: 3817a1aab348145fd14ed9d5318832531ded81afd807356e485cf9bce754b133
Instruction Fuzzy Hash: 97D16EB2508300AFC714EBA4C995FABB7ECAFC9704F44491DF589D6191EB74DA04CBA2

Function 009A9642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 009A9663
GetFileAttributesW.KERNEL32(?), ref: 009A96A1
SetFileAttributesW.KERNEL32(?,?), ref: 009A96BB
FindNextFileW.KERNEL32(00000000,?), ref: 009A96D3
FindClose.KERNEL32(00000000), ref: 009A96DE
FindFirstFileW.KERNEL32(*.*,?), ref: 009A96FA
SetCurrentDirectoryW.KERNEL32(?), ref: 009A974A
SetCurrentDirectoryW.KERNEL32(009F6B7C), ref: 009A9768
FindNextFileW.KERNEL32(00000000,00000010), ref: 009A9772
FindClose.KERNEL32(00000000), ref: 009A977F
FindClose.KERNEL32(00000000), ref: 009A978F

Strings

*.*, xrefs: 009A96F5

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: b45dedf306ea9e81065d2bd47c32e121ad75a7202ad4bff73627c79e2b35e719
Instruction ID: 3e8857a0b25f1ae787b441cead1a5113bbb1ed82d836e43655dc3969b9d6ae77
Opcode Fuzzy Hash: b45dedf306ea9e81065d2bd47c32e121ad75a7202ad4bff73627c79e2b35e719
Instruction Fuzzy Hash: B231E4729442196EDF14EFB5EC08EEE7BACAF8A321F104155F929E2190DB30DD448FA0

Function 009A979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 009A97BE
FindNextFileW.KERNEL32(00000000,?), ref: 009A9819
FindClose.KERNEL32(00000000), ref: 009A9824
FindFirstFileW.KERNEL32(*.*,?), ref: 009A9840
SetCurrentDirectoryW.KERNEL32(?), ref: 009A9890
SetCurrentDirectoryW.KERNEL32(009F6B7C), ref: 009A98AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 009A98B8
FindClose.KERNEL32(00000000), ref: 009A98C5
FindClose.KERNEL32(00000000), ref: 009A98D5

Part of subcall function 0099DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0099DB00

Strings

*.*, xrefs: 009A983B

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: cf4f3451e4559183a948147602811e31aa4c6dab2e70e69921f116c410f89ed0
Instruction ID: fbaa373aab8d4b1f36c4a5e45536472c6ca633f4bf9db72b12624ececf0fe4fb
Opcode Fuzzy Hash: cf4f3451e4559183a948147602811e31aa4c6dab2e70e69921f116c410f89ed0
Instruction Fuzzy Hash: 2731D2719442196EDF10EFB8EC48EEE7BBCEF87325F104155E924A2191DB38DA45CBA0

Function 009BBE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 009BC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,009BB6AE,?,?), ref: 009BC9B5
Part of subcall function 009BC998: _wcslen.LIBCMT ref: 009BC9F1
Part of subcall function 009BC998: _wcslen.LIBCMT ref: 009BCA68
Part of subcall function 009BC998: _wcslen.LIBCMT ref: 009BCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 009BBF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 009BBFA9
RegCloseKey.ADVAPI32(00000000), ref: 009BBFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 009BC02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 009BC0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 009BC154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 009BC1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 009BC23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 009BC2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 009BC382
RegCloseKey.ADVAPI32(00000000), ref: 009BC38F

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: d4e6e0edc6e4e4b4872f9d90ddd9a44741ee6455135f63480df932978caaf86c
Instruction ID: b7e673fdca6024b53c55622628dfc15d2550d642753c0ddf0769d5dd5b682e16
Opcode Fuzzy Hash: d4e6e0edc6e4e4b4872f9d90ddd9a44741ee6455135f63480df932978caaf86c
Instruction Fuzzy Hash: E8026DB1604200AFC714DF28C995E6ABBE5EF89318F58C49DF84ADB2A2D731EC45CB51

Function 009A8195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 009A8257
SystemTimeToFileTime.KERNEL32(?,?), ref: 009A8267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 009A8273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 009A8310
SetCurrentDirectoryW.KERNEL32(?), ref: 009A8324
SetCurrentDirectoryW.KERNEL32(?), ref: 009A8356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 009A838C
SetCurrentDirectoryW.KERNEL32(?), ref: 009A8395

Strings

*.*, xrefs: 009A839B

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 0ebe1a2ffc62d89a72a900e51e9e343b720462b10e8479b0216343ee32c4c1ae
Instruction ID: 70998a9e02def938f45a8df1c34a3314e3f4d123967ac96f03b9cfb4dfa6ec00
Opcode Fuzzy Hash: 0ebe1a2ffc62d89a72a900e51e9e343b720462b10e8479b0216343ee32c4c1ae
Instruction Fuzzy Hash: 036138B25083459FCB10EF64C840AAFB7E8FF89314F04891AF99997251EB35E945CF92

Function 0099D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00933AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00933A97,?,?,00932E7F,?,?,?,00000000), ref: 00933AC2

Part of subcall function 0099E199: GetFileAttributesW.KERNEL32(?,0099CF95), ref: 0099E19A

FindFirstFileW.KERNEL32(?,?), ref: 0099D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0099D1DD
MoveFileW.KERNEL32(?,?), ref: 0099D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 0099D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 0099D237

Part of subcall function 0099D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0099D21C,?,?), ref: 0099D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 0099D253
FindClose.KERNEL32(00000000), ref: 0099D264

Strings

\*.*, xrefs: 0099D0CD, 0099D0D6, 0099D0EB

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: d2c7e31e2df37cb6a1d7efa1280f757b189ebe45213d7f54c84a96929f9866b0
Instruction ID: ce1dceb1801995bdaf1079f28c93e08e030a4a06966a4c795bfd204cac07ca52
Opcode Fuzzy Hash: d2c7e31e2df37cb6a1d7efa1280f757b189ebe45213d7f54c84a96929f9866b0
Instruction Fuzzy Hash: 5E616B71C0610DAECF15EBE4CA92AEDB7B9AF95300F608065E45277191EB30AF09DF60

Function 009AED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 009AED91
EmptyClipboard.USER32 ref: 009AED97
GlobalAlloc.KERNEL32(00000002,?), ref: 009AEDAC
CloseClipboard.USER32 ref: 009AEEA3

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: b5dbac9f27abfcc274082b2057cfd135e75967d4d3bad0ed6205cd2b20a0b0f9
Instruction ID: 7703384f51d95781575cc55315fc4bf6280a8ce5a20a89ee05e6d185dc5ce5a3
Opcode Fuzzy Hash: b5dbac9f27abfcc274082b2057cfd135e75967d4d3bad0ed6205cd2b20a0b0f9
Instruction Fuzzy Hash: 86419A75608612AFE720CF15D988F19BBE5FF45329F14C099E42A8B6A2C735EC42CBD1

Function 0099E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 009916C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0099170D
Part of subcall function 009916C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0099173A
Part of subcall function 009916C3: GetLastError.KERNEL32 ref: 0099174A

ExitWindowsEx.USER32(?,00000000), ref: 0099E932

Strings

, xrefs: 0099E95C
SeShutdownPrivilege, xrefs: 0099E902
, xrefs: 0099E920
@, xrefs: 0099E925

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: fe686d2e4f977ed205a165f7c15e92b9d1da0bc14328d2a5b185021847670aaf
Instruction ID: aa105d2877b3110ab45a6a23502b2992df08673788e890da63458c0a62f45adb
Opcode Fuzzy Hash: fe686d2e4f977ed205a165f7c15e92b9d1da0bc14328d2a5b185021847670aaf
Instruction Fuzzy Hash: E701F972A24211AFEF54A6BC9C86FBF726CA714790F150821FD13E21D2D9A55C4092A0

Function 009B1204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 009B1276
WSAGetLastError.WSOCK32 ref: 009B1283
bind.WSOCK32(00000000,?,00000010), ref: 009B12BA
WSAGetLastError.WSOCK32 ref: 009B12C5
closesocket.WSOCK32(00000000), ref: 009B12F4
listen.WSOCK32(00000000,00000005), ref: 009B1303
WSAGetLastError.WSOCK32 ref: 009B130D
closesocket.WSOCK32(00000000), ref: 009B133C

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: c406abd4cabe54a40400d87b5ee4b0dc513bccacf70b75ba9be05533b76182c4
Instruction ID: cda920e9dba5258a6fbd5f44b48ad1c72eeaa4006dd9a27e54392f0f53f256fe
Opcode Fuzzy Hash: c406abd4cabe54a40400d87b5ee4b0dc513bccacf70b75ba9be05533b76182c4
Instruction Fuzzy Hash: 45418271A001009FD710DF64C598B6ABBE5BF86328F588198E8569F2D3C771ED81CBE1

Function 0096B952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0096B9D4
_free.LIBCMT ref: 0096B9F8
_free.LIBCMT ref: 0096BB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,009D3700), ref: 0096BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,00A0121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0096BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00A01270,000000FF,?,0000003F,00000000,?), ref: 0096BC36
_free.LIBCMT ref: 0096BD4B

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: 5fa479e909c3c2ef6a630e0534f4ca5d6b96ef2d4b2d32b723b86be14d0f9317
Instruction ID: 1b2195cbf07309a96ed1206c8185638e6ca0e35ae4bc69b90ac9ccd68f984355
Opcode Fuzzy Hash: 5fa479e909c3c2ef6a630e0534f4ca5d6b96ef2d4b2d32b723b86be14d0f9317
Instruction Fuzzy Hash: 63C10671A04208AFDB24DFB9DC51BAA7BBDEF85350F1441AAE494D7291F7309E82C750

Function 0099D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00933AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00933A97,?,?,00932E7F,?,?,?,00000000), ref: 00933AC2

Part of subcall function 0099E199: GetFileAttributesW.KERNEL32(?,0099CF95), ref: 0099E19A

FindFirstFileW.KERNEL32(?,?), ref: 0099D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 0099D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 0099D481
FindClose.KERNEL32(00000000), ref: 0099D498
FindClose.KERNEL32(00000000), ref: 0099D4A1

Strings

\*.*, xrefs: 0099D3F2

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 03f220dd99c8530aceaae722878c2d63effce54205f827050cef9a5e34ef03f2
Instruction ID: 3b18b694caeb356f146595dcf1dd9972cf00845a676aef21212b34f32c52e564
Opcode Fuzzy Hash: 03f220dd99c8530aceaae722878c2d63effce54205f827050cef9a5e34ef03f2
Instruction Fuzzy Hash: BC317E7141D3459FC700EF64D891AAFB7A8AED1314F844A1DF4D5921A1EB20EA09DB63

Function 0096E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0096E645

Strings

1#SNAN, xrefs: 0096F844
1#QNAN, xrefs: 0096F84B
1#INF, xrefs: 0096F852
1#IND, xrefs: 0096F83D

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 9a813d99b6eef08a7072384df3d9a3d465d1bfbf76aa5f153a4eacb6bf9b62e5
Instruction ID: ef61fd1aa35a5d1340e440aef9e658ae3da2fd468d9c46c55b303daf8900b130
Opcode Fuzzy Hash: 9a813d99b6eef08a7072384df3d9a3d465d1bfbf76aa5f153a4eacb6bf9b62e5
Instruction Fuzzy Hash: A3C24D71E086298FDB25CF28DD507EAB7B9EB44305F1445EAD84EE7240E778AE858F40

Function 009A648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 009A64DC
CoInitialize.OLE32(00000000), ref: 009A6639
CoCreateInstance.OLE32(009CFCF8,00000000,00000001,009CFB68,?), ref: 009A6650
CoUninitialize.OLE32 ref: 009A68D4

Strings

.lnk, xrefs: 009A64BA, 009A6524, 009A65E0

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: f68bc7c2eb6cab5fff92b04285bb4634c366d05ba196a30d5c354ddd41b7a576
Instruction ID: a0751acdddc098631cfd4ed817038ec09e8974735bdbf80c7fd47d73cf5c1873
Opcode Fuzzy Hash: f68bc7c2eb6cab5fff92b04285bb4634c366d05ba196a30d5c354ddd41b7a576
Instruction Fuzzy Hash: D6D13771508201AFC314EF24C881A6BB7E9FFD9704F14896DF5958B2A1EB70ED09CB92

Function 009B22DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 009B22E8

Part of subcall function 009AE4EC: GetWindowRect.USER32(?,?), ref: 009AE504

GetDesktopWindow.USER32 ref: 009B2312
GetWindowRect.USER32(00000000), ref: 009B2319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 009B2355
GetCursorPos.USER32(?), ref: 009B2381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 009B23DF

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 0821bb968a80203b3d91e2839f0465e7715ebcbc5bbdd4f457ed5a3ceae64dbb
Instruction ID: 9e21d155f4a575bf6bfcaf3acbc82c7a8c15670854834b5f5b8e742eb158c52f
Opcode Fuzzy Hash: 0821bb968a80203b3d91e2839f0465e7715ebcbc5bbdd4f457ed5a3ceae64dbb
Instruction Fuzzy Hash: FA31AF72508315ABDB20DF54C949F9BBBEDFF88724F000919F98997191DB34EA09CB92

Function 009A9B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00939CB3: _wcslen.LIBCMT ref: 00939CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 009A9B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 009A9C8B

Part of subcall function 009A3874: GetInputState.USER32 ref: 009A38CB
Part of subcall function 009A3874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 009A3966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 009A9BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 009A9C75

Strings

*.*, xrefs: 009A9B5D

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 9d5f8e96f47cfe37badf97f3d6c8eceb609b1a6e6529d2e40f9899900298ee26
Instruction ID: fabff0059cfb3a2e144251cea0924b7e95cf885cd4072cd6d5be9f878c0ce310
Opcode Fuzzy Hash: 9d5f8e96f47cfe37badf97f3d6c8eceb609b1a6e6529d2e40f9899900298ee26
Instruction Fuzzy Hash: BB41517194460A9FCF14DFA4CC49BEEBBB8FF46310F248155E859A2191EB309E44CFA0

Function 0094997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00949BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00949BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00949A4E
GetSysColor.USER32(0000000F), ref: 00949B23
SetBkColor.GDI32(?,00000000), ref: 00949B36

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: a141588cb8936764e96a099dae3a530e9711f304a2bf90d439e991d063ed05c3
Instruction ID: 10a5817b09adb0664687c949b4849acb9b9f804fbcfec5eadb637d354f70f09c
Opcode Fuzzy Hash: a141588cb8936764e96a099dae3a530e9711f304a2bf90d439e991d063ed05c3
Instruction Fuzzy Hash: FEA10870518454BEE729FB7C8C98FBB6A9DDB82350B244609F502C6791CA29DD02D372

Function 009B1806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 009B304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 009B307A
Part of subcall function 009B304E: _wcslen.LIBCMT ref: 009B309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 009B185D
WSAGetLastError.WSOCK32 ref: 009B1884
bind.WSOCK32(00000000,?,00000010), ref: 009B18DB
WSAGetLastError.WSOCK32 ref: 009B18E6
closesocket.WSOCK32(00000000), ref: 009B1915

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 9442b46bad3ed2882bc42a137c91be9eeaa7e9892a1ba008638737d82439cfd4
Instruction ID: 4da42e774a82b97cbe3523349458fd3c0e15ef84804719b9d366bbd139ef9f9a
Opcode Fuzzy Hash: 9442b46bad3ed2882bc42a137c91be9eeaa7e9892a1ba008638737d82439cfd4
Instruction Fuzzy Hash: AE51C6B5A00200AFDB10EF24C996F6A77E5AB84718F44845CFA19AF3D3D771AD41CBA1

Function 009C1C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 009C1CC0
IsWindowEnabled.USER32 ref: 009C1CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 009C1CDB
IsIconic.USER32 ref: 009C1CE9
IsZoomed.USER32 ref: 009C1CF7

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 6def1c6ea21f3e329b704c57440199334d3ba5fe3c3c2e132f9700eb66ec33aa
Instruction ID: 7853e7be362c22085d4c501c86867a007c6c19002f21ae3a5b2544d9e80e15f4
Opcode Fuzzy Hash: 6def1c6ea21f3e329b704c57440199334d3ba5fe3c3c2e132f9700eb66ec33aa
Instruction Fuzzy Hash: 3A21D671F802115FE7208F1AC844F2A7BA9EF86315F19805CF88A8B352C771EC42CB96

Function 00938060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 0093843C
VUUU, xrefs: 009383E8
ERCP, xrefs: 0093813C
VUUU, xrefs: 009383FA
VUUU, xrefs: 00975DF0

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 86496572721cd44da52731d2c5e74eb41debb696b8aae588baa553aba23d92eb
Instruction ID: 796ca30f5fdfca31c5f22a84284610d0893fa773f0efa158e49429da1e9b25a6
Opcode Fuzzy Hash: 86496572721cd44da52731d2c5e74eb41debb696b8aae588baa553aba23d92eb
Instruction Fuzzy Hash: DFA2B172E0061ACBDF24CF58C8457AEB7B5BF44314F2485AAE819A7385EB749D81CF90

Function 0099AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0099AAAC
SetKeyboardState.USER32(00000080), ref: 0099AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0099AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0099AB88

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: ce883344d6679a8eef56b16d6bf1f5b4752aeb1ce2c8d5cd3df326c92339f2ed
Instruction ID: a7f2bfbdd7efbf27c5264fd80cb6073c8dabaf09d32550f5a1f11a2caf61f4a4
Opcode Fuzzy Hash: ce883344d6679a8eef56b16d6bf1f5b4752aeb1ce2c8d5cd3df326c92339f2ed
Instruction Fuzzy Hash: 93312270A40208AFFF348B6D8C05BFA7BAAEB94320F04421AF185921D0D7788981D7E6

Function 009ACE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 009ACE89
GetLastError.KERNEL32(?,00000000), ref: 009ACEEA
SetEvent.KERNEL32(?,?,00000000), ref: 009ACEFE

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: bb515686313367f66ce3b66e44b2a2e509b51debc0b3f63471f021988e053dee
Instruction ID: 790527d72d77fa9ec170bc3fba7d929c7138237a1db839dc665fb2cf9f52bf71
Opcode Fuzzy Hash: bb515686313367f66ce3b66e44b2a2e509b51debc0b3f63471f021988e053dee
Instruction Fuzzy Hash: 8621BDB1904305AFEB20CF65C948BA67BFCEB41358F20482EE64696151E774EE08DB90

Function 00998298 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 009982AA

Strings

|, xrefs: 009982DA
(, xrefs: 009982F0

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 7934922f783a434a8a7a12c4d540ba7203d0dda1039e94eab8cd3a371b02ed5a
Instruction ID: 29365f21a8b82841ef282104176c30f9da08925dd68145f2e725a08f7021380e
Opcode Fuzzy Hash: 7934922f783a434a8a7a12c4d540ba7203d0dda1039e94eab8cd3a371b02ed5a
Instruction Fuzzy Hash: 1A323475A007059FCB28CF59C481A6AB7F0FF48710B15C56EE59ADB3A1EB70E981CB50

Function 009A5C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 009A5CC1
FindNextFileW.KERNEL32(00000000,?), ref: 009A5D17
FindClose.KERNEL32(?), ref: 009A5D5F

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 7b2b3f1a6d6b433095b55797756d06d0e1e49c87bb01a4137cac899f18c389bc
Instruction ID: 64de4a7bd7d8716584da31bd9b6dbd5f2a000654f101252bd68481644440c77a
Opcode Fuzzy Hash: 7b2b3f1a6d6b433095b55797756d06d0e1e49c87bb01a4137cac899f18c389bc
Instruction Fuzzy Hash: FB516875604A019FC714CF28C494E96B7E8FF4A324F15855DE9AA8B3A2CB30E905CF91

Function 00962622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0096271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00962724
UnhandledExceptionFilter.KERNEL32(?), ref: 00962731

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: a02fceb349fcf1b3be1316142bd4454d23f89bed73a77fa2644b9a221dfad147
Instruction ID: 2600c5aed102909f39f7778754b42ca9a210fae21a19f50f9e2f7d332519932a
Opcode Fuzzy Hash: a02fceb349fcf1b3be1316142bd4454d23f89bed73a77fa2644b9a221dfad147
Instruction Fuzzy Hash: 8D31D47491121CABCB21DF69DD89BDCBBB8AF48310F5041EAE81CA7260E7309F858F44

Function 009A51CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 009A51DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 009A5238
SetErrorMode.KERNEL32(00000000), ref: 009A52A1

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: c67c3a20b50594f49360870a00cfce72702bb8b89df2d821c42018319ea73afa
Instruction ID: 598c91176c30fe8fa7916c1c2ad5305f2b89b780157526292d09d00d008224a0
Opcode Fuzzy Hash: c67c3a20b50594f49360870a00cfce72702bb8b89df2d821c42018319ea73afa
Instruction Fuzzy Hash: 94317A75A04508DFDB00DF94D884FADBBB4FF49314F098099E809AB3A2CB31E846CB90

Function 009916C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 0094FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00950668
Part of subcall function 0094FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00950685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0099170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0099173A
GetLastError.KERNEL32 ref: 0099174A

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: 75ed65f530eea405bafa967c799d39f73a95df7c8ba9a8a70480c3626046476e
Instruction ID: 80b383b89ac03b96a993c96f15dc42001515e46e3a354f4f6a2b9e4cdbc87d06
Opcode Fuzzy Hash: 75ed65f530eea405bafa967c799d39f73a95df7c8ba9a8a70480c3626046476e
Instruction Fuzzy Hash: B81194B1814306AFDB189F54DC86E6ABBBDFF44714B24852EE05657641EB70BC418A20

Function 0099D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0099D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0099D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0099D650

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: a6ed2dd3572510f555e56a4ef05384cadd713a9f598a52cdc2eabf76e3aa52a1
Instruction ID: 48dc3068c1fd34b28652c5e68716d026eb0e805b59b8725a576e6b06f3f19ccf
Opcode Fuzzy Hash: a6ed2dd3572510f555e56a4ef05384cadd713a9f598a52cdc2eabf76e3aa52a1
Instruction Fuzzy Hash: 921161B5E05228BFDB108F99EC85FAFBFBCEB45B50F108115F918E7290D6704A059BA1

Function 00991663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0099168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 009916A1
FreeSid.ADVAPI32(?), ref: 009916B1

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 803a1a6974ff9f4c76a0e2402dd55d4fab926a595c55946fc0c1d629ebb33966
Instruction ID: 298018f0dcdca19e62f4c158aac3157c56a19933be5d822e55ba0381aafe5154
Opcode Fuzzy Hash: 803a1a6974ff9f4c76a0e2402dd55d4fab926a595c55946fc0c1d629ebb33966
Instruction Fuzzy Hash: E2F0F4B1D54309FBDF00DFE49C89EAEBBBCFB08604F504565E901E2181E774AA449A54

Function 0096C2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 0096C36C

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 68328f0f06e3a1bf816597a1065a889c3a0f41c553a07fc3c130da94d509788f
Instruction ID: ad3702935b86841721bf9365298e52c1bea6e0c73a0d389250f7726e76a274af
Opcode Fuzzy Hash: 68328f0f06e3a1bf816597a1065a889c3a0f41c553a07fc3c130da94d509788f
Instruction Fuzzy Hash: 894128B29002196BCB20DFB9DC49EBB777CEB84354F504269F955D7280E6709D418B50

Function 0098D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 0098D28C

Strings

X64, xrefs: 0098D2A8

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: b90a7c23a02022719f367b83f79aba520362bd5c4d7a426c0a82fd80634e740f
Instruction ID: 316348211ad3189da34b4c7e1bdafc267fa2bc0c057d32709fe3fbfc0a65c143
Opcode Fuzzy Hash: b90a7c23a02022719f367b83f79aba520362bd5c4d7a426c0a82fd80634e740f
Instruction Fuzzy Hash: E7D0C9B481611DEACF90DB90EC88DD9B77CBB04305F100551F106A2140D73495489F10

Function 0095CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: 629f4bb2c76fd1edd26448e1b26e3e3fb13bab6930c56108a9a953b999f20683
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: C6022DB2E002199FDF14CFA9D8806ADBBF5EF88315F258569D819E7380D731AE45CB84

Function 009A68EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 009A6918
FindClose.KERNEL32(00000000), ref: 009A6961

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 0d0422968f20853bb2e2824c6cb4eee332d8cc2c26730c27c5bf3419bddd6880
Instruction ID: 02fae7ae9ddaab6ddfe1a6a35b5270f14308c7b336a5f2cdd3870f1b946fd5d2
Opcode Fuzzy Hash: 0d0422968f20853bb2e2824c6cb4eee332d8cc2c26730c27c5bf3419bddd6880
Instruction Fuzzy Hash: 5E118E756146009FC710DF69D488A16BBE5EF89328F18C699E4698F6A2CB30EC05CBD1

Function 009A37B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,009B4891,?,?,00000035,?), ref: 009A37E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,009B4891,?,?,00000035,?), ref: 009A37F4

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 1dd8170cee5c618e8cb0c07b2938163a220bd7dc5c7b28702eb19b06a07e829b
Instruction ID: 1872cac68bf2c71ea0fd6a365faf31b3270f112a774c74d1d3aa828aebe551e5
Opcode Fuzzy Hash: 1dd8170cee5c618e8cb0c07b2938163a220bd7dc5c7b28702eb19b06a07e829b
Instruction Fuzzy Hash: 14F0E5B1A043292BE72057669C4DFEB3AAEEFC5765F004165F50DE2281DAA09904C6F0

Function 0099B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0099B25D
keybd_event.USER32(?,75A8C0D0,?,00000000), ref: 0099B270

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: d55bae8f30e163cc1b35dd7b638a6259fdfd8b8267e639fd49233274bf941232
Instruction ID: 3efd4d4b961fccd0e3332a7ae87d5835481233e9efe0a7ff81ec40dbda891b6b
Opcode Fuzzy Hash: d55bae8f30e163cc1b35dd7b638a6259fdfd8b8267e639fd49233274bf941232
Instruction Fuzzy Hash: 5BF01D7181428DABDF059FA4D805BAE7FB4FF04305F00841AF965A5191C37D96119F94

Function 009910BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,009911FC), ref: 009910D4
CloseHandle.KERNEL32(?,?,009911FC), ref: 009910E9

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: d1765788b81e9471a99dd87dcf83d6cfda56b8d2fba0c85a0b3044ef8af1c33d
Instruction ID: 0bb6d8402de5cc084b4add5ea1a53f4354b0b056d3d9ec2a855307208283e1bc
Opcode Fuzzy Hash: d1765788b81e9471a99dd87dcf83d6cfda56b8d2fba0c85a0b3044ef8af1c33d
Instruction Fuzzy Hash: 9EE0BF72418651AEEB252B55FC05F777BA9FB04311F14882DF5A6804B1DB626C90EB50

Function 0093CAF0 Relevance: 1.9, Strings: 1, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 00980C40

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.
API String ID: 0-1840281001
Opcode ID: 9e806fbfea9c3e176575ac26133025c2000a3e9470e5840720c0be5af8b899da
Instruction ID: 3938e312d3847c19fde6525a68b31d37205204eea7b0cb8dd6147d75b3cd8195
Opcode Fuzzy Hash: 9e806fbfea9c3e176575ac26133025c2000a3e9470e5840720c0be5af8b899da
Instruction Fuzzy Hash: FF328BB4900618DBCF14EF94C885BEEB7B9BF84304F148459E846BB292D735AE49CF51

Function 0096676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00966766,?,?,00000008,?,?,0096FEFE,00000000), ref: 00966998

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: b6a06dcd850eebd5b29a490e44a88c0f669b19cce84fbb9fc952fc497d8cfbb7
Instruction ID: a1be85ffcf21eba59ec2a1130b3a1d5c28cd5e190f99b813a03e4b95c3ec7c80
Opcode Fuzzy Hash: b6a06dcd850eebd5b29a490e44a88c0f669b19cce84fbb9fc952fc497d8cfbb7
Instruction Fuzzy Hash: 64B11A71610609DFD719CF28C48AB657BE0FF45364F298658E8D9CF2A2C735E991CB40

Function 0094B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 0098851F

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 1ccc854eaf70d670a17d4d3275d57986052ca81e0a81a0b938e1d53e08b8978d
Instruction ID: fc1c5243556d8793644011c39d9b3ce148f6d798abef29c18550de83965824d0
Opcode Fuzzy Hash: 1ccc854eaf70d670a17d4d3275d57986052ca81e0a81a0b938e1d53e08b8978d
Instruction Fuzzy Hash: 26124F759002299FCB24DF58C890BEEB7B5FF48710F54819AE849EB255DB349E81CFA0

Function 009AEAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 009AEABD

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: f8b59d60d684ef99188f012925884165c4588a1ce4930a0d19ee5b6a49c77f44
Instruction ID: da4b3ecdb2c7dd9bdcab79cc5b5938091dd218918dcf4db9c4bd2a96f9e288ee
Opcode Fuzzy Hash: f8b59d60d684ef99188f012925884165c4588a1ce4930a0d19ee5b6a49c77f44
Instruction Fuzzy Hash: E0E01A762102049FC710EF59D808E9ABBE9AF99760F00841AFD49DB351DA70AC408B91

Function 009509D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,009503EE), ref: 009509DA

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: d7aea61d78d2e76dc685ca3c65a310f3a91099e58f6e2f1cabdb26393fcff784
Instruction ID: 3f730be300549a7c87f62c2950f5a8d1e9e904c26257c4fb33ab0d0ab28f158e
Opcode Fuzzy Hash: d7aea61d78d2e76dc685ca3c65a310f3a91099e58f6e2f1cabdb26393fcff784
Instruction Fuzzy Hash:

Function 0095781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 0095798B

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 3d6e6147af1f8d94a500bd569669e0540e3a861d234873b5358d73fd0dfce012
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: C051376160C6056BDB38C5EBB8A97BFE38D9B52342F180909DE86D7282C615DF0DD362

Function 00966DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8f3ca0f149e75f2cd28a05d3b73a2032687310618817b2b8fc1d6554dda20c6
Instruction ID: 643edf8f93cedc7a737486dd50bacb117df6d7bdf5d8876a561e1aff16e98b40
Opcode Fuzzy Hash: e8f3ca0f149e75f2cd28a05d3b73a2032687310618817b2b8fc1d6554dda20c6
Instruction Fuzzy Hash: 29320222D6EF414DD7239634C822336A349AFB73C9F25D727F82AB59A5EB29C4C35100

Function 0094CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fc66d7ef82ce91cc3e74f707d3daa95d4345a0bdf2523eb78cc407c5029d557
Instruction ID: 38459388afd37987a6de92ecc52783a8a2d369f8a78c227309229f99afd4bf27
Opcode Fuzzy Hash: 7fc66d7ef82ce91cc3e74f707d3daa95d4345a0bdf2523eb78cc407c5029d557
Instruction Fuzzy Hash: A73239F1A041058FDF28EF28C4E4A7D77A9EB45302F28896AD599DB391D338DD81DB60

Function 00937920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1001b592e2f02b7448ca379d33609296a70cdfb9e287a2fd608da35e6d9af834
Instruction ID: cb1001ab42c6fee24571bbbd09e505565f543dfe772fcd2839a7db5e5e38e3a6
Opcode Fuzzy Hash: 1001b592e2f02b7448ca379d33609296a70cdfb9e287a2fd608da35e6d9af834
Instruction Fuzzy Hash: B3228EB1A0460ADFDF14CFA4C881BAEF7B5FF44300F248529E816A7291EB79A955CF50

Function 009391C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44c04fc59210bcd921dd8813feae496f00994c277386722e74041bda9c9ff2f2
Instruction ID: 1335007f78002541ad4292a9c7f8d51c8cbd8d0a48ed408c34d303de2f3fe809
Opcode Fuzzy Hash: 44c04fc59210bcd921dd8813feae496f00994c277386722e74041bda9c9ff2f2
Instruction Fuzzy Hash: A802B6B1E0010AEBDB05DF54D881BAEB7B5FF48300F50C569E81A9B291EB75AE14CF91

Function 00969EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2435140178f472a0dff2ea81631786f8a482fe8b1c8de305dd62df756fe414cc
Instruction ID: 772a13b23ebb32be43b52f87eb00e515a768949f9b4ae471951cfe5c9deff33f
Opcode Fuzzy Hash: 2435140178f472a0dff2ea81631786f8a482fe8b1c8de305dd62df756fe414cc
Instruction Fuzzy Hash: EBB1EE20D7AF414DC22396398921336F75CAFBB6D6B92D71BFC2674D22EB2286C35141

Function 00951C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: c991c94bb0df036bb6f21f4798a6b4676e9055479d65b020361f170e11dadfb6
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 169165721080A34ADB29C63B857567EFFF55A923A371A079DDCF2CA1C1EE14895CD720

Function 00951F32 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: 7281c36365f0c64e517dbe46be980bc1c02279879b3a8c3aadbc7d7ecb6d5070
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: BD91427220D0A349DB69833B857413EFEE55A933A371A079DDCF2CA1C5EE24855CD720

Function 009519B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 22de606cc16db06cf193523769104b57e20ba2f5ce0a817c399d20d5927762bc
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 7F9173722090A34ADB2E827B957423DFFE55A923A371A079ED8F2CA1C5FE14C55CD720

Function 00957A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ae3b8361b2b27ee59a90da09b81bf58bc2460ad6999d6a41293dece6c9ab8cc
Instruction ID: 6b4298dc958e40a1b969f619d7d4ab3822572a260f3168f20bc5e2b4d13685ca
Opcode Fuzzy Hash: 9ae3b8361b2b27ee59a90da09b81bf58bc2460ad6999d6a41293dece6c9ab8cc
Instruction Fuzzy Hash: FA61567160870956EA34DAEBB895BBFE39CDF81303F140D19EC82DB281DA159F4E8315

Function 00957CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f77d25ab306e0ed3e15a1344099ca130c5c158cb31bb23f13ddc3f843fd59c3
Instruction ID: 66c14c6d399364fac76e2ecea15c195031053b6df4a4e28a8f480167cbed4340
Opcode Fuzzy Hash: 2f77d25ab306e0ed3e15a1344099ca130c5c158cb31bb23f13ddc3f843fd59c3
Instruction Fuzzy Hash: CB61596120870966DA34CAEB7856BBFE3AC9F42703F100D59EC42DB2D1E6169F4EC355

Function 00951706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 938fed9171694ccba1c2d19f2bede81f78851aeb96561cd1561feef700d0eef6
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: C88176765080A30ADB2DC23F853467EFFE55A923A371A079ED8F2CA1C1EE14995CD720

Function 009A2046 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf460974d914bbc93eb6492494ab218569344f5909d4113ea4336853546b4440
Instruction ID: 1df6f3b9d1fc2b1eedda0bfc2d4632683a3c91fa21d99d853039ae58c5920575
Opcode Fuzzy Hash: cf460974d914bbc93eb6492494ab218569344f5909d4113ea4336853546b4440
Instruction Fuzzy Hash: EE21A5326206158BD728CF79C82677A73E9AB54310F15862EE4A7C37D1DE7AA905CB80

Function 009B2ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 009B2B30
DeleteObject.GDI32(00000000), ref: 009B2B43
DestroyWindow.USER32 ref: 009B2B52
GetDesktopWindow.USER32 ref: 009B2B6D
GetWindowRect.USER32(00000000), ref: 009B2B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 009B2CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 009B2CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 009B2CF8
GetClientRect.USER32(00000000,?), ref: 009B2D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 009B2D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 009B2D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 009B2D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 009B2D80
GlobalLock.KERNEL32(00000000), ref: 009B2D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 009B2D98
GlobalUnlock.KERNEL32(00000000), ref: 009B2DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 009B2DA8
GlobalFree.KERNEL32(00000000), ref: 009B2DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 009B2DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,009CFC38,00000000), ref: 009B2DDB
GlobalFree.KERNEL32(00000000), ref: 009B2DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 009B2E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 009B2E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 009B2E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 009B303F

Strings

AutoIt v3, xrefs: 009B2CF2
DISPLAY, xrefs: 009B2EA2
static, xrefs: 009B2D3A, 009B2E91
, xrefs: 009B2FC5

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 8e490b37cf7d302b8048df0173533c7ae6ae6d9bb0cb357c9c709a260be07986
Instruction ID: 1174dadeb981bc4c00399d0bff781814eb4a2af251c25534a9f435337bf8fb2e
Opcode Fuzzy Hash: 8e490b37cf7d302b8048df0173533c7ae6ae6d9bb0cb357c9c709a260be07986
Instruction Fuzzy Hash: 32027EB5910219AFDB14DFA4CD89EAE7BB9EF49310F048558F919AB2A1CB34DD01CF60

Function 009C70D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 009C712F
GetSysColorBrush.USER32(0000000F), ref: 009C7160
GetSysColor.USER32(0000000F), ref: 009C716C
SetBkColor.GDI32(?,000000FF), ref: 009C7186
SelectObject.GDI32(?,?), ref: 009C7195
InflateRect.USER32(?,000000FF,000000FF), ref: 009C71C0
GetSysColor.USER32(00000010), ref: 009C71C8
CreateSolidBrush.GDI32(00000000), ref: 009C71CF
FrameRect.USER32(?,?,00000000), ref: 009C71DE
DeleteObject.GDI32(00000000), ref: 009C71E5
InflateRect.USER32(?,000000FE,000000FE), ref: 009C7230
FillRect.USER32(?,?,?), ref: 009C7262
GetWindowLongW.USER32(?,000000F0), ref: 009C7284

Part of subcall function 009C73E8: GetSysColor.USER32(00000012), ref: 009C7421
Part of subcall function 009C73E8: SetTextColor.GDI32(?,?), ref: 009C7425
Part of subcall function 009C73E8: GetSysColorBrush.USER32(0000000F), ref: 009C743B
Part of subcall function 009C73E8: GetSysColor.USER32(0000000F), ref: 009C7446
Part of subcall function 009C73E8: GetSysColor.USER32(00000011), ref: 009C7463
Part of subcall function 009C73E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 009C7471
Part of subcall function 009C73E8: SelectObject.GDI32(?,00000000), ref: 009C7482
Part of subcall function 009C73E8: SetBkColor.GDI32(?,00000000), ref: 009C748B
Part of subcall function 009C73E8: SelectObject.GDI32(?,?), ref: 009C7498
Part of subcall function 009C73E8: InflateRect.USER32(?,000000FF,000000FF), ref: 009C74B7
Part of subcall function 009C73E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 009C74CE
Part of subcall function 009C73E8: GetWindowLongW.USER32(00000000,000000F0), ref: 009C74DB

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: b1809f9f8dcbcd6d433584fbedd61900ae2f4ef1b31c9cca0a416c365c256417
Instruction ID: df98e650fd10c76301cfe6215aecc376c85084fecf2bd861acf180d4e6b93759
Opcode Fuzzy Hash: b1809f9f8dcbcd6d433584fbedd61900ae2f4ef1b31c9cca0a416c365c256417
Instruction Fuzzy Hash: B3A1A1B281C301AFDB009FA0DC48F5BBBA9FB49321F140A19F966961E1D734E944DF52

Function 00948D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00948E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00986AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00986AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00986F43

Part of subcall function 00948F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00948BE8,?,00000000,?,?,?,?,00948BBA,00000000,?), ref: 00948FC5

SendMessageW.USER32(?,00001053), ref: 00986F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00986F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00986FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00986FB7

Strings

0, xrefs: 00986DCF

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: 6f9189851e2edc2ef78e0f3deb070c18bb434bf7cc18716cfc444b43d1a39f48
Instruction ID: 9a268000636b58fce3affad7e7fdae1e8908079eb88718007bc26837c7ffe4b8
Opcode Fuzzy Hash: 6f9189851e2edc2ef78e0f3deb070c18bb434bf7cc18716cfc444b43d1a39f48
Instruction Fuzzy Hash: 58129A70604201EFDB25EF24C994FAABBE9FB44300F144469F5899B762CB35EC92DB91

Function 009B2711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 009B273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 009B286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 009B28A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 009B28B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 009B2900
GetClientRect.USER32(00000000,?), ref: 009B290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 009B2955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 009B2964
GetStockObject.GDI32(00000011), ref: 009B2974
SelectObject.GDI32(00000000,00000000), ref: 009B2978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 009B2988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 009B2991
DeleteDC.GDI32(00000000), ref: 009B299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 009B29C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 009B29DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 009B2A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 009B2A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 009B2A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 009B2A77
GetStockObject.GDI32(00000011), ref: 009B2A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 009B2A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 009B2A97

Strings

AutoIt v3, xrefs: 009B28F8
msctls_progress32, xrefs: 009B2A13
DISPLAY, xrefs: 009B295A
static, xrefs: 009B294F, 009B2A71

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 15d19508b3181672d0befc0fbfce0407e0c4c380eea9419d537b6b19471bd1b2
Instruction ID: a184b87e5634c2e6ec9cf29e6bd4ed6afafb5979b996b1188bedce15d3c9d4fb
Opcode Fuzzy Hash: 15d19508b3181672d0befc0fbfce0407e0c4c380eea9419d537b6b19471bd1b2
Instruction Fuzzy Hash: 1BB14EB1A10219AFEB14DFA9CD89FAE7BA9EB48710F004114F915EB290D774ED41CFA4

Function 009A4ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 009A4AED
GetDriveTypeW.KERNEL32(?,009CCB68,?,\\.\,009CCC08), ref: 009A4BCA
SetErrorMode.KERNEL32(00000000,009CCB68,?,\\.\,009CCC08), ref: 009A4D36

Strings

SAS, xrefs: 009A4CC9
CDROM, xrefs: 009A4BFB
Virtual, xrefs: 009A4CE5
\\.\, xrefs: 009A4B3F
SATA, xrefs: 009A4CD0
RAID, xrefs: 009A4CBB
USB, xrefs: 009A4CB4
iSCSI, xrefs: 009A4CC2
SCSI, xrefs: 009A4C8A
ATA, xrefs: 009A4C98
Network, xrefs: 009A4C02
MMC, xrefs: 009A4CDE
SSD, xrefs: 009A4C4A
ATAPI, xrefs: 009A4C91
Fibre, xrefs: 009A4CAD
1394, xrefs: 009A4C9F
FileBackedVirtual, xrefs: 009A4CEC
PhysicalDrive, xrefs: 009A4B76
Removable, xrefs: 009A4C10, 009A4C15
RAMDisk, xrefs: 009A4BF4
Unknown, xrefs: 009A4BED, 009A4C83
Fixed, xrefs: 009A4C09
SSA, xrefs: 009A4CA6

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 6ac4315cedb923e6ad4b21c7779c8c9f63a703d730041b2d0b540639e83bdaec
Instruction ID: 0115ef2a4560cf94cf7698387e70fef9a1c7009184d922ada2dba813dcbd1f0d
Opcode Fuzzy Hash: 6ac4315cedb923e6ad4b21c7779c8c9f63a703d730041b2d0b540639e83bdaec
Instruction Fuzzy Hash: C1610530605309DBCB04DF28C981EBC77B0ABC6354B248815F98EAB691DBB9ED41DBD1

Function 009C73E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 009C7421
SetTextColor.GDI32(?,?), ref: 009C7425
GetSysColorBrush.USER32(0000000F), ref: 009C743B
GetSysColor.USER32(0000000F), ref: 009C7446
CreateSolidBrush.GDI32(?), ref: 009C744B
GetSysColor.USER32(00000011), ref: 009C7463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 009C7471
SelectObject.GDI32(?,00000000), ref: 009C7482
SetBkColor.GDI32(?,00000000), ref: 009C748B
SelectObject.GDI32(?,?), ref: 009C7498
InflateRect.USER32(?,000000FF,000000FF), ref: 009C74B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 009C74CE
GetWindowLongW.USER32(00000000,000000F0), ref: 009C74DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 009C752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 009C7554
InflateRect.USER32(?,000000FD,000000FD), ref: 009C7572
DrawFocusRect.USER32(?,?), ref: 009C757D
GetSysColor.USER32(00000011), ref: 009C758E
SetTextColor.GDI32(?,00000000), ref: 009C7596
DrawTextW.USER32(?,009C70F5,000000FF,?,00000000), ref: 009C75A8
SelectObject.GDI32(?,?), ref: 009C75BF
DeleteObject.GDI32(?), ref: 009C75CA
SelectObject.GDI32(?,?), ref: 009C75D0
DeleteObject.GDI32(?), ref: 009C75D5
SetTextColor.GDI32(?,?), ref: 009C75DB
SetBkColor.GDI32(?,?), ref: 009C75E5

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: f741d957e1f8bfc148eda4a4cbac805315d06c252bf5c52aac0f5f8095170f7d
Instruction ID: d0763ba2fe8908342abe330f32e4a2cd6923d06dab27d963e85b04bd57a49baf
Opcode Fuzzy Hash: f741d957e1f8bfc148eda4a4cbac805315d06c252bf5c52aac0f5f8095170f7d
Instruction Fuzzy Hash: AC615BB2D08218AFDF019FA4DC49EEEBFB9EB08320F154515F915AB2A2D7749940DF90

Function 009C0FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 009C1128
GetDesktopWindow.USER32 ref: 009C113D
GetWindowRect.USER32(00000000), ref: 009C1144
GetWindowLongW.USER32(?,000000F0), ref: 009C1199
DestroyWindow.USER32(?), ref: 009C11B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 009C11ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 009C120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 009C121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 009C1232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 009C1245
IsWindowVisible.USER32(00000000), ref: 009C12A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 009C12BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 009C12D0
GetWindowRect.USER32(00000000,?), ref: 009C12E8
MonitorFromPoint.USER32(?,?,00000002), ref: 009C130E
GetMonitorInfoW.USER32(00000000,?), ref: 009C1328
CopyRect.USER32(?,?), ref: 009C133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 009C13AA

Strings

tooltips_class32, xrefs: 009C11E6
(, xrefs: 009C131B
0, xrefs: 009C10D3

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 6459991d6078b0a0683fe53f2d050f125cf3f1b8be616ea1bccb550427de00bd
Instruction ID: c504649a986ab7a639fe72a3d640744e656d9aaee8336ca4ff1c664a272d903e
Opcode Fuzzy Hash: 6459991d6078b0a0683fe53f2d050f125cf3f1b8be616ea1bccb550427de00bd
Instruction Fuzzy Hash: 32B17971A08341AFD714DF64C984F6ABBE4EF85354F00891CF9999B2A2C771E844CFA6

Function 009C0241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 009C02E5
_wcslen.LIBCMT ref: 009C031F
_wcslen.LIBCMT ref: 009C0389
_wcslen.LIBCMT ref: 009C03F1
_wcslen.LIBCMT ref: 009C0475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 009C04C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 009C0504

Part of subcall function 0094F9F2: _wcslen.LIBCMT ref: 0094F9FD

Part of subcall function 0099223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00992258
Part of subcall function 0099223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0099228A

Strings

SELECTCLEAR, xrefs: 009C052D
ISSELECTED, xrefs: 009C04DD
GETSUBITEMCOUNT, xrefs: 009C0384, 009C039F
GETSELECTED, xrefs: 009C05E1
VIEWCHANGE, xrefs: 009C0675
DESELECT, xrefs: 009C059C
SELECTINVERT, xrefs: 009C057E
GETITEMCOUNT, xrefs: 009C0316, 009C0337
GETSELECTEDCOUNT, xrefs: 009C0470, 009C048B
SELECT, xrefs: 009C0548
GETTEXT, xrefs: 009C03EC, 009C0407
FINDITEM, xrefs: 009C0627
SELECTALL, xrefs: 009C0515

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: 9ef3972a287eaf46091005794e9592e3cd83a3723ced4b0d13a88b3f50890106
Instruction ID: b5ea62041c5b3f5eb4c05ecf6070a049ad8eaf406b761079af46ff7daa3bad49
Opcode Fuzzy Hash: 9ef3972a287eaf46091005794e9592e3cd83a3723ced4b0d13a88b3f50890106
Instruction Fuzzy Hash: 0AE18C31608341DBCB28DF28C551E2AB7EABFC8714F144A5CF8969B2A1DB30ED45CB52

Function 00948891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00948968
GetSystemMetrics.USER32(00000007), ref: 00948970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0094899B
GetSystemMetrics.USER32(00000008), ref: 009489A3
GetSystemMetrics.USER32(00000004), ref: 009489C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 009489E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 009489F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00948A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00948A3C
GetClientRect.USER32(00000000,000000FF), ref: 00948A5A
GetStockObject.GDI32(00000011), ref: 00948A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00948A81

Part of subcall function 0094912D: GetCursorPos.USER32(?), ref: 00949141
Part of subcall function 0094912D: ScreenToClient.USER32(00000000,?), ref: 0094915E
Part of subcall function 0094912D: GetAsyncKeyState.USER32(00000001), ref: 00949183
Part of subcall function 0094912D: GetAsyncKeyState.USER32(00000002), ref: 0094919D

SetTimer.USER32(00000000,00000000,00000028,009490FC), ref: 00948AA8

Strings

AutoIt v3 GUI, xrefs: 00948A20

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 4a838798a377b187ac189bc6f292011159b3e9ef949b621049f98d2fac3f24b5
Instruction ID: 8e63db333461db076bbb658dbb64d53e9f17dc50e7186a31c73dbaddfafb138e
Opcode Fuzzy Hash: 4a838798a377b187ac189bc6f292011159b3e9ef949b621049f98d2fac3f24b5
Instruction Fuzzy Hash: 67B16D71A0420AAFDB14DFA8DD45FEE3BB5FB48314F104229FA19AB290DB74E941CB51

Function 00990D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 009910F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00991114
Part of subcall function 009910F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00990B9B,?,?,?), ref: 00991120
Part of subcall function 009910F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00990B9B,?,?,?), ref: 0099112F
Part of subcall function 009910F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00990B9B,?,?,?), ref: 00991136
Part of subcall function 009910F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0099114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00990DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00990E29
GetLengthSid.ADVAPI32(?), ref: 00990E40
GetAce.ADVAPI32(?,00000000,?), ref: 00990E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00990E96
GetLengthSid.ADVAPI32(?), ref: 00990EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00990EB5
HeapAlloc.KERNEL32(00000000), ref: 00990EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00990EDD
CopySid.ADVAPI32(00000000), ref: 00990EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00990F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00990F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00990F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00990F6E
HeapFree.KERNEL32(00000000), ref: 00990F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00990F7E
HeapFree.KERNEL32(00000000), ref: 00990F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00990F8E
HeapFree.KERNEL32(00000000), ref: 00990F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00990FA1
HeapFree.KERNEL32(00000000), ref: 00990FA8

Part of subcall function 00991193: GetProcessHeap.KERNEL32(00000008,00990BB1,?,00000000,?,00990BB1,?), ref: 009911A1
Part of subcall function 00991193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00990BB1,?), ref: 009911A8
Part of subcall function 00991193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00990BB1,?), ref: 009911B7

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 5152ca5c9ace3485fb28ae36e0b6d232b268cca0a382521ea6ba4faff36fbdb1
Instruction ID: 59066e9cc72646495ef7bd98fad698301600eb2b81b12afe90d39f849dc57257
Opcode Fuzzy Hash: 5152ca5c9ace3485fb28ae36e0b6d232b268cca0a382521ea6ba4faff36fbdb1
Instruction Fuzzy Hash: C67146B2D0420AAFDF20DFA9DC48FAEBBBCFF44301F048115E929A6191D7319A05CB60

Function 009BC3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 009BC4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,009CCC08,00000000,?,00000000,?,?), ref: 009BC544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 009BC5A4
_wcslen.LIBCMT ref: 009BC5F4
_wcslen.LIBCMT ref: 009BC66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 009BC6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 009BC7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 009BC84D
RegCloseKey.ADVAPI32(?), ref: 009BC881
RegCloseKey.ADVAPI32(00000000), ref: 009BC88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 009BC960

Strings

REG_DWORD, xrefs: 009BC804
REG_QWORD, xrefs: 009BC8C3
REG_BINARY, xrefs: 009BC913
REG_EXPAND_SZ, xrefs: 009BC5CD
REG_MULTI_SZ, xrefs: 009BC6F5
REG_SZ, xrefs: 009BC644

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: ea08aa40461397bf6c10277f108056202e16c9253033b26a3d96d9525f2bb695
Instruction ID: 08f23e1a2495a485aa82537208e2489a1ed8495ac59cece24754f184ea7fc143
Opcode Fuzzy Hash: ea08aa40461397bf6c10277f108056202e16c9253033b26a3d96d9525f2bb695
Instruction Fuzzy Hash: 931259B56082019FDB14DF15C991B6AB7E5EF88724F04885DF88A9B3A2DB31ED41CF81

Function 009C091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 009C09C6
_wcslen.LIBCMT ref: 009C0A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 009C0A54
_wcslen.LIBCMT ref: 009C0A8A
_wcslen.LIBCMT ref: 009C0B06
_wcslen.LIBCMT ref: 009C0B81

Part of subcall function 0094F9F2: _wcslen.LIBCMT ref: 0094F9FD

Part of subcall function 00992BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00992BFA

Strings

UNCHECK, xrefs: 009C0D3E
EXISTS, xrefs: 009C0B7C, 009C0B97
GETTOTALCOUNT, xrefs: 009C09F2, 009C0A17
ISCHECKED, xrefs: 009C0CE1
CHECK, xrefs: 009C0A85, 009C0AA0
EXPAND, xrefs: 009C0BF8
GETITEMCOUNT, xrefs: 009C0C1E
SELECT, xrefs: 009C0D11
GETTEXT, xrefs: 009C0C97
COLLAPSE, xrefs: 009C0B01, 009C0B1C
GETSELECTED, xrefs: 009C0C4E

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 1c00da603d09de866e3dca9e33fb922538a2379e05c0e60d87f805314c895de8
Instruction ID: 975fe49c096d3e38aa937c7e5bb3ed67dc4546f3c0e30a37da52d2ccd013b50b
Opcode Fuzzy Hash: 1c00da603d09de866e3dca9e33fb922538a2379e05c0e60d87f805314c895de8
Instruction Fuzzy Hash: 0BE17835A08701DFCB14DF69C450A2AB7E5BFD8318F10895CF8969B2A2D730ED45CB92

Function 009BC998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,009BB6AE,?,?), ref: 009BC9B5
_wcslen.LIBCMT ref: 009BC9F1
_wcslen.LIBCMT ref: 009BCA68
_wcslen.LIBCMT ref: 009BCA9E
_wcslen.LIBCMT ref: 009BCAF9
_wcslen.LIBCMT ref: 009BCB2F
_wcslen.LIBCMT ref: 009BCB7F

Strings

HKEY_CURRENT_CONFIG, xrefs: 009BCB79, 009BCB7E
HKEY_USERS, xrefs: 009BCBDF
HKCU, xrefs: 009BCBCE
HKLM, xrefs: 009BCA98, 009BCA9D
HKEY_CURRENT_USER, xrefs: 009BCBBD
HKCC, xrefs: 009BCBAC
HKEY_CLASSES_ROOT, xrefs: 009BCAF3, 009BCAF8
HKEY_LOCAL_MACHINE, xrefs: 009BCA62, 009BCA67
HKCR, xrefs: 009BCB29, 009BCB2E
HKU, xrefs: 009BCBF0

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 656fee900613aa9eb0234d2b0136e117d69cc1948600c5d633fb63876cc782b1
Instruction ID: fe915920b66b6bc746a600d14bd831ec74b4c0b1f2ccc469d51ba70553f1ef29
Opcode Fuzzy Hash: 656fee900613aa9eb0234d2b0136e117d69cc1948600c5d633fb63876cc782b1
Instruction Fuzzy Hash: 787108B261012A8BCB20DE7CCE516FF7799AFA0774F210528FC95AB284E635DD45C3A0

Function 009C833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 009C835A
_wcslen.LIBCMT ref: 009C836E
_wcslen.LIBCMT ref: 009C8391
_wcslen.LIBCMT ref: 009C83B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 009C83F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,009C5BF2), ref: 009C844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 009C8487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 009C84CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 009C8501
FreeLibrary.KERNEL32(?), ref: 009C850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 009C851D
DestroyIcon.USER32(?,?,?,?,?,009C5BF2), ref: 009C852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 009C8549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 009C8555

Strings

.dll, xrefs: 009C83AB
.exe, xrefs: 009C8388
.icl, xrefs: 009C8368

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: a6ded413befc2797e920e93579ec50a0ab52d6d0a7e314816d7da658749253db
Instruction ID: ba9eb42533868595ee91fbfcd49de174e8a796686224dc44fad671f420a9c0a7
Opcode Fuzzy Hash: a6ded413befc2797e920e93579ec50a0ab52d6d0a7e314816d7da658749253db
Instruction Fuzzy Hash: 3561F1B1904219BAEB18DF64CC41FBF7BACBB44B11F10454AF815D60E1DBB4AA80DBA0

Function 00937778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#comments-start, xrefs: 0093785F, 009378B1
#comments-end, xrefs: 009378D9
#include-once, xrefs: 0093782F
#requireadmin, xrefs: 009377FF
#ce, xrefs: 009378ED
", xrefs: 00975153
#notrayicon, xrefs: 009377E7
#include, xrefs: 00937847
#OnAutoItStartRegister, xrefs: 00937817
Cannot parse #include, xrefs: 00975279
#pragma compile, xrefs: 009377D3
', xrefs: 00975169
Bad directive syntax error, xrefs: 0097519A
#cs, xrefs: 00937873, 009378C5
Unterminated group of comments, xrefs: 0097528C

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: e89505a4190795692cab3f15a578ac319fa9260ee1cf03e728d0249e2cfabd7a
Instruction ID: 456f87eebf2df2b74a4e4a2f7d8ead7745b7255b7439e6c2eedbd228a21f7bc3
Opcode Fuzzy Hash: e89505a4190795692cab3f15a578ac319fa9260ee1cf03e728d0249e2cfabd7a
Instruction Fuzzy Hash: 80810BB1A44605BBDB20AFA0CC53FAF77A9AF95300F054424FD09BB196EBB0D915CB91

Function 009A3E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 009A3EF8
_wcslen.LIBCMT ref: 009A3F03
_wcslen.LIBCMT ref: 009A3F5A
_wcslen.LIBCMT ref: 009A3F98
GetDriveTypeW.KERNEL32(?), ref: 009A3FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 009A401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 009A4059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 009A4087

Strings

close cd wait, xrefs: 009A4072
open, xrefs: 009A3F54, 009A3F59
set cd door , xrefs: 009A4028
wait, xrefs: 009A4044
open , xrefs: 009A3FE5
closed, xrefs: 009A3F08, 009A3F2D, 009A3F46, 009A3F7E, 009A3F97
type cdaudio alias cd wait, xrefs: 009A4001
close, xrefs: 009A3EFE, 009A3F18

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: bcaa8ee43aca36a1481b680059d89b755ac2d98e027461fd05ecda5a407b3b34
Instruction ID: 4d468b4b95330962d0052c41935ee2307cbda156401d34361daacd8489640d5d
Opcode Fuzzy Hash: bcaa8ee43aca36a1481b680059d89b755ac2d98e027461fd05ecda5a407b3b34
Instruction Fuzzy Hash: 4771DE72A083119FC710EF24C88196AB7F8EFD5758F10892DFA9697251EB30ED45CB91

Function 00995A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00995A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00995A40
SetWindowTextW.USER32(?,?), ref: 00995A57
GetDlgItem.USER32(?,000003EA), ref: 00995A6C
SetWindowTextW.USER32(00000000,?), ref: 00995A72
GetDlgItem.USER32(?,000003E9), ref: 00995A82
SetWindowTextW.USER32(00000000,?), ref: 00995A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00995AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00995AC3
GetWindowRect.USER32(?,?), ref: 00995ACC
_wcslen.LIBCMT ref: 00995B33
SetWindowTextW.USER32(?,?), ref: 00995B6F
GetDesktopWindow.USER32 ref: 00995B75
GetWindowRect.USER32(00000000), ref: 00995B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00995BD3
GetClientRect.USER32(?,?), ref: 00995BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00995C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00995C2F

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: a8607fe706d0619e0b8640b0c8e87169928dd1a1acc12f7c18000ee040efb1cf
Instruction ID: 29f117a3ef02c43bb844f828080620af3b4eb30d2595524acb5eb19c189d3efe
Opcode Fuzzy Hash: a8607fe706d0619e0b8640b0c8e87169928dd1a1acc12f7c18000ee040efb1cf
Instruction Fuzzy Hash: DA716971900B09AFDB21DFA8CE85EAFBBF9FF48704F114918E586A25A0D775E940CB10

Function 009AFE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 009AFE27
LoadCursorW.USER32(00000000,00007F8A), ref: 009AFE32
LoadCursorW.USER32(00000000,00007F00), ref: 009AFE3D
LoadCursorW.USER32(00000000,00007F03), ref: 009AFE48
LoadCursorW.USER32(00000000,00007F8B), ref: 009AFE53
LoadCursorW.USER32(00000000,00007F01), ref: 009AFE5E
LoadCursorW.USER32(00000000,00007F81), ref: 009AFE69
LoadCursorW.USER32(00000000,00007F88), ref: 009AFE74
LoadCursorW.USER32(00000000,00007F80), ref: 009AFE7F
LoadCursorW.USER32(00000000,00007F86), ref: 009AFE8A
LoadCursorW.USER32(00000000,00007F83), ref: 009AFE95
LoadCursorW.USER32(00000000,00007F85), ref: 009AFEA0
LoadCursorW.USER32(00000000,00007F82), ref: 009AFEAB
LoadCursorW.USER32(00000000,00007F84), ref: 009AFEB6
LoadCursorW.USER32(00000000,00007F04), ref: 009AFEC1
LoadCursorW.USER32(00000000,00007F02), ref: 009AFECC
GetCursorInfo.USER32(?), ref: 009AFEDC
GetLastError.KERNEL32 ref: 009AFF1E

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: c170ba5daae6313251c528ca4a0ee19416ab0db77a0b779911b2fd38add37a9a
Instruction ID: 7a615370ce9cf91f5ea5f032b988b08e942c1e3727c16c71d3a087a687f9a5f7
Opcode Fuzzy Hash: c170ba5daae6313251c528ca4a0ee19416ab0db77a0b779911b2fd38add37a9a
Instruction Fuzzy Hash: DD4142B0D083196EDB109FBA8C89C5EBFE8FF05754B54452AE11DE7281DB78A901CF91

Function 009500C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 009500C6

Part of subcall function 009500ED: InitializeCriticalSectionAndSpinCount.KERNEL32(00A0070C,00000FA0,DC393021,?,?,?,?,009723B3,000000FF), ref: 0095011C
Part of subcall function 009500ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,009723B3,000000FF), ref: 00950127
Part of subcall function 009500ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,009723B3,000000FF), ref: 00950138
Part of subcall function 009500ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0095014E
Part of subcall function 009500ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0095015C
Part of subcall function 009500ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0095016A
Part of subcall function 009500ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00950195
Part of subcall function 009500ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 009501A0

___scrt_fastfail.LIBCMT ref: 009500E7

Part of subcall function 009500A3: __onexit.LIBCMT ref: 009500A9

Strings

api-ms-win-core-synch-l1-2-0.dll, xrefs: 00950122
WakeAllConditionVariable, xrefs: 00950162
InitializeConditionVariable, xrefs: 00950148
SleepConditionVariableCS, xrefs: 00950154
kernel32.dll, xrefs: 00950133

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 9392213b4c7e27b85d26d498dd87b7bd190c9a2e60c39fc9e13758fb36f13a7b
Instruction ID: b884a8eb5ca183a92f5c323cff70e570eb4954bf36210aa67e030d8859fd5a59
Opcode Fuzzy Hash: 9392213b4c7e27b85d26d498dd87b7bd190c9a2e60c39fc9e13758fb36f13a7b
Instruction Fuzzy Hash: 6F212972E4CB016FD7109BB6AC15F6A3798EBC5B52F040129FC05A26D1DF7498048B92

Function 009930F7 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0099318D
_wcslen.LIBCMT ref: 009931F8

Strings

INSTANCE, xrefs: 00993453
CLASSNN, xrefs: 009931F3, 00993204
NAME, xrefs: 00993335, 00993346
TEXT, xrefs: 0099347C
REGEXPCLASS, xrefs: 00993255, 00993266
CLASS, xrefs: 00993188, 009931A5

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: 1e15a12f10acb5b0c68ba64fbd44542f096f20565e038d79e28d9fb482f9d34f
Instruction ID: 5663df388006df29e060629be5605a15da129d83974888872b59367c59e66c25
Opcode Fuzzy Hash: 1e15a12f10acb5b0c68ba64fbd44542f096f20565e038d79e28d9fb482f9d34f
Instruction Fuzzy Hash: 80E1E532A00516ABCF28DFBCC4527EDBBB8BF94710F55C119E556E7250DB30AE858B90

Function 009A44C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,009CCC08), ref: 009A4527
_wcslen.LIBCMT ref: 009A453B
_wcslen.LIBCMT ref: 009A4599
_wcslen.LIBCMT ref: 009A45F4
_wcslen.LIBCMT ref: 009A463F
_wcslen.LIBCMT ref: 009A46A7

Part of subcall function 0094F9F2: _wcslen.LIBCMT ref: 0094F9FD

GetDriveTypeW.KERNEL32(?,009F6BF0,00000061), ref: 009A4743

Strings

cdrom, xrefs: 009A458F, 009A4594
fixed, xrefs: 009A4635, 009A463A
network, xrefs: 009A469D, 009A46A2
ramdisk, xrefs: 009A46F1
unknown, xrefs: 009A4708
removable, xrefs: 009A45EA, 009A45EF
all, xrefs: 009A4531, 009A4536

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 825c82a40ee355f104652da159a922c94b55050c99c5f3c2fe3bd732cf3bf7c7
Instruction ID: 3a610841c8cf7c9ac907425dac806e9aa0b654df10144118cdd1e1f4e1457bd1
Opcode Fuzzy Hash: 825c82a40ee355f104652da159a922c94b55050c99c5f3c2fe3bd732cf3bf7c7
Instruction Fuzzy Hash: 75B1F271A083029FC720DF28C891A7AB7E9BFE6764F50491DF496C7291E7B4D844CB92

Function 009B3FE9 Relevance: 23.2, APIs: 11, Strings: 2, Instructions: 478libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,009CCC08), ref: 009B40BB
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 009B40CD
GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,009CCC08), ref: 009B40F2
FreeLibrary.KERNEL32(00000000,?,009CCC08), ref: 009B413E
StringFromGUID2.OLE32(?,?,00000028,?,009CCC08), ref: 009B41A8
SysFreeString.OLEAUT32(00000009), ref: 009B4262
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 009B42C8
SysFreeString.OLEAUT32(?), ref: 009B42F2

Strings

GetModuleHandleExW, xrefs: 009B40C7
kernel32.dll, xrefs: 009B40B6

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 354098117-199464113
Opcode ID: b34d7c7f0d329739fb37fd24c921545f4792b169c4665eecfe52336c984f7454
Instruction ID: 0273e088578c2aecdba086a29fa14fba794dafa7637326ed375aba98f093be80
Opcode Fuzzy Hash: b34d7c7f0d329739fb37fd24c921545f4792b169c4665eecfe52336c984f7454
Instruction Fuzzy Hash: 6E124E75A00115EFDB14DF54C984EAEBBB9FF45314F148098F9099B262D731ED42DBA0

Function 0093326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00A01990), ref: 00972F8D
GetMenuItemCount.USER32(00A01990), ref: 0097303D
GetCursorPos.USER32(?), ref: 00973081
SetForegroundWindow.USER32(00000000), ref: 0097308A
TrackPopupMenuEx.USER32(00A01990,00000000,?,00000000,00000000,00000000), ref: 0097309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 009730A9

Strings

0, xrefs: 0093327D

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: f558f833c43e7bd8c38172c7872e662826bb0c2f91a98fa12119d2fae6f38a1e
Instruction ID: fa39880908adc1bfedb65db351c61ddf9bfdec403f6e8087b9fac134b3ff5220
Opcode Fuzzy Hash: f558f833c43e7bd8c38172c7872e662826bb0c2f91a98fa12119d2fae6f38a1e
Instruction Fuzzy Hash: 8D712A71644205BFEB218F69CC49FAABF68FF45364F208216F5286A1E0C7B5AD10DB50

Function 009C6CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 009C6DEB

Part of subcall function 00936B57: _wcslen.LIBCMT ref: 00936B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 009C6E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 009C6E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 009C6E94
DestroyWindow.USER32(?), ref: 009C6EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00930000,00000000), ref: 009C6EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 009C6EFD
GetDesktopWindow.USER32 ref: 009C6F16
GetWindowRect.USER32(00000000), ref: 009C6F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 009C6F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 009C6F4D

Part of subcall function 00949944: GetWindowLongW.USER32(?,000000EB), ref: 00949952

Strings

tooltips_class32, xrefs: 009C6E58, 009C6EDD
0, xrefs: 009C6D98

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 0e9e0e345d92344dcf8ed6795d23f6f0745fa66f24b5b5d1309fd2e39b118715
Instruction ID: e5b736d78d0d6c47c9f5c05b3a6072fbd9b11ae683d28d3ba5a7ba704b5b151c
Opcode Fuzzy Hash: 0e9e0e345d92344dcf8ed6795d23f6f0745fa66f24b5b5d1309fd2e39b118715
Instruction Fuzzy Hash: FF714874904245AFDB21CF58DC48FAABBF9FF89344F44481EF99987261C770A906DB12

Function 009C911E Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00949BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00949BB2

DragQueryPoint.SHELL32(?,?), ref: 009C9147

Part of subcall function 009C7674: ClientToScreen.USER32(?,?), ref: 009C769A
Part of subcall function 009C7674: GetWindowRect.USER32(?,?), ref: 009C7710
Part of subcall function 009C7674: PtInRect.USER32(?,?,009C8B89), ref: 009C7720

SendMessageW.USER32(?,000000B0,?,?), ref: 009C91B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 009C91BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 009C91DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 009C9225
SendMessageW.USER32(?,000000B0,?,?), ref: 009C923E
SendMessageW.USER32(?,000000B1,?,?), ref: 009C9255
SendMessageW.USER32(?,000000B1,?,?), ref: 009C9277
DragFinish.SHELL32(?), ref: 009C927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 009C9371

Strings

@GUI_DRAGFILE, xrefs: 009C9320
@GUI_DRAGID, xrefs: 009C92E9
@GUI_DROPID, xrefs: 009C929E

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 221274066-3440237614
Opcode ID: 1d9ea339d44fc7d99b64be683e5357afd2751b29b0b7ea67419f156cfdaf04ea
Instruction ID: 3d7f06e525a864c0b62c5dfd0a2c7b846f5ab6e74e18a3d75d67532b2d3f22de
Opcode Fuzzy Hash: 1d9ea339d44fc7d99b64be683e5357afd2751b29b0b7ea67419f156cfdaf04ea
Instruction Fuzzy Hash: B2617A71508301AFD701DF64DD89EAFBBE8EFC9750F00491EF596922A0DB709A49CB52

Function 009AC476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 009AC4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 009AC4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 009AC4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 009AC4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 009AC533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 009AC549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 009AC554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 009AC584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 009AC5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 009AC5F0
InternetCloseHandle.WININET(00000000), ref: 009AC5FB

Strings

, xrefs: 009AC575

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: ba023c2e304ac4923cc3c0fc9f648c74d48bdc088bcd6161125d854aa134c816
Instruction ID: ed98ece78364e0c0c0095acc53accc981da6f255ffe9ffe6bdb7326626a4b41a
Opcode Fuzzy Hash: ba023c2e304ac4923cc3c0fc9f648c74d48bdc088bcd6161125d854aa134c816
Instruction Fuzzy Hash: 78514DF1904605BFDB219F64C948EAB7BFCFF09754F005419F9499A610DB34EA44EBA0

Function 009C856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 009C8592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 009C85A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 009C85AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 009C85BA
GlobalLock.KERNEL32(00000000), ref: 009C85C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 009C85D7
GlobalUnlock.KERNEL32(00000000), ref: 009C85E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 009C85E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 009C85F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,009CFC38,?), ref: 009C8611
GlobalFree.KERNEL32(00000000), ref: 009C8621
GetObjectW.GDI32(?,00000018,?), ref: 009C8641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 009C8671
DeleteObject.GDI32(?), ref: 009C8699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 009C86AF

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: bb7f3d4ed63e2ef69f218a84322bd29bb0b67947be88bf556da53a56330b11a7
Instruction ID: 7212dbe977eda524c7d3aed4c76ef8a74d8ac7a11ba0e93ff9fa649f26dc13a1
Opcode Fuzzy Hash: bb7f3d4ed63e2ef69f218a84322bd29bb0b67947be88bf556da53a56330b11a7
Instruction Fuzzy Hash: A74149B1A00204AFDB118FA5CD48EAB7BBCFF89751F104058F919E7260DB709901DB21

Function 009A14BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 009A1502
VariantCopy.OLEAUT32(?,?), ref: 009A150B
VariantClear.OLEAUT32(?), ref: 009A1517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 009A15FB
VarR8FromDec.OLEAUT32(?,?), ref: 009A1657
VariantInit.OLEAUT32(?), ref: 009A1708
SysFreeString.OLEAUT32(?), ref: 009A178C
VariantClear.OLEAUT32(?), ref: 009A17D8
VariantClear.OLEAUT32(?), ref: 009A17E7
VariantInit.OLEAUT32(00000000), ref: 009A1823

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 009A1625
Default, xrefs: 009A16AF

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: e65172f601d4bff77abc18af5310ae1283379cd53c13f50847facd6e0b7a21b8
Instruction ID: ab7f18c35ac2791aae641e04d410a22da94218a265a9c54fad58db28f7e4b34c
Opcode Fuzzy Hash: e65172f601d4bff77abc18af5310ae1283379cd53c13f50847facd6e0b7a21b8
Instruction Fuzzy Hash: 83D12071E04605EBDB009FA5E894B7DB7B5BF86700F11885AF44AAF190DB34EC40DBA2

Function 009BB60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00939CB3: _wcslen.LIBCMT ref: 00939CBD

Part of subcall function 009BC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,009BB6AE,?,?), ref: 009BC9B5
Part of subcall function 009BC998: _wcslen.LIBCMT ref: 009BC9F1
Part of subcall function 009BC998: _wcslen.LIBCMT ref: 009BCA68
Part of subcall function 009BC998: _wcslen.LIBCMT ref: 009BCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 009BB6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 009BB772
RegDeleteValueW.ADVAPI32(?,?), ref: 009BB80A
RegCloseKey.ADVAPI32(?), ref: 009BB87E
RegCloseKey.ADVAPI32(?), ref: 009BB89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 009BB8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 009BB904
RegDeleteKeyW.ADVAPI32(?,?), ref: 009BB922
FreeLibrary.KERNEL32(00000000), ref: 009BB983
RegCloseKey.ADVAPI32(00000000), ref: 009BB994

Strings

RegDeleteKeyExW, xrefs: 009BB8FE
advapi32.dll, xrefs: 009BB8ED

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 338f9ac52ed32e16195440c7f0d60a84aaf84a494daf151b7b9771a882ebd8aa
Instruction ID: 8cc8aca95863b100c6caf86ba598ee6a14d9a98ef25e9c1cb7483e850fd403ea
Opcode Fuzzy Hash: 338f9ac52ed32e16195440c7f0d60a84aaf84a494daf151b7b9771a882ebd8aa
Instruction Fuzzy Hash: 88C18A74208201AFD714DF14C594F6ABBE5BF84328F14849CE49A8B2A2CBB5ED45CF92

Function 009B255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 009B25D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 009B25E8
CreateCompatibleDC.GDI32(?), ref: 009B25F4
SelectObject.GDI32(00000000,?), ref: 009B2601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 009B266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 009B26AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 009B26D0
SelectObject.GDI32(?,?), ref: 009B26D8
DeleteObject.GDI32(?), ref: 009B26E1
DeleteDC.GDI32(?), ref: 009B26E8
ReleaseDC.USER32(00000000,?), ref: 009B26F3

Strings

(, xrefs: 009B268D

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: a15502bffa8ae5ef304ac69a91de1572b9d0c6a8a4ce41760a80376a6035be07
Instruction ID: aefa2a0029245dec7b8d3a6ba3b0f62d0316d4c7e3b2b38d1b0aaa996577d155
Opcode Fuzzy Hash: a15502bffa8ae5ef304ac69a91de1572b9d0c6a8a4ce41760a80376a6035be07
Instruction Fuzzy Hash: CE61E2B5D04219EFCF04CFA8D984EAEBBB5FF48310F24852AE959A7250D770A941DF60

Function 0096DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0096DAA1

Part of subcall function 0096D63C: _free.LIBCMT ref: 0096D659
Part of subcall function 0096D63C: _free.LIBCMT ref: 0096D66B
Part of subcall function 0096D63C: _free.LIBCMT ref: 0096D67D
Part of subcall function 0096D63C: _free.LIBCMT ref: 0096D68F
Part of subcall function 0096D63C: _free.LIBCMT ref: 0096D6A1
Part of subcall function 0096D63C: _free.LIBCMT ref: 0096D6B3
Part of subcall function 0096D63C: _free.LIBCMT ref: 0096D6C5
Part of subcall function 0096D63C: _free.LIBCMT ref: 0096D6D7
Part of subcall function 0096D63C: _free.LIBCMT ref: 0096D6E9
Part of subcall function 0096D63C: _free.LIBCMT ref: 0096D6FB
Part of subcall function 0096D63C: _free.LIBCMT ref: 0096D70D
Part of subcall function 0096D63C: _free.LIBCMT ref: 0096D71F
Part of subcall function 0096D63C: _free.LIBCMT ref: 0096D731

_free.LIBCMT ref: 0096DA96

Part of subcall function 009629C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0096D7D1,00000000,00000000,00000000,00000000,?,0096D7F8,00000000,00000007,00000000,?,0096DBF5,00000000), ref: 009629DE
Part of subcall function 009629C8: GetLastError.KERNEL32(00000000,?,0096D7D1,00000000,00000000,00000000,00000000,?,0096D7F8,00000000,00000007,00000000,?,0096DBF5,00000000,00000000), ref: 009629F0

_free.LIBCMT ref: 0096DAB8
_free.LIBCMT ref: 0096DACD
_free.LIBCMT ref: 0096DAD8
_free.LIBCMT ref: 0096DAFA
_free.LIBCMT ref: 0096DB0D
_free.LIBCMT ref: 0096DB1B
_free.LIBCMT ref: 0096DB26
_free.LIBCMT ref: 0096DB5E
_free.LIBCMT ref: 0096DB65
_free.LIBCMT ref: 0096DB82
_free.LIBCMT ref: 0096DB9A

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 4cd5128abd74de95a371ab66b9219bf5a75c02b4f987bf4fe9d7477345ed0b92
Instruction ID: a3372abadcd3e47e0412aecd45d547c0c90b149e1510162d7f12447d6bfd5528
Opcode Fuzzy Hash: 4cd5128abd74de95a371ab66b9219bf5a75c02b4f987bf4fe9d7477345ed0b92
Instruction Fuzzy Hash: 3A315831B097049FEB25AB79E945B6AB7EDFF80350F154429E469D7191DB30EC808B20

Function 0099365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0099369C
_wcslen.LIBCMT ref: 009936A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00993797
GetClassNameW.USER32(?,?,00000400), ref: 0099380C
GetDlgCtrlID.USER32(?), ref: 0099385D
GetWindowRect.USER32(?,?), ref: 00993882
GetParent.USER32(?), ref: 009938A0
ScreenToClient.USER32(00000000), ref: 009938A7
GetClassNameW.USER32(?,?,00000100), ref: 00993921
GetWindowTextW.USER32(?,?,00000400), ref: 0099395D

Strings

%s%u, xrefs: 00993734

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: c77c4d97eea253c56e8ff32400d0840ccb07ee3974d418348142c661429533b3
Instruction ID: 99fe115c063a53be29460e55d7ab711ed9a20cc912dabf2cd6837d14e10da36c
Opcode Fuzzy Hash: c77c4d97eea253c56e8ff32400d0840ccb07ee3974d418348142c661429533b3
Instruction Fuzzy Hash: 0691B271204606EFDB19DF69C885FAAF7ACFF44354F008629F99AD2190DB30EA45CB91

Function 00994954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00994994
GetWindowTextW.USER32(?,?,00000400), ref: 009949DA
_wcslen.LIBCMT ref: 009949EB
CharUpperBuffW.USER32(?,00000000), ref: 009949F7
_wcsstr.LIBVCRUNTIME ref: 00994A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00994A64
GetWindowTextW.USER32(?,?,00000400), ref: 00994A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00994AE6
GetClassNameW.USER32(?,?,00000400), ref: 00994B20
GetWindowRect.USER32(?,?), ref: 00994B8B

Strings

ThumbnailClass, xrefs: 00994A6F, 00994AF1

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 07708dc791dfc2adb1e6e2c13b255011eab0dbca0f44ee567ca4249201bb00bf
Instruction ID: 934c0d4284d1f1ad5ed26c5ec9735181032978724f720298fade347609f619e2
Opcode Fuzzy Hash: 07708dc791dfc2adb1e6e2c13b255011eab0dbca0f44ee567ca4249201bb00bf
Instruction Fuzzy Hash: FB919C710082069FDF06CF18C985FAA77ECEF84314F048469FD899A196EB34ED46CBA1

Function 009C8D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00949BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00949BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 009C8D5A
GetFocus.USER32 ref: 009C8D6A
GetDlgCtrlID.USER32(00000000), ref: 009C8D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 009C8E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 009C8ECF
GetMenuItemCount.USER32(?), ref: 009C8EEC
GetMenuItemID.USER32(?,00000000), ref: 009C8EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 009C8F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 009C8F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 009C8FA1

Strings

0, xrefs: 009C8E9F

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: 9d3521e9689ae9b1a737eef4e4845c58bfefb5b42a72a8ee4587ebda2521ffc9
Instruction ID: 2bd55b4d6167327e4f1e690d28a261faaeaebc34a863018e9bac649f68bc528b
Opcode Fuzzy Hash: 9d3521e9689ae9b1a737eef4e4845c58bfefb5b42a72a8ee4587ebda2521ffc9
Instruction Fuzzy Hash: 1281ACB1908301AFDB10DF24D984FABBBE9FB89354F14091DF98997291DB30D901DBA2

Function 0099BF30 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00A01990,000000FF,00000000,00000030), ref: 0099BFAC
SetMenuItemInfoW.USER32(00A01990,00000004,00000000,00000030), ref: 0099BFE1
Sleep.KERNEL32(000001F4), ref: 0099BFF3
GetMenuItemCount.USER32(?), ref: 0099C039
GetMenuItemID.USER32(?,00000000), ref: 0099C056
GetMenuItemID.USER32(?,-00000001), ref: 0099C082
GetMenuItemID.USER32(?,?), ref: 0099C0C9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0099C10F
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0099C124
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0099C145

Strings

0, xrefs: 0099BF3D

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep
String ID: 0
API String ID: 1460738036-4108050209
Opcode ID: 16f26ce46c0958495fb960d01bbc8da4115d114dc0801e10723fce08ab28795a
Instruction ID: ea0e84a15ceae98938a72435e694167ac94a5b0d8aa11c194eb012aecf17302d
Opcode Fuzzy Hash: 16f26ce46c0958495fb960d01bbc8da4115d114dc0801e10723fce08ab28795a
Instruction Fuzzy Hash: 5B61AEF090428AAFEF21CF68DD88EEE7BB8EB45344F044155F805A3292C735AD45DB61

Function 0099DC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 0099DC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 0099DC46
_wcslen.LIBCMT ref: 0099DC50
_wcsstr.LIBVCRUNTIME ref: 0099DCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 0099DCBC

Strings

DefaultLangCodepage, xrefs: 0099DD1F
%u.%u.%u.%u, xrefs: 0099DD9A
\VarFileInfo\Translation, xrefs: 0099DCB4
04090000, xrefs: 0099DCF2
StringFileInfo\, xrefs: 0099DC8F

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: e9533772a01bac0fb048ea14d8f3b0727a2974fb1f3bd12b793b1bb5f1230fce
Instruction ID: 9fafe81dd1c901e8fdeb14720d6d5d48cf953c41c2a6c3a2e65c7d8e2e8b8e2c
Opcode Fuzzy Hash: e9533772a01bac0fb048ea14d8f3b0727a2974fb1f3bd12b793b1bb5f1230fce
Instruction Fuzzy Hash: 744143729002057AEB04AB799C43FBF3BACEF82751F100469F904B61C2EB74990087A1

Function 009BCC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 009BCC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 009BCC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 009BCD48

Part of subcall function 009BCC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 009BCCAA
Part of subcall function 009BCC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 009BCCBD
Part of subcall function 009BCC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 009BCCCF
Part of subcall function 009BCC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 009BCD05
Part of subcall function 009BCC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 009BCD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 009BCCF3

Strings

RegDeleteKeyExW, xrefs: 009BCCC9
advapi32.dll, xrefs: 009BCCB8

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 337f1d61e5972a35d37c529048fa22699143b9b10e886f43de3ee31fff6b37f9
Instruction ID: bfe8a00f375709fc0a1648d597101bb61d998c84ca42d963a153cb160131f297
Opcode Fuzzy Hash: 337f1d61e5972a35d37c529048fa22699143b9b10e886f43de3ee31fff6b37f9
Instruction Fuzzy Hash: C93180B5D01129BBDB208B51DD88EFFBF7CEF95760F000569E909E2240D7349A45EBA0

Function 009A3D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 009A3D40
_wcslen.LIBCMT ref: 009A3D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 009A3D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 009A3DBE
RemoveDirectoryW.KERNEL32(?), ref: 009A3DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 009A3E55
CloseHandle.KERNEL32(00000000), ref: 009A3E60
CloseHandle.KERNEL32(00000000), ref: 009A3E6B

Strings

:, xrefs: 009A3D82
\??\%s, xrefs: 009A3D5B
\, xrefs: 009A3D77

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: 40af9b208f04cc1e3e7896ca4dd29345e7b372345231f6b9460e4b6ad7b92d3c
Instruction ID: da96d786e731501f5bcd05b88a2bf70a09302b55dc756896a81913841c380651
Opcode Fuzzy Hash: 40af9b208f04cc1e3e7896ca4dd29345e7b372345231f6b9460e4b6ad7b92d3c
Instruction Fuzzy Hash: BB31B2B2914209ABDB21DBA0DC49FEF3BBCEF89740F1080B5F919D60A0E77497448B64

Function 0099E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0099E6B4

Part of subcall function 0094E551: timeGetTime.WINMM(?,?,0099E6D4), ref: 0094E555

Sleep.KERNEL32(0000000A), ref: 0099E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 0099E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0099E727
SetActiveWindow.USER32 ref: 0099E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0099E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 0099E773
Sleep.KERNEL32(000000FA), ref: 0099E77E
IsWindow.USER32 ref: 0099E78A
EndDialog.USER32(00000000), ref: 0099E79B

Strings

BUTTON, xrefs: 0099E719

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: aa5bde28bb8fa10d0b5038f2a3f0ef80691186cc1bcc316a2a48757c40e1ceee
Instruction ID: 1a8d55dca32c33e94d5d4e2d2a1ba5da6ea64eebe82a61e9f208a2839fb872e9
Opcode Fuzzy Hash: aa5bde28bb8fa10d0b5038f2a3f0ef80691186cc1bcc316a2a48757c40e1ceee
Instruction Fuzzy Hash: B4218EB0618349AFEF00EFA8ED8DF263F6DF754749F140424F509821A1DB72AC42AB25

Function 0099E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00939CB3: _wcslen.LIBCMT ref: 00939CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0099EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0099EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0099EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0099EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0099EAA7

Strings

close PlayMe, xrefs: 0099EA6E, 0099EA9B
alias PlayMe, xrefs: 0099EA36
open , xrefs: 0099EA0C
play PlayMe wait, xrefs: 0099EA91
play PlayMe, xrefs: 0099EAA2
status PlayMe mode, xrefs: 0099EA58

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 5aa1f47bed618460edb89d7e010f0db0907919cd2274efb9b05f22142a9d37e7
Instruction ID: 974cde6430f869a1de13d0b042c9c9065ec08ed3d79a7a252dfead4e1b52918e
Opcode Fuzzy Hash: 5aa1f47bed618460edb89d7e010f0db0907919cd2274efb9b05f22142a9d37e7
Instruction Fuzzy Hash: 08117331A9131D79DB20E7A5DC4AEFF6ABCEBD1F44F404429B501A20D1EEB05D45CAB0

Function 00999F91 Relevance: 18.2, APIs: 12, Instructions: 188keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 0099A012
SetKeyboardState.USER32(?), ref: 0099A07D
GetAsyncKeyState.USER32(000000A0), ref: 0099A09D
GetKeyState.USER32(000000A0), ref: 0099A0B4
GetAsyncKeyState.USER32(000000A1), ref: 0099A0E3
GetKeyState.USER32(000000A1), ref: 0099A0F4
GetAsyncKeyState.USER32(00000011), ref: 0099A120
GetKeyState.USER32(00000011), ref: 0099A12E
GetAsyncKeyState.USER32(00000012), ref: 0099A157
GetKeyState.USER32(00000012), ref: 0099A165
GetAsyncKeyState.USER32(0000005B), ref: 0099A18E
GetKeyState.USER32(0000005B), ref: 0099A19C

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: bd95eed095b20b2a6451d719fff3542935fcbd650e9821d2411cb2cbdf1cb6d6
Instruction ID: c1228eab876fef3242db9eb8dde64b5b25686915301688ebf3abb5f20682cf73
Opcode Fuzzy Hash: bd95eed095b20b2a6451d719fff3542935fcbd650e9821d2411cb2cbdf1cb6d6
Instruction Fuzzy Hash: 4551C9209087882AFF35DBAC89117EAFFB8DF52384F08459DD5C2571C2DA54AE4CC7A2

Function 00995CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00995CE2
GetWindowRect.USER32(00000000,?), ref: 00995CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00995D59
GetDlgItem.USER32(?,00000002), ref: 00995D69
GetWindowRect.USER32(00000000,?), ref: 00995D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00995DCF
GetDlgItem.USER32(?,000003E9), ref: 00995DDD
GetWindowRect.USER32(00000000,?), ref: 00995DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00995E31
GetDlgItem.USER32(?,000003EA), ref: 00995E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00995E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00995E67

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 1b2c8c20ac26e7c17d0e1a8ead42d82ace6b8573eb7467b426c931692f84fbfc
Instruction ID: 52e4951da3688526df30dfef8b7c1d27faa35ddca04b769268e142519e519143
Opcode Fuzzy Hash: 1b2c8c20ac26e7c17d0e1a8ead42d82ace6b8573eb7467b426c931692f84fbfc
Instruction Fuzzy Hash: 4951FFB1E10605AFDF19CFA8DE89EAE7BB9FB48300F558129F519E6290D7709E04CB50

Function 00948BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00948F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00948BE8,?,00000000,?,?,?,?,00948BBA,00000000,?), ref: 00948FC5

DestroyWindow.USER32(?), ref: 00948C81
KillTimer.USER32(00000000,?,?,?,?,00948BBA,00000000,?), ref: 00948D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00986973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00948BBA,00000000,?), ref: 009869A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00948BBA,00000000,?), ref: 009869B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00948BBA,00000000), ref: 009869D4
DeleteObject.GDI32(00000000), ref: 009869E6

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: aa024ebf68265ddcaa341baa5563f31505976c3f7263b2fd30ea421574af8883
Instruction ID: 01b332f96a60663154d0440a594519245dfe2d446648b61d2393dae9ecc90673
Opcode Fuzzy Hash: aa024ebf68265ddcaa341baa5563f31505976c3f7263b2fd30ea421574af8883
Instruction Fuzzy Hash: 1B61BF31902614DFCB25EF64DA88F6A7BF5FB40312F14491CE0869B6A0CB35AD82DF90

Function 00949838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00949944: GetWindowLongW.USER32(?,000000EB), ref: 00949952

GetSysColor.USER32(0000000F), ref: 00949862

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: bfcdffdbad99b93f9cd12eb943ba4125b49a4ae77c95184a6dcb5e955451d4f2
Instruction ID: 2876a9a9db555f5a673eeff6de75b617e49db86a16f7620812c0efa827852f4e
Opcode Fuzzy Hash: bfcdffdbad99b93f9cd12eb943ba4125b49a4ae77c95184a6dcb5e955451d4f2
Instruction Fuzzy Hash: A041B571508644AFDB209F7C9C94FBA3B69EB46330F284615FAA6872E1D735DC42EB10

Function 009996E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0097F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00999717
LoadStringW.USER32(00000000,?,0097F7F8,00000001), ref: 00999720

Part of subcall function 00939CB3: _wcslen.LIBCMT ref: 00939CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0097F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00999742
LoadStringW.USER32(00000000,?,0097F7F8,00000001), ref: 00999745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00999866

Strings

Error: , xrefs: 0099981D
Line %d:, xrefs: 009997A0
%s (%d) : ==> %s: %s %s, xrefs: 0099984A
Line %d (File "%s"):, xrefs: 0099978F
^ ERROR, xrefs: 009997FB

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: c2f48b2873189c68884e601a0b8be2f906f58c7d896bdbda2559f3218219624f
Instruction ID: 419d3e4330ac9eaf950a5c6a5c8b86a0937c3e91616e665534aa7145a9a5b50a
Opcode Fuzzy Hash: c2f48b2873189c68884e601a0b8be2f906f58c7d896bdbda2559f3218219624f
Instruction Fuzzy Hash: 61413972844209AACF04EBE4DE86FEEB778AF95340F504029F60572092EA656F49CF61

Function 009906DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00936B57: _wcslen.LIBCMT ref: 00936B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 009907A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 009907BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 009907DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00990804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 0099082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00990837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0099083C

Strings

SOFTWARE\Classes\, xrefs: 0099070E
\IPC$, xrefs: 00990784
\CLSID, xrefs: 00990724

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 39e5e3ec1f88fa2e02b2c436d18d5ac466ca3d615c459e680c268c7a77ac3fec
Instruction ID: ba1a99b031112a6da990ec187b36b02d15c6f7494f9f889b7bb1a953ddffed64
Opcode Fuzzy Hash: 39e5e3ec1f88fa2e02b2c436d18d5ac466ca3d615c459e680c268c7a77ac3fec
Instruction Fuzzy Hash: 8F4115B2C14229AFCF15EBA4DC85EEDB778BF84350F448129E915A3161EB709E44CFA0

Function 009C3F98 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 009C403B
CreateCompatibleDC.GDI32(00000000), ref: 009C4042
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 009C4055
SelectObject.GDI32(00000000,00000000), ref: 009C405D
GetPixel.GDI32(00000000,00000000,00000000), ref: 009C4068
DeleteDC.GDI32(00000000), ref: 009C4072
GetWindowLongW.USER32(?,000000EC), ref: 009C407C
SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 009C4092
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 009C409E

Strings

static, xrefs: 009C3FD3

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 391d425a2c8cd8fd7daa07e819952f21d0ae9c3fdac9a38fe7f64578c148a95d
Instruction ID: 52549614a43d98da1de6537386a0b4d8f021e03d55359645498d0497d6cd33c3
Opcode Fuzzy Hash: 391d425a2c8cd8fd7daa07e819952f21d0ae9c3fdac9a38fe7f64578c148a95d
Instruction Fuzzy Hash: 96315A72955219BBDF219FA4CC49FDA3FA8FF0D324F110219FA18A61A0C775D811EB61

Function 009B3C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 009B3C5C
CoInitialize.OLE32(00000000), ref: 009B3C8A
CoUninitialize.OLE32 ref: 009B3C94
_wcslen.LIBCMT ref: 009B3D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 009B3DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 009B3ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 009B3F0E
CoGetObject.OLE32(?,00000000,009CFB98,?), ref: 009B3F2D
SetErrorMode.KERNEL32(00000000), ref: 009B3F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 009B3FC4
VariantClear.OLEAUT32(?), ref: 009B3FD8

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: fd0ee0e2b6ec55e7620465fadacfae439f19eab13538e7fa700ccc974294968a
Instruction ID: c493938247546ae6c2e85e59a90b3033155213ec5bfdbde13839f1366dd56bd5
Opcode Fuzzy Hash: fd0ee0e2b6ec55e7620465fadacfae439f19eab13538e7fa700ccc974294968a
Instruction Fuzzy Hash: BEC134B16082059FD700DF68C984A6BBBE9FF89754F14891DF98A9B250DB30EE05CB52

Function 009A7A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 009A7AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 009A7B8F
SHGetDesktopFolder.SHELL32(?), ref: 009A7BA3
CoCreateInstance.OLE32(009CFD08,00000000,00000001,009F6E6C,?), ref: 009A7BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 009A7C74
CoTaskMemFree.OLE32(?,?), ref: 009A7CCC
SHBrowseForFolderW.SHELL32(?), ref: 009A7D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 009A7D7A
CoTaskMemFree.OLE32(00000000), ref: 009A7D81
CoTaskMemFree.OLE32(00000000), ref: 009A7DD6
CoUninitialize.OLE32 ref: 009A7DDC

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 8e3b8f086538aaae5778da13c3caed069e99f3bdb4cb94fa4c5a2a4d99310da8
Instruction ID: 677b983c2b47496044f3fca553f47b749aa5e8bba3a61a9327fc7a27ca877a65
Opcode Fuzzy Hash: 8e3b8f086538aaae5778da13c3caed069e99f3bdb4cb94fa4c5a2a4d99310da8
Instruction Fuzzy Hash: C0C10975A04209AFCB14DFA4C885EAEBBB9FF49314F148499F81A9B261D730ED45CF90

Function 009C541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 009C5504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 009C5515
CharNextW.USER32(00000158), ref: 009C5544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 009C5585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 009C559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 009C55AC

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 7687e6ac16aa83b0995d2312c2f1aa1ce2c76eaf32f128a1737270bd956bb2ee
Instruction ID: 1cbd9e701e6cd9434b7792bb004eccd646a445fd45864bf4cf069d924b465155
Opcode Fuzzy Hash: 7687e6ac16aa83b0995d2312c2f1aa1ce2c76eaf32f128a1737270bd956bb2ee
Instruction Fuzzy Hash: 2761BD70D04609ABDF108F94CD84FFE7BB9EB09320F118449F925A72A1D734AAC1DB62

Function 0098FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0098FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 0098FB08
VariantInit.OLEAUT32(?), ref: 0098FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 0098FB3A
VariantCopy.OLEAUT32(?,?), ref: 0098FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 0098FBA1
VariantClear.OLEAUT32(?), ref: 0098FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 0098FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0098FBCC
VariantClear.OLEAUT32(?), ref: 0098FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0098FBE9

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: bab93b47ca018e488f26a9e386b332bd3c6ff3102d1fadcfa2dfe11c66349b3f
Instruction ID: 5f06c1cc6302525bd65325cf67a85703d88dc20fc50d015e070313e77d1018ed
Opcode Fuzzy Hash: bab93b47ca018e488f26a9e386b332bd3c6ff3102d1fadcfa2dfe11c66349b3f
Instruction Fuzzy Hash: 3D414175E042199FCB04EF64D864DADBBB9FF48354F008065E94AA7361D730E945DFA0

Function 00999C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00999CA1
GetAsyncKeyState.USER32(000000A0), ref: 00999D22
GetKeyState.USER32(000000A0), ref: 00999D3D
GetAsyncKeyState.USER32(000000A1), ref: 00999D57
GetKeyState.USER32(000000A1), ref: 00999D6C
GetAsyncKeyState.USER32(00000011), ref: 00999D84
GetKeyState.USER32(00000011), ref: 00999D96
GetAsyncKeyState.USER32(00000012), ref: 00999DAE
GetKeyState.USER32(00000012), ref: 00999DC0
GetAsyncKeyState.USER32(0000005B), ref: 00999DD8
GetKeyState.USER32(0000005B), ref: 00999DEA

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 63750c251dd20f5ed2eaa3ff718d6595c3f30ada202f0b8ebd10f3ea18de4280
Instruction ID: eeef27a17677eab9a6f8f2e7b4df1af5b4883428b66804a04e4c0597b6e8eb2f
Opcode Fuzzy Hash: 63750c251dd20f5ed2eaa3ff718d6595c3f30ada202f0b8ebd10f3ea18de4280
Instruction Fuzzy Hash: 36410D749087C96DFF30876CC8447B5BEE86F12344F04805EE6CA566C2EBA59DC4C792

Function 009B055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 009B05BC
inet_addr.WSOCK32(?), ref: 009B061C
gethostbyname.WSOCK32(?), ref: 009B0628
IcmpCreateFile.IPHLPAPI ref: 009B0636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 009B06C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 009B06E5
IcmpCloseHandle.IPHLPAPI(?), ref: 009B07B9
WSACleanup.WSOCK32 ref: 009B07BF

Strings

Ping, xrefs: 009B0676

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: b00e15318ab3ccb9baa2b212bb6fd9a3df8be0d8a1f025a3c246ff019ce98986
Instruction ID: 927a6c5d5c884233ef5896d8a090a2d558d0e9e1ab65a73803a49b93202cec59
Opcode Fuzzy Hash: b00e15318ab3ccb9baa2b212bb6fd9a3df8be0d8a1f025a3c246ff019ce98986
Instruction Fuzzy Hash: 66918D756082019FD320CF15C989F5BBBE4AF84328F1485A9F46A8B6A2CB70FD45CF91

Function 009B8CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 009B8CF3

Part of subcall function 00998E54: _wcslen.LIBCMT ref: 00998E77

_wcslen.LIBCMT ref: 009B8D4E
_wcslen.LIBCMT ref: 009B8D9C
_wcslen.LIBCMT ref: 009B8DDC
_wcslen.LIBCMT ref: 009B8E6E

Strings

winapi, xrefs: 009B8D96, 009B8D9B
cdecl, xrefs: 009B8D48, 009B8D4D
stdcall, xrefs: 009B8DD6, 009B8DDB
none, xrefs: 009B8E65, 009B8E6A

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: e58effe48e7dda011aa3766980b8aec456625b23b6b16bc652be2be409b745f4
Instruction ID: 203de288890a92253dd81d783ea5c141220a486dd0a77d24aaec3db73e06fef8
Opcode Fuzzy Hash: e58effe48e7dda011aa3766980b8aec456625b23b6b16bc652be2be409b745f4
Instruction Fuzzy Hash: 82519431A041169BCB24EF68CA519FFB7ADBFA8734B204629E516E72C4DB35DD40C790

Function 009B372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 009B3774
CoUninitialize.OLE32 ref: 009B377F
CoCreateInstance.OLE32(?,00000000,00000017,009CFB78,?), ref: 009B37D9
IIDFromString.OLE32(?,?), ref: 009B384C
VariantInit.OLEAUT32(?), ref: 009B38E4
VariantClear.OLEAUT32(?), ref: 009B3936

Strings

Failed to create object, xrefs: 009B37E4, 009B389A
Invalid parameter, xrefs: 009B3865
NULL Pointer assignment, xrefs: 009B381E

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 1fce5510b5c491b6709b0f86966586f29a2e48946177c8966d3f2a535903e119
Instruction ID: 063ede22e4cd4f53e8daa9b10cee03e8fab55f1d4fa86cce90707230b156076f
Opcode Fuzzy Hash: 1fce5510b5c491b6709b0f86966586f29a2e48946177c8966d3f2a535903e119
Instruction Fuzzy Hash: CA61B3B1608301AFD710DF54C988FAABBE8EF85724F10880DF58597291DB70EE48CB92

Function 009A3388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 009A33CF

Part of subcall function 00939CB3: _wcslen.LIBCMT ref: 00939CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 009A33F0

Strings

Error: , xrefs: 009A34D1
Incorrect parameters to object property !, xrefs: 009A34AB
"%s" (%d) : ==> %s:%s%s, xrefs: 009A3504
"%s" (%d) : ==> %s:, xrefs: 009A3522
^ ERROR , xrefs: 009A349E
Line %d (File "%s"):, xrefs: 009A3443, 009A345C

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 1a323ba71aee54850bf14dff9d936287791a4a930e6c407d552e5ca270fc781a
Instruction ID: a5db7b121a6cc8f8f83b4641654cfcb19a7dc68d0b9bae0ebe5e54578f5a45e2
Opcode Fuzzy Hash: 1a323ba71aee54850bf14dff9d936287791a4a930e6c407d552e5ca270fc781a
Instruction Fuzzy Hash: BD519A72C40209AADF15EBE4CD46FEEB7B8AF84344F108065F109720A2EB612F59DF61

Function 0099B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 0099B5FC
_wcslen.LIBCMT ref: 0099B608
_wcslen.LIBCMT ref: 0099B64D
_wcslen.LIBCMT ref: 0099B68C
_wcslen.LIBCMT ref: 0099B6C7

Strings

EXISTS, xrefs: 0099B686, 0099B68B
KEYS, xrefs: 0099B647, 0099B64C
APPEND, xrefs: 0099B6C1, 0099B6C6
REMOVE, xrefs: 0099B602, 0099B607

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: 9394854a20162cdd8049a0f78f42d634be5a11494d1b99ee8941ae57fe57d090
Instruction ID: 18b6af40e489ea4b08667e41bb79fd7bafc8334c4142473ee8ee8301a8f12175
Opcode Fuzzy Hash: 9394854a20162cdd8049a0f78f42d634be5a11494d1b99ee8941ae57fe57d090
Instruction Fuzzy Hash: F441FE32A001279BCF205F7DDE905BE77A9AFA0778B144129E521D7284E739DD81C750

Function 009A5393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 009A53A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 009A5416
GetLastError.KERNEL32 ref: 009A5420
SetErrorMode.KERNEL32(00000000,READY), ref: 009A54A7

Strings

READONLY, xrefs: 009A5452
INVALID, xrefs: 009A5459
NOTREADY, xrefs: 009A544B
READY, xrefs: 009A5460, 009A5468
UNKNOWN, xrefs: 009A5444

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 6de7121b122032b2205eed26b64e17085ef30bd01493a2bb1b6fba841353e97a
Instruction ID: cea9b1c9e44fc1d02bf43775419620805c4c6463ee7bc437c8062e81e782f89e
Opcode Fuzzy Hash: 6de7121b122032b2205eed26b64e17085ef30bd01493a2bb1b6fba841353e97a
Instruction Fuzzy Hash: 4D31A075B006089FC710DF68C884BAABBF8EF5A305F198065E505DB2A2D774DD86CBD0

Function 009C3C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 009C3C79
SetMenu.USER32(?,00000000), ref: 009C3C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 009C3D10
IsMenu.USER32(?), ref: 009C3D24
CreatePopupMenu.USER32 ref: 009C3D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 009C3D5B
DrawMenuBar.USER32 ref: 009C3D63

Strings

0, xrefs: 009C3C54
F, xrefs: 009C3D4E

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 4655db228f3ffe03f3828776d80c9ac48bb8b824f7d7eb3e6387a0683f736c63
Instruction ID: 8f3f380a4a7bcc1332df94f353b50b781dafb4597dac51daa34e43022ec360a6
Opcode Fuzzy Hash: 4655db228f3ffe03f3828776d80c9ac48bb8b824f7d7eb3e6387a0683f736c63
Instruction Fuzzy Hash: 12415BB5A05209AFDB14CF64D854F9A7BB9FF49350F14802CF946973A0D730AA11DB91

Function 00991EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00939CB3: _wcslen.LIBCMT ref: 00939CBD

Part of subcall function 00993CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00993CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00991F64
GetDlgCtrlID.USER32 ref: 00991F6F
GetParent.USER32 ref: 00991F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 00991F8E
GetDlgCtrlID.USER32(?), ref: 00991F97
GetParent.USER32(?), ref: 00991FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 00991FAE

Strings

ComboBox, xrefs: 00991EEC
ListBox, xrefs: 00991F21

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: c8bc132a0cb0d4919ef8c8a8df6c0a25505eed3e8076d30e02ebb5f870e4d101
Instruction ID: 19abfb036e8ca846a116ae98df40014c0fdc701ead915a3c8003cb2689ccba3d
Opcode Fuzzy Hash: c8bc132a0cb0d4919ef8c8a8df6c0a25505eed3e8076d30e02ebb5f870e4d101
Instruction Fuzzy Hash: 9D21ACB0D04219ABCF05AFA4CD85EEEBFA8EF45310F004515F9A9A72A1DB795908DB60

Function 00991FC0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00939CB3: _wcslen.LIBCMT ref: 00939CBD

Part of subcall function 00993CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00993CCA

SendMessageW.USER32(?,00000186,00020000,00000000), ref: 00992043
GetDlgCtrlID.USER32 ref: 0099204E
GetParent.USER32 ref: 0099206A
SendMessageW.USER32(00000000,?,00000111,?), ref: 0099206D
GetDlgCtrlID.USER32(?), ref: 00992076
GetParent.USER32(?), ref: 0099208A
SendMessageW.USER32(00000000,?,00000111,?), ref: 0099208D

Strings

ComboBox, xrefs: 00991FCD
ListBox, xrefs: 00992002

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: fa3710009535858e6ee8a19bf30ddb405b844a0b5a70e9d041d440fa15ded332
Instruction ID: f1d9ce6de3e7fd8b77709ed88a7bd42ac2519a9520de11f8136699fb1ab1786d
Opcode Fuzzy Hash: fa3710009535858e6ee8a19bf30ddb405b844a0b5a70e9d041d440fa15ded332
Instruction Fuzzy Hash: 35219FB5D00218BBCF10AFA4CD85FFEBFB8AF45340F104415F995A72A1DA794915DB60

Function 009C3A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 009C3A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 009C3AA0
GetWindowLongW.USER32(?,000000F0), ref: 009C3AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 009C3AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 009C3B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 009C3BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 009C3BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 009C3BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 009C3BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 009C3C13

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: ba92f8e8a4a660ec1aa2e4c4c664490be16306788aec6d69cb74a1a8fc871deb
Instruction ID: 1c1403712d6d7d3c05cb5ba4b276d7d7471095ee2fc8b3f50e9ae356c8379f83
Opcode Fuzzy Hash: ba92f8e8a4a660ec1aa2e4c4c664490be16306788aec6d69cb74a1a8fc871deb
Instruction Fuzzy Hash: EA617A75A00208AFDB10DFA8CC81FEE77B8EB49700F108199FA15A72A1D774AE46DF51

Function 0099B12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0099B151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,0099A1E1,?,00000001), ref: 0099B165
GetWindowThreadProcessId.USER32(00000000), ref: 0099B16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0099A1E1,?,00000001), ref: 0099B17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 0099B18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,0099A1E1,?,00000001), ref: 0099B1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0099A1E1,?,00000001), ref: 0099B1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,0099A1E1,?,00000001), ref: 0099B1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,0099A1E1,?,00000001), ref: 0099B212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,0099A1E1,?,00000001), ref: 0099B21D

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 9bf30ee112c071dd1dab55b5f1a8fd4e55eb5f2ec0da08b8ef8a5cdb1fd85d98
Instruction ID: 98003911b5ca28130410c2d470c610e5fe9cdcac35a22a062c08ae1f2feb44f0
Opcode Fuzzy Hash: 9bf30ee112c071dd1dab55b5f1a8fd4e55eb5f2ec0da08b8ef8a5cdb1fd85d98
Instruction Fuzzy Hash: 063191B2914208BFDF20DF68EE48F6D7BADFB61311F104005FA16D6190D7B8AA428F60

Function 00962C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00962C94

Part of subcall function 009629C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0096D7D1,00000000,00000000,00000000,00000000,?,0096D7F8,00000000,00000007,00000000,?,0096DBF5,00000000), ref: 009629DE
Part of subcall function 009629C8: GetLastError.KERNEL32(00000000,?,0096D7D1,00000000,00000000,00000000,00000000,?,0096D7F8,00000000,00000007,00000000,?,0096DBF5,00000000,00000000), ref: 009629F0

_free.LIBCMT ref: 00962CA0
_free.LIBCMT ref: 00962CAB
_free.LIBCMT ref: 00962CB6
_free.LIBCMT ref: 00962CC1
_free.LIBCMT ref: 00962CCC
_free.LIBCMT ref: 00962CD7
_free.LIBCMT ref: 00962CE2
_free.LIBCMT ref: 00962CED
_free.LIBCMT ref: 00962CFB

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: f16fe69bbf1e38c27da4984fa26d3a889be826292de87b78015fa6dcabfa7b0e
Instruction ID: 389f2683227613c4bfe793aa4970487d5b194d0baa9a4cc2d18f8fbd97efdeae
Opcode Fuzzy Hash: f16fe69bbf1e38c27da4984fa26d3a889be826292de87b78015fa6dcabfa7b0e
Instruction Fuzzy Hash: B011CB76600508BFCB06EF54D942DDD3BA5FF85390F4144A5F9485F232D631EE509B90

Function 009A7DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 009A7FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 009A7FC1
GetFileAttributesW.KERNEL32(?), ref: 009A7FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 009A8005
SetCurrentDirectoryW.KERNEL32(?), ref: 009A8017
SetCurrentDirectoryW.KERNEL32(?), ref: 009A8060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 009A80B0

Strings

*.*, xrefs: 009A8066

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: ac25840a36fbe80ee252451c60064783f6415212300dbbecdf23ba8eb791455f
Instruction ID: cda6016c3aa47342b3142f2ba3cb215bd2bf78ab4aeeae3bdd7eff8e4151213d
Opcode Fuzzy Hash: ac25840a36fbe80ee252451c60064783f6415212300dbbecdf23ba8eb791455f
Instruction Fuzzy Hash: 6A81A1725082419BCB20DF54C845AABF7E8BF86314F244C5EF889D7261EB35DD498B92

Function 00935BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00935C7A

Part of subcall function 00935D0A: GetClientRect.USER32(?,?), ref: 00935D30
Part of subcall function 00935D0A: GetWindowRect.USER32(?,?), ref: 00935D71
Part of subcall function 00935D0A: ScreenToClient.USER32(?,?), ref: 00935D99

GetDC.USER32 ref: 009746F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00974708
SelectObject.GDI32(00000000,00000000), ref: 00974716
SelectObject.GDI32(00000000,00000000), ref: 0097472B
ReleaseDC.USER32(?,00000000), ref: 00974733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 009747C4

Strings

U, xrefs: 00974693

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 16e3c04372972c0487abf9cdbab4b5d4f1b70c1605cd2a556eac287cb5ae1e38
Instruction ID: 6f70cb19ed4ab7b4c908836cabcbf08325286c548ad7af8193a0db2a536ae9c0
Opcode Fuzzy Hash: 16e3c04372972c0487abf9cdbab4b5d4f1b70c1605cd2a556eac287cb5ae1e38
Instruction Fuzzy Hash: 3071E032500209DFCF258F64C984EFA3BB9FF8A354F148269E9995A1A7C3309C41DF50

Function 009A359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 009A35E4

Part of subcall function 00939CB3: _wcslen.LIBCMT ref: 00939CBD

LoadStringW.USER32(00A02390,?,00000FFF,?), ref: 009A360A

Strings

Error: , xrefs: 009A36EF
"%s" (%d) : ==> %s:%s%s, xrefs: 009A3724
"%s" (%d) : ==> %s:, xrefs: 009A3742
Line %d (File "%s"):, xrefs: 009A366B
^ ERROR, xrefs: 009A36C9

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: dfdbae94025340b21be3302fac13aa713207eb074c84434d114bc76a0bff4251
Instruction ID: 387f590d350f25203972d7678a5f61188243bc772d684095f83054b8bf2b1b0b
Opcode Fuzzy Hash: dfdbae94025340b21be3302fac13aa713207eb074c84434d114bc76a0bff4251
Instruction Fuzzy Hash: 49514B72C40209BBDF15EBA0CC46FEEBB78AF85304F548125F105721A1EB715A99DFA1

Function 009C8B02 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00949BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00949BB2

Part of subcall function 0094912D: GetCursorPos.USER32(?), ref: 00949141
Part of subcall function 0094912D: ScreenToClient.USER32(00000000,?), ref: 0094915E
Part of subcall function 0094912D: GetAsyncKeyState.USER32(00000001), ref: 00949183
Part of subcall function 0094912D: GetAsyncKeyState.USER32(00000002), ref: 0094919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 009C8B6B
ImageList_EndDrag.COMCTL32 ref: 009C8B71
ReleaseCapture.USER32 ref: 009C8B77
SetWindowTextW.USER32(?,00000000), ref: 009C8C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 009C8C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 009C8CFF

Strings

@GUI_DRAGFILE, xrefs: 009C8C9A
@GUI_DROPID, xrefs: 009C8C51

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: 398825d53f8cc2d10fb4ca0617c1a24f41076ca99ad8ab7157378bcca5a6ea29
Instruction ID: f268f3cda4708143a99da70b8c13123c4e665db90feef946d13cb6bfc5111c9e
Opcode Fuzzy Hash: 398825d53f8cc2d10fb4ca0617c1a24f41076ca99ad8ab7157378bcca5a6ea29
Instruction Fuzzy Hash: 44517A70508304AFD704DF64DC96FAA77E4FB88754F40062DF996A72E1CB709945CB62

Function 009AC253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 009AC272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 009AC29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 009AC2CA
GetLastError.KERNEL32 ref: 009AC322
SetEvent.KERNEL32(?), ref: 009AC336
InternetCloseHandle.WININET(00000000), ref: 009AC341

Strings

, xrefs: 009AC2BB

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 9d9980f665a269fecbfad7d4ee71dd058697dd49ac78a6f99ec389ee3b806844
Instruction ID: 98ef8f969068425169f84fb23835d517b98745279919acce3ea12638dcdb597d
Opcode Fuzzy Hash: 9d9980f665a269fecbfad7d4ee71dd058697dd49ac78a6f99ec389ee3b806844
Instruction Fuzzy Hash: 093150F1504604AFDB219F659C88EBB7BFCEB4A744F14851EF44ADA200DB34DD059BA1

Function 0099989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00973AAF,?,?,Bad directive syntax error,009CCC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 009998BC
LoadStringW.USER32(00000000,?,00973AAF,?), ref: 009998C3

Part of subcall function 00939CB3: _wcslen.LIBCMT ref: 00939CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00999987

Strings

%s (%d) : ==> %s.: %s %s, xrefs: 009998F1
., xrefs: 0099996D
Line %d:, xrefs: 00999912
Error: , xrefs: 00999955
Line %d (File "%s"):, xrefs: 0099992D

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: b5aaeb1535e2daa9d626d96ce02cfbbe38038c02a6f2b85c8727838e29d05e26
Instruction ID: d6ad68a5fb80c9ba261f6607814285b2296439b21f9654002df5a0322bc39ba4
Opcode Fuzzy Hash: b5aaeb1535e2daa9d626d96ce02cfbbe38038c02a6f2b85c8727838e29d05e26
Instruction Fuzzy Hash: D721593284421AABCF15AF94CC0AFEE7779FF58304F048429F619660A2EB719A18DB10

Function 0099209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 009920AB
GetClassNameW.USER32(00000000,?,00000100), ref: 009920C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0099214D

Strings

SHELLDLL_DefView, xrefs: 009920CC
list, xrefs: 0099212F
smallicons, xrefs: 00992115
details, xrefs: 009920FB
largeicons, xrefs: 009920E1

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 269e871680f04c87417ba834e5f942d1f91a6add557ae564f6efb31040c6ad27
Instruction ID: 3b0f658ed3287aa13d190e74647cd16e0fc8366fdf904b1b38fcc9b28a778836
Opcode Fuzzy Hash: 269e871680f04c87417ba834e5f942d1f91a6add557ae564f6efb31040c6ad27
Instruction Fuzzy Hash: 1811297668C70BBAFE216329DD0BDF6379CCB4532EF210016FB04A50E2FE65A8555714

Function 00968D45 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f608baef59ada837ab2565563bcb603b64c0c0cf4e06db2e17d86a641b1f9245
Instruction ID: ac636cecc60d4ca8d496523675268625048dc35691c3b8f4eaffa7fae14bb32e
Opcode Fuzzy Hash: f608baef59ada837ab2565563bcb603b64c0c0cf4e06db2e17d86a641b1f9245
Instruction Fuzzy Hash: FEC103B4E04249AFCF11DFA8D851BAEBFB8BF49310F044199F815A7392CB349942DB61

Function 0096CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 0096CEB7
_free.LIBCMT ref: 0096CF22
_free.LIBCMT ref: 0096CF48
_free.LIBCMT ref: 0096CF71
_free.LIBCMT ref: 0096CFA9
_free.LIBCMT ref: 0096CFDA
_free.LIBCMT ref: 0096D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0096D09C
_free.LIBCMT ref: 0096D0B5

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 22487f3ae542e629b02c111c1cd534f8cc1c926e53da02f16e5b2a85f4ba9d13
Instruction ID: 498735d4a436202da1e0baeed447e33c6a2b1e1924e1d48f5966484834805d0e
Opcode Fuzzy Hash: 22487f3ae542e629b02c111c1cd534f8cc1c926e53da02f16e5b2a85f4ba9d13
Instruction Fuzzy Hash: A56178B1A05305AFDF25EFF49C81B7E7BA9EF45360F04416DF984A7281DA369D0287A0

Function 00948B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00986890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 009868A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 009868B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 009868D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 009868F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00948874,00000000,00000000,00000000,000000FF,00000000), ref: 00986901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0098691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00948874,00000000,00000000,00000000,000000FF,00000000), ref: 0098692D

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 94e13247e67d941abf807a1f65d52354401c1d870512bf2202f602a9a3bc014a
Instruction ID: a19b79b76a0b8c50f08c5d996768a776624bb0cfa7d57235eaa2fb1657fa2037
Opcode Fuzzy Hash: 94e13247e67d941abf807a1f65d52354401c1d870512bf2202f602a9a3bc014a
Instruction Fuzzy Hash: 2D516AB0A00209EFDB20DF24CC95FAA7BB9FB88750F104518F9569B2E0DB71E991DB50

Function 009AC143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 009AC182
GetLastError.KERNEL32 ref: 009AC195
SetEvent.KERNEL32(?), ref: 009AC1A9

Part of subcall function 009AC253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 009AC272
Part of subcall function 009AC253: GetLastError.KERNEL32 ref: 009AC322
Part of subcall function 009AC253: SetEvent.KERNEL32(?), ref: 009AC336
Part of subcall function 009AC253: InternetCloseHandle.WININET(00000000), ref: 009AC341

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: b890ed2b0ac5de9543828267067f6593f4dc59f5a556f39019025dfdd42da92f
Instruction ID: d1cdc2cda4d7fe650d658a440417db9bd37bc24308c7f427dce8961839c429a7
Opcode Fuzzy Hash: b890ed2b0ac5de9543828267067f6593f4dc59f5a556f39019025dfdd42da92f
Instruction Fuzzy Hash: FC31ACB1604605BFDB219FA5DD08B66BBFCFF5A300B04441EF96A8A610D735E810EBE0

Function 009925A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00993A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00993A57
Part of subcall function 00993A3D: GetCurrentThreadId.KERNEL32 ref: 00993A5E
Part of subcall function 00993A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,009925B3), ref: 00993A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 009925BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 009925DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 009925DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 009925E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00992601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00992605
MapVirtualKeyW.USER32(00000025,00000000), ref: 0099260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00992623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00992627

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 858cd3213c87317661d65d065d3ba908f13f578bbc455542a78a988be4903cec
Instruction ID: 5ad28064d4c1e990b5e65b7679ca48f5720fc1b1d3dcab873907ef4859c293eb
Opcode Fuzzy Hash: 858cd3213c87317661d65d065d3ba908f13f578bbc455542a78a988be4903cec
Instruction Fuzzy Hash: 4F01D870B98210BBFB1067699C8AF593F59DB8EB11F110001F318AE1D1C9E114449B69

Function 00991803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00991449,?,?,00000000), ref: 0099180C
HeapAlloc.KERNEL32(00000000,?,00991449,?,?,00000000), ref: 00991813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00991449,?,?,00000000), ref: 00991828
GetCurrentProcess.KERNEL32(?,00000000,?,00991449,?,?,00000000), ref: 00991830
DuplicateHandle.KERNEL32(00000000,?,00991449,?,?,00000000), ref: 00991833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00991449,?,?,00000000), ref: 00991843
GetCurrentProcess.KERNEL32(00991449,00000000,?,00991449,?,?,00000000), ref: 0099184B
DuplicateHandle.KERNEL32(00000000,?,00991449,?,?,00000000), ref: 0099184E
CreateThread.KERNEL32(00000000,00000000,00991874,00000000,00000000,00000000), ref: 00991868

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 825d105c78c89d3454de43d9e96fa17e2522449393f0673bec6f349c44a78bbe
Instruction ID: 454e627d11c986b40bb581c079bff2541194a349d21b9bb7767594f5edec7cb4
Opcode Fuzzy Hash: 825d105c78c89d3454de43d9e96fa17e2522449393f0673bec6f349c44a78bbe
Instruction Fuzzy Hash: 4601BBB5654348BFE710ABA6DC4DF6B3FACEB89B11F044411FA09DB1A1CA749800DB20

Function 009BA0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 0099D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0099D501
Part of subcall function 0099D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0099D50F
Part of subcall function 0099D4DC: CloseHandle.KERNELBASE(00000000), ref: 0099D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 009BA16D
GetLastError.KERNEL32 ref: 009BA180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 009BA1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 009BA268
GetLastError.KERNEL32(00000000), ref: 009BA273
CloseHandle.KERNEL32(00000000), ref: 009BA2C4

Strings

SeDebugPrivilege, xrefs: 009BA18F

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 5626a5ae3d4bb088d8f725410e08088c8088e0d2e014a9a16dc31b8df8e01acb
Instruction ID: 290186469791532ec0851670e62306f1aa5b02f66a22ebc2ce39ddfcdb6bd8e0
Opcode Fuzzy Hash: 5626a5ae3d4bb088d8f725410e08088c8088e0d2e014a9a16dc31b8df8e01acb
Instruction Fuzzy Hash: 2161A270208242AFD710DF19C594F55BBE5AF84328F18849CE4664B7A3C776ED45CF92

Function 009C3886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 009C3925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 009C393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 009C3954
_wcslen.LIBCMT ref: 009C3999
SendMessageW.USER32(?,00001057,00000000,?), ref: 009C39C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 009C39F4

Strings

SysListView32, xrefs: 009C38F7

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: be49287dde4709de4dad6ef252cf8835f562ce2a69f043ba007976c76f7df945
Instruction ID: d1a0d02afb3f76ac8b29d762a9f2d177329590c3f773761b7affcc55b1a6663f
Opcode Fuzzy Hash: be49287dde4709de4dad6ef252cf8835f562ce2a69f043ba007976c76f7df945
Instruction Fuzzy Hash: DE41C371E00219EBEF219F64CC45FEA7BA9EF48354F10852AF948E7281D7719E84CB90

Function 0099BC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0099BCFD
IsMenu.USER32(00000000), ref: 0099BD1D
CreatePopupMenu.USER32 ref: 0099BD53
GetMenuItemCount.USER32(013A5DB8), ref: 0099BDA4
InsertMenuItemW.USER32(013A5DB8,?,00000001,00000030), ref: 0099BDCC

Strings

0, xrefs: 0099BCA8
2, xrefs: 0099BD37

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: f4757310c9e76a08a6c8a08d7f248ba6b1e059292a5c5bb2d4bee8733335fc77
Instruction ID: 32a90354bb64cd20c5d89cea6c2152ae7c31f5ab4d0ab40b029176ebda24167a
Opcode Fuzzy Hash: f4757310c9e76a08a6c8a08d7f248ba6b1e059292a5c5bb2d4bee8733335fc77
Instruction Fuzzy Hash: 8151DFB0A042099BEF10CFACEA88BAEBBF8BF95314F144519F505E72D0D7799941CB61

Function 0099C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 0099C913

Strings

warning, xrefs: 0099C8FC
blank, xrefs: 0099C895
info, xrefs: 0099C8B4
stop, xrefs: 0099C8E4
question, xrefs: 0099C8CC

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 3f6aab8e5be80288e4285f205110d09640ae25cb971ca33a8d665466aa5a4fba
Instruction ID: cbe8504edcaada2225836656eb47aad352577e3473550140ba440c2ada66cde3
Opcode Fuzzy Hash: 3f6aab8e5be80288e4285f205110d09640ae25cb971ca33a8d665466aa5a4fba
Instruction Fuzzy Hash: 5811507168D30ABBEF00AB19DC83DAE779CDF5531DB20002AF904A61C2D7745E405374

Function 0099DE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 0099DE42
gethostname.WSOCK32(?,00000100), ref: 0099DE5C
gethostbyname.WSOCK32(?), ref: 0099DE69
inet_ntoa.WSOCK32(?), ref: 0099DEAB
_strcat.LIBCMT ref: 0099DEB9
WSACleanup.WSOCK32 ref: 0099DEDE

Strings

0.0.0.0, xrefs: 0099DE87

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: 729d3cb1a319552fa3addb9025ed4c8e1df89c5e47de9ba2ffa9a5f326c8c37e
Instruction ID: 493cca7059d95430de38882ddc9c76ab1ea4df94b57e80038c569d7fadb23199
Opcode Fuzzy Hash: 729d3cb1a319552fa3addb9025ed4c8e1df89c5e47de9ba2ffa9a5f326c8c37e
Instruction Fuzzy Hash: D51159B1C04105AFDF20ABA8DC8AFEF3BACDF90715F000169F44996091EF708A819B60

Function 009C9F86 Relevance: 12.3, APIs: 8, Instructions: 260windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00949BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00949BB2

GetSystemMetrics.USER32(0000000F), ref: 009C9FC7
GetSystemMetrics.USER32(0000000F), ref: 009C9FE7
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 009CA224
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 009CA242
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 009CA263
ShowWindow.USER32(00000003,00000000), ref: 009CA282
InvalidateRect.USER32(?,00000000,00000001), ref: 009CA2A7
DefDlgProcW.USER32(?,00000005,?,?), ref: 009CA2CA

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: 70af3df2ef92fa045ce1ddd6aee65ac3344b238616ce4a1c213b5b9a170f7205
Instruction ID: 02f11c5753912dee2c90302fea852f8ac5101486f9cf4247c94d697449cc8360
Opcode Fuzzy Hash: 70af3df2ef92fa045ce1ddd6aee65ac3344b238616ce4a1c213b5b9a170f7205
Instruction Fuzzy Hash: CFB1BC31A00229DFDF14CF68C989BAE7BB6FF44715F08806DEC599B295D731A940CB62

Function 0099ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0099ED2A
_wcslen.LIBCMT ref: 0099ED3B
_wcslen.LIBCMT ref: 0099ED79
_wcslen.LIBCMT ref: 0099EDAF
_wcslen.LIBCMT ref: 0099EDDF
_wcslen.LIBCMT ref: 0099EDEF
_wcslen.LIBCMT ref: 0099EE2B
_wcslen.LIBCMT ref: 0099EE5A

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 992ef82d673d2f05c56ae2a87af02a3b54ad7d4296949f8b390fe83cf571b001
Instruction ID: 00360e3edbf9ed529d151efb88b501c59e4133a94a3303b7fa89d3080930355a
Opcode Fuzzy Hash: 992ef82d673d2f05c56ae2a87af02a3b54ad7d4296949f8b390fe83cf571b001
Instruction Fuzzy Hash: BA41B565C1011875CB11EBF5888AACFB7BCEF85711F508466F924E3121FB34E249C7A5

Function 0094F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0098682C,00000004,00000000,00000000), ref: 0094F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,0098682C,00000004,00000000,00000000), ref: 0098F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0098682C,00000004,00000000,00000000), ref: 0098F454

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: eac28d5d630756ee37a7cb70aac7ae26bf3f80b31e9b3cde458e7e7eee1965f0
Instruction ID: de974ae574c7f739c37d204ca5f75350a6871adc384fc726ef016c156f8892da
Opcode Fuzzy Hash: eac28d5d630756ee37a7cb70aac7ae26bf3f80b31e9b3cde458e7e7eee1965f0
Instruction Fuzzy Hash: BF414B30618682FAD7399F38C9B8F6A7F99AF96350F14543DE08B52661C735A880DB11

Function 009C2D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 009C2D1B
GetDC.USER32(00000000), ref: 009C2D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 009C2D2E
ReleaseDC.USER32(00000000,00000000), ref: 009C2D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 009C2D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 009C2D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,009C5A65,?,?,000000FF,00000000,?,000000FF,?), ref: 009C2DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 009C2DE1

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 77a0b9afab0b812d2cf5c4c055755a42a9e0515aad620d2cfa7a94345aec215f
Instruction ID: f3d69383a13003605f0fd26a311864689d5273526091b66d9c953e05cf0dbb39
Opcode Fuzzy Hash: 77a0b9afab0b812d2cf5c4c055755a42a9e0515aad620d2cfa7a94345aec215f
Instruction Fuzzy Hash: AB319AB2615214BFEB218F50CC8AFEB3FADEF19751F084055FE099A291C6759C41CBA1

Function 00995622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00995637
_memcmp.LIBVCRUNTIME ref: 00995659
_memcmp.LIBVCRUNTIME ref: 00995671
_memcmp.LIBVCRUNTIME ref: 00995684
_memcmp.LIBVCRUNTIME ref: 0099569E
_memcmp.LIBVCRUNTIME ref: 009956B1
_memcmp.LIBVCRUNTIME ref: 009956C9
_memcmp.LIBVCRUNTIME ref: 009956E4

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: fbbc9e6fd08aa429091621844a07e57c571b0169928a89994145200ad9bcbde3
Instruction ID: dc68dc38bd0c8bc57d303ceb5429d1d3aa3df7ee1d6c3f691f0de680cc19130f
Opcode Fuzzy Hash: fbbc9e6fd08aa429091621844a07e57c571b0169928a89994145200ad9bcbde3
Instruction Fuzzy Hash: 0A213B61B80A0977DE169E299DA2FFB334DAFA0389F450024FD049A581F730EE1483A6

Function 009B4FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 009B5007
NULL Pointer assignment, xrefs: 009B502E, 009B5383

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: b4b0d37c639ecb3c4f3dcb4a15d47652b8c91f933dd8de459bcd49a874adcc01
Instruction ID: a9808212dc2c43401c224315acdd4bad3930acd97edd554df2844128b715e51d
Opcode Fuzzy Hash: b4b0d37c639ecb3c4f3dcb4a15d47652b8c91f933dd8de459bcd49a874adcc01
Instruction Fuzzy Hash: EDD1B171A0060A9FDF14DF98C980FEEB7B9BF88364F158469E915AB280E770DD41CB90

Function 00971522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,009717FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 009715CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,009717FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00971651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,009717FB,?,009717FB,00000000,00000000,?,00000000,?,?,?,?), ref: 009716E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,009717FB,00000000,00000000,?,00000000,?,?,?,?), ref: 009716FB

Part of subcall function 00963820: RtlAllocateHeap.NTDLL(00000000,?,00A01444,?,0094FDF5,?,?,0093A976,00000010,00A01440,009313FC,?,009313C6,?,00931129), ref: 00963852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,009717FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00971777
__freea.LIBCMT ref: 009717A2
__freea.LIBCMT ref: 009717AE

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 2b27ec27726d2264c0d581d42409f040737ef99be77b8008aa0bc123e7490e69
Instruction ID: 820f737e17236318c8ecbfa83ae798fba4b53078f2b3b1b548910306ce903d0c
Opcode Fuzzy Hash: 2b27ec27726d2264c0d581d42409f040737ef99be77b8008aa0bc123e7490e69
Instruction Fuzzy Hash: 19919473E142169BDF288E6CC882AEE7BB99F85710F188659F809E7141E735DD40CBA0

Function 009B4523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 009B4648
VariantInit.OLEAUT32(?), ref: 009B4749
VariantClear.OLEAUT32(?), ref: 009B4753
VariantClear.OLEAUT32(?), ref: 009B47B0

Strings

Null Object assignment in FOR..IN loop, xrefs: 009B45D8, 009B4706, 009B47BE
Incorrect Object type in FOR..IN loop, xrefs: 009B472C

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 24bd25cb7aea32ab4285f30cfbd66554e41e47b58b4c5e4a5f4f366585575a39
Instruction ID: 41e473b63c33b76ce7e1f233d2c42e9c54ad6394ad3ccbf4ff9ed3565cfe9858
Opcode Fuzzy Hash: 24bd25cb7aea32ab4285f30cfbd66554e41e47b58b4c5e4a5f4f366585575a39
Instruction Fuzzy Hash: 10919371A00219EBDF20CFA4C984FEEBBB8EF46724F108559F505AB282D7709945DFA0

Function 009A1187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 009A125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 009A1284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 009A12A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 009A12D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 009A135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 009A13C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 009A1430

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 7770b46b43e2b73487431266fd1b7739e95bade61c2230c114337942d2a6ff5a
Instruction ID: 55cccad0d46074b44232d4a74f0f23ce3f009a9e3aecc51c9e71d94e3379bbb4
Opcode Fuzzy Hash: 7770b46b43e2b73487431266fd1b7739e95bade61c2230c114337942d2a6ff5a
Instruction Fuzzy Hash: E091C171A00209AFDB04DF98C885BBEB7B9FF86315F104429E951EB2A1D774E941CB90

Function 0094948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: be62930564a44316565574263a880e42c5a1c1d3b1e80dbb05e3c83462517765
Instruction ID: 3cc908c2e8503d76cf1d685f6255f9b6459ea10021c9ff052f3942d81bfb5d55
Opcode Fuzzy Hash: be62930564a44316565574263a880e42c5a1c1d3b1e80dbb05e3c83462517765
Instruction Fuzzy Hash: EE911571D04219AFCB10CFA9C884EEEBBB8FF89320F244559E915B7251D378A941DB60

Function 009B3947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 009B396B
CharUpperBuffW.USER32(?,?), ref: 009B3A7A
_wcslen.LIBCMT ref: 009B3A8A
VariantClear.OLEAUT32(?), ref: 009B3C1F

Part of subcall function 009A0CDF: VariantInit.OLEAUT32(00000000), ref: 009A0D1F
Part of subcall function 009A0CDF: VariantCopy.OLEAUT32(?,?), ref: 009A0D28
Part of subcall function 009A0CDF: VariantClear.OLEAUT32(?), ref: 009A0D34

Strings

AUTOIT.ERROR, xrefs: 009B3A80, 009B3A85
Incorrect Parameter format, xrefs: 009B39A6, 009B3BA1

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 82aa759ccfbf1218f4296474f15e7cc633d44bafa54b601137835beb04ba3361
Instruction ID: dcc8327f8f6500f849124f21a28169e824b4aba46ace8f91106810fa0ea8d4b8
Opcode Fuzzy Hash: 82aa759ccfbf1218f4296474f15e7cc633d44bafa54b601137835beb04ba3361
Instruction Fuzzy Hash: 719146756083059FCB14DF68C580A6ABBE8FF88724F14882DF88997351DB30EE05CB92

Function 009B4BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 0099000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0098FF41,80070057,?,?,?,0099035E), ref: 0099002B
Part of subcall function 0099000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0098FF41,80070057,?,?), ref: 00990046
Part of subcall function 0099000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0098FF41,80070057,?,?), ref: 00990054
Part of subcall function 0099000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0098FF41,80070057,?), ref: 00990064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 009B4C51
_wcslen.LIBCMT ref: 009B4D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 009B4DCF
CoTaskMemFree.OLE32(?), ref: 009B4DDA

Strings

NULL Pointer assignment, xrefs: 009B4E23, 009B4E52

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 3bce7f8032e116b5f5898a26ae24916eade54238f9975df8a4bf30157df7d271
Instruction ID: ea13c7ff034d9a7dcda2fff846b25af2427926403edb4ca1a56fb1e39c0fb277
Opcode Fuzzy Hash: 3bce7f8032e116b5f5898a26ae24916eade54238f9975df8a4bf30157df7d271
Instruction Fuzzy Hash: 57910771D0021DAFDF14DFA4C891AEEBBB8BF48310F108569E919A7291DB749A44DFA0

Function 009C20FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 009C2183
GetMenuItemCount.USER32(00000000), ref: 009C21B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 009C21DD
_wcslen.LIBCMT ref: 009C2213
GetMenuItemID.USER32(?,?), ref: 009C224D
GetSubMenu.USER32(?,?), ref: 009C225B

Part of subcall function 00993A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00993A57
Part of subcall function 00993A3D: GetCurrentThreadId.KERNEL32 ref: 00993A5E
Part of subcall function 00993A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,009925B3), ref: 00993A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 009C22E3

Part of subcall function 0099E97B: Sleep.KERNEL32 ref: 0099E9F3

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: afb7ca1534159df647c99d1e95e86934ca88f7c336c2a1d48f3a3600ae2a14af
Instruction ID: f6b837a4fede269e44a106bbc8175dfc72093bc6848205ba462389dd7da4e42e
Opcode Fuzzy Hash: afb7ca1534159df647c99d1e95e86934ca88f7c336c2a1d48f3a3600ae2a14af
Instruction Fuzzy Hash: 5F716C75E04205AFCB14EF68C845FAEBBF5EF88320F148459E826AB351D734AE418F91

Function 009C7E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(013A5E80), ref: 009C7F37
IsWindowEnabled.USER32(013A5E80), ref: 009C7F43
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 009C801E
SendMessageW.USER32(013A5E80,000000B0,?,?), ref: 009C8051
IsDlgButtonChecked.USER32(?,?), ref: 009C8089
GetWindowLongW.USER32(013A5E80,000000EC), ref: 009C80AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 009C80C3

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 6bdb6b7591d588f7fddb82ae3ba159ec2431c365a89c3270320d876df66d2203
Instruction ID: c06d2c56f04756e37bf32fa7fd4f44039f77ae356c2a5bdc97a894d6346c78ae
Opcode Fuzzy Hash: 6bdb6b7591d588f7fddb82ae3ba159ec2431c365a89c3270320d876df66d2203
Instruction Fuzzy Hash: F6716A74E08205AFEB21DFA4C8D4FEABBB9EF49340F14445DE945972A1CB31A845DF22

Function 0099AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0099AEF9
GetKeyboardState.USER32(?), ref: 0099AF0E
SetKeyboardState.USER32(?), ref: 0099AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 0099AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 0099AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 0099AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 0099B020

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: fc613676b91c14ec3c5fcfa991d3614167818705a775560e3cc049b62bd6534b
Instruction ID: b053b7266a0d1131023ef32d7b1ab0ea5b9b4c2aca0f12a18bbc5a2d054c3872
Opcode Fuzzy Hash: fc613676b91c14ec3c5fcfa991d3614167818705a775560e3cc049b62bd6534b
Instruction Fuzzy Hash: 9551A1A0A147D53DFF36433C8D49BBABEAD9B06304F088589E1E9558C2D3D9ACC8D791

Function 0099ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 0099AD19
GetKeyboardState.USER32(?), ref: 0099AD2E
SetKeyboardState.USER32(?), ref: 0099AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0099ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0099ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0099AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0099AE38

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 20e796e70cadfc83aa1ada79575301cba1e18ffc56072e2a0b824d5e413809c2
Instruction ID: 8cefecfda9f8bc29b6af244c6bc366715425143ddc423feb19d5cfaae7c0bc8f
Opcode Fuzzy Hash: 20e796e70cadfc83aa1ada79575301cba1e18ffc56072e2a0b824d5e413809c2
Instruction Fuzzy Hash: 6151E6A19087D53DFF3783788C55B7A7EACDB46300F088488E1D9468C2D394EC88E7A2

Function 0096542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00973CD6,?,?,?,?,?,?,?,?,00965BA3,?,?,00973CD6,?,?), ref: 00965470
__fassign.LIBCMT ref: 009654EB
__fassign.LIBCMT ref: 00965506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00973CD6,00000005,00000000,00000000), ref: 0096552C
WriteFile.KERNEL32(?,00973CD6,00000000,00965BA3,00000000,?,?,?,?,?,?,?,?,?,00965BA3,?), ref: 0096554B
WriteFile.KERNEL32(?,?,00000001,00965BA3,00000000,?,?,?,?,?,?,?,?,?,00965BA3,?), ref: 00965584

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 825bc78feddafd418d246dbec7aa9132f2f43a19a46b00036584325cbf259557
Instruction ID: b20d6a5fff7f215ea11d9645c3f2c6176c43c088dd58383de7dc57ecc8e26141
Opcode Fuzzy Hash: 825bc78feddafd418d246dbec7aa9132f2f43a19a46b00036584325cbf259557
Instruction Fuzzy Hash: 2F51B2B1E0064A9FDB10CFA8D845AEEBBF9EF09300F15455EF956E7291D7309A41CB60

Function 00952D20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00952D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00952D53
_ValidateLocalCookies.LIBCMT ref: 00952DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00952E0C
_ValidateLocalCookies.LIBCMT ref: 00952E61

Strings

csm, xrefs: 00952DF6

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 033a62aa14271f1f63dff685ea2df4c36a7269b79d37d7ae920c7ce5f072b61a
Instruction ID: f39db47f8686813cef05428f7addf4789a7434a06709f315d06df04643aaa5e2
Opcode Fuzzy Hash: 033a62aa14271f1f63dff685ea2df4c36a7269b79d37d7ae920c7ce5f072b61a
Instruction Fuzzy Hash: DF41C434E00209EBCF14DF6AC845A9EBBB5BF86366F148155ED146B392D731AA09CBD0

Function 009B10B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 009B304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 009B307A
Part of subcall function 009B304E: _wcslen.LIBCMT ref: 009B309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 009B1112
WSAGetLastError.WSOCK32 ref: 009B1121
WSAGetLastError.WSOCK32 ref: 009B11C9
closesocket.WSOCK32(00000000), ref: 009B11F9

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 2d1dd51a5e745d05c6a4db5b5653e95ec25bb5d60a915dd516a6e0fc31aff45b
Instruction ID: e1a6cf93ebf0faeffa0c90a3c1005dcea67a3fafac2f901a8fd11d6c7de9ff0f
Opcode Fuzzy Hash: 2d1dd51a5e745d05c6a4db5b5653e95ec25bb5d60a915dd516a6e0fc31aff45b
Instruction Fuzzy Hash: 71410371604604AFDB109F18C994BEABBE9EF85364F148059FD09AB292C774ED41CFE1

Function 0099CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0099DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0099CF22,?), ref: 0099DDFD

Part of subcall function 0099DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0099CF22,?), ref: 0099DE16

lstrcmpiW.KERNEL32(?,?), ref: 0099CF45
MoveFileW.KERNEL32(?,?), ref: 0099CF7F
_wcslen.LIBCMT ref: 0099D005
_wcslen.LIBCMT ref: 0099D01B
SHFileOperationW.SHELL32(?), ref: 0099D061

Strings

\*.*, xrefs: 0099CFF3

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 4854acbcca15fc9e07d0544b98e0cd83e321a288ea91e5323686e21e8bd97944
Instruction ID: ce5652f48e35aa163e498daae7d9d847b3b7b369d18c8d4086a2e8b6c1eb36c3
Opcode Fuzzy Hash: 4854acbcca15fc9e07d0544b98e0cd83e321a288ea91e5323686e21e8bd97944
Instruction Fuzzy Hash: 204126B19452185FDF12EBA8DD81FDDB7BDAF58380F1000E6E509EB142EB34A688CB50

Function 009C2DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 009C2E1C
GetWindowLongW.USER32(?,000000F0), ref: 009C2E4F
GetWindowLongW.USER32(?,000000F0), ref: 009C2E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 009C2EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 009C2EE0
GetWindowLongW.USER32(?,000000F0), ref: 009C2EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 009C2F0B

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: ae42a1fae6f99ef9d1fd195505b7bec0c190dd13f82b5aa1180ab48dd7ea3332
Instruction ID: faf53bec24248347c72fb1b58aeff2e63b28fd9b7466ad2cea0e10749d5ee53b
Opcode Fuzzy Hash: ae42a1fae6f99ef9d1fd195505b7bec0c190dd13f82b5aa1180ab48dd7ea3332
Instruction Fuzzy Hash: 82311730A081599FDB21DF58DD84FA53BE5FB8A750F150168F9059F2B1CB71AC41DB42

Function 00997726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00997769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0099778F
SysAllocString.OLEAUT32(00000000), ref: 00997792
SysAllocString.OLEAUT32(?), ref: 009977B0
SysFreeString.OLEAUT32(?), ref: 009977B9
StringFromGUID2.OLE32(?,?,00000028), ref: 009977DE
SysAllocString.OLEAUT32(?), ref: 009977EC

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 28978ca468ec5d59b9a479e54539157d4413ebd5ebb6b7c5fcda1bb73fee8dce
Instruction ID: 1a1df2825fb71893704cb00fce6b9ffd008ae96ca6ff6644037bbd0c0ef18e71
Opcode Fuzzy Hash: 28978ca468ec5d59b9a479e54539157d4413ebd5ebb6b7c5fcda1bb73fee8dce
Instruction Fuzzy Hash: 1921A176A18219AFDF10DFEDCC88DBBB7ACEB097647048425FA19DB260DA74DC418760

Function 009977FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00997842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00997868
SysAllocString.OLEAUT32(00000000), ref: 0099786B
SysAllocString.OLEAUT32 ref: 0099788C
SysFreeString.OLEAUT32 ref: 00997895
StringFromGUID2.OLE32(?,?,00000028), ref: 009978AF
SysAllocString.OLEAUT32(?), ref: 009978BD

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: e0e81ffcf324eb3901b754e6e37d34299775157479e0715656ca70b191521876
Instruction ID: 4cb60b9e5219631d5167b698094edf29c67c8563c3a9f8d740ce7a0e6ab01702
Opcode Fuzzy Hash: e0e81ffcf324eb3901b754e6e37d34299775157479e0715656ca70b191521876
Instruction Fuzzy Hash: C2216D72A18204AFDF10AFEDDC88DAAB7ACEB097607148125F915CB2A1DA74DC41DB64

Function 009A04D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 009A04F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 009A052E

Strings

nul, xrefs: 009A0567

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 66a705eacbadf3a5ee12fbf2c112b198207868a7b51cc03c551a3d17b09cc2d9
Instruction ID: 9faf50e221457ba3f0be79ceb2e65e9abab8253c4808b7defa254ab2039080f4
Opcode Fuzzy Hash: 66a705eacbadf3a5ee12fbf2c112b198207868a7b51cc03c551a3d17b09cc2d9
Instruction Fuzzy Hash: 82217171D003059BDB209F6ADC44A5A7BB8BF86764F204A19F8A1D61E0E770D950DFA0

Function 009A05A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 009A05C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 009A0601

Strings

nul, xrefs: 009A0639

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: a73c58afb7b01d0b599f59966155778d98f0884556fa854d3299f1d2bda0778c
Instruction ID: d65e93d71cdac88a2241ac899505d37e4958e066d165b59d2604fa501de270d3
Opcode Fuzzy Hash: a73c58afb7b01d0b599f59966155778d98f0884556fa854d3299f1d2bda0778c
Instruction Fuzzy Hash: FA2165759043059BDB209F69DC04E5A77E8BFD6728F200B19F9A1E72D0E770D960DB90

Function 009C40AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0093600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0093604C
Part of subcall function 0093600E: GetStockObject.GDI32(00000011), ref: 00936060
Part of subcall function 0093600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0093606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 009C4112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 009C411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 009C412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 009C4139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 009C4145

Strings

Msctls_Progress32, xrefs: 009C40E3

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: f58470a74f9218a1a618edb173de62d157fd0afe8bff74c3470c704efbdaf619
Instruction ID: eb121c46d33461b727672ffe65a80f2afccf568fd7a6298f85c691e29a643b0c
Opcode Fuzzy Hash: f58470a74f9218a1a618edb173de62d157fd0afe8bff74c3470c704efbdaf619
Instruction Fuzzy Hash: 7A1190B265021DBEEF118EA4CC86EE77F9DEF18798F004111FA18A2050C6729C219BA4

Function 0096D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0096D7A3: _free.LIBCMT ref: 0096D7CC

_free.LIBCMT ref: 0096D82D

Part of subcall function 009629C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0096D7D1,00000000,00000000,00000000,00000000,?,0096D7F8,00000000,00000007,00000000,?,0096DBF5,00000000), ref: 009629DE
Part of subcall function 009629C8: GetLastError.KERNEL32(00000000,?,0096D7D1,00000000,00000000,00000000,00000000,?,0096D7F8,00000000,00000007,00000000,?,0096DBF5,00000000,00000000), ref: 009629F0

_free.LIBCMT ref: 0096D838
_free.LIBCMT ref: 0096D843
_free.LIBCMT ref: 0096D897
_free.LIBCMT ref: 0096D8A2
_free.LIBCMT ref: 0096D8AD
_free.LIBCMT ref: 0096D8B8

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: ecadcfc43e15a27e76d03cadd1c3771c5ad4d90e4dee0dac3b14e73025b7988c
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: E31133B1B42B04BAE521BFF0CC47FCB7BDC6FC4740F444826B2A9A6492DA75B5054751

Function 0099DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0099DA74
LoadStringW.USER32(00000000), ref: 0099DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0099DA91
LoadStringW.USER32(00000000), ref: 0099DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0099DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0099DAB9

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 147f96d9864d09faef8cf58206e51916091ab6e387d8f069dd0ef0fd28bc929a
Instruction ID: 84a06ad00e3d11f274bc497393e58f0f35553af631af72d2d9f02183984d91a0
Opcode Fuzzy Hash: 147f96d9864d09faef8cf58206e51916091ab6e387d8f069dd0ef0fd28bc929a
Instruction Fuzzy Hash: BA0186F29042087FEB10ABA49D89EFB376CE708301F400895F74AE2081EA749E845F74

Function 009A096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(0139DB30,0139DB30), ref: 009A097B
EnterCriticalSection.KERNEL32(0139DB10,00000000), ref: 009A098D
TerminateThread.KERNEL32(?,000001F6), ref: 009A099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 009A09A9
CloseHandle.KERNEL32(?), ref: 009A09B8
InterlockedExchange.KERNEL32(0139DB30,000001F6), ref: 009A09C8
LeaveCriticalSection.KERNEL32(0139DB10), ref: 009A09CF

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 996b1c51e0057273eb2a31192cf91cda297d8844ecc6abd3b12fdf4ffe064bf5
Instruction ID: 7266f37a66388851383e679cd7181b7211add725f0856680e2079b4a0d2ba90c
Opcode Fuzzy Hash: 996b1c51e0057273eb2a31192cf91cda297d8844ecc6abd3b12fdf4ffe064bf5
Instruction Fuzzy Hash: 27F03C7285AA02BBD7415FA4EE8CFD6BF39FF41702F402025F206908A0C7749465DF90

Function 009B1C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 009B1DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 009B1DE1
WSAGetLastError.WSOCK32 ref: 009B1DF2
htons.WSOCK32(?,?,?,?,?), ref: 009B1EDB
inet_ntoa.WSOCK32(?), ref: 009B1E8C

Part of subcall function 009939E8: _strlen.LIBCMT ref: 009939F2

Part of subcall function 009B3224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,009AEC0C), ref: 009B3240

_strlen.LIBCMT ref: 009B1F35

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: 2980afd8988a3ddf72e56219ce4f0a7098fffda26b6bcac2026932986fceeefe
Instruction ID: 8cd86e0034d55071404e8985cec7136ebbf2c09a6fd9c9fc9aa7786e0a502b37
Opcode Fuzzy Hash: 2980afd8988a3ddf72e56219ce4f0a7098fffda26b6bcac2026932986fceeefe
Instruction Fuzzy Hash: 0DB1C071604300AFC324DF24C895F6A7BA9AFC4328F94894CF55A5B2E2DB71ED45CB91

Function 00935D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00935D30
GetWindowRect.USER32(?,?), ref: 00935D71
ScreenToClient.USER32(?,?), ref: 00935D99
GetClientRect.USER32(?,?), ref: 00935ED7
GetWindowRect.USER32(?,?), ref: 00935EF8

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 61b4254146a6265ff4b2a71e4b6764c81d36b7f209c2bcb159303a2f9fa1219b
Instruction ID: 675e98599af0cc5259819b186b6b1f7e3f86e01501a7f0ef7baf2a8fbc637316
Opcode Fuzzy Hash: 61b4254146a6265ff4b2a71e4b6764c81d36b7f209c2bcb159303a2f9fa1219b
Instruction Fuzzy Hash: 74B16875A0064AEBDB20CFA8C4807EEB7F5FF48310F14881AE8A9D7250DB34AA51DF54

Function 009601B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 009600BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 009600D6
__allrem.LIBCMT ref: 009600ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0096010B
__allrem.LIBCMT ref: 00960122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00960140

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: 9b78da9b9de1cbb91d03bad9288b606dba26da0b30f1e718117a6863a358d984
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: 9D81F572A00706ABE720DF29CC91B6B73E9EFC1334F25453AF851DA681E770D9448B90

Function 009661FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,009582D9,009582D9,?,?,?,0096644F,00000001,00000001,8BE85006), ref: 00966258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0096644F,00000001,00000001,8BE85006,?,?,?), ref: 009662DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 009663D8
__freea.LIBCMT ref: 009663E5

Part of subcall function 00963820: RtlAllocateHeap.NTDLL(00000000,?,00A01444,?,0094FDF5,?,?,0093A976,00000010,00A01440,009313FC,?,009313C6,?,00931129), ref: 00963852

__freea.LIBCMT ref: 009663EE
__freea.LIBCMT ref: 00966413

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: fa6a9ac6d5cbe684602357b7493ed501c47d6ccfcd0eff5d65c0179aa2c18088
Instruction ID: 67eb3b3c28182d6dc30dbd3447db448872ed914adfbf2077f7e30bdb2f87a53e
Opcode Fuzzy Hash: fa6a9ac6d5cbe684602357b7493ed501c47d6ccfcd0eff5d65c0179aa2c18088
Instruction Fuzzy Hash: A651B072A10216ABEB258F64DC81FBF7BA9EF85750F15462AFC05DA250EB34DC40D6A0

Function 009BBBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00939CB3: _wcslen.LIBCMT ref: 00939CBD

Part of subcall function 009BC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,009BB6AE,?,?), ref: 009BC9B5
Part of subcall function 009BC998: _wcslen.LIBCMT ref: 009BC9F1
Part of subcall function 009BC998: _wcslen.LIBCMT ref: 009BCA68
Part of subcall function 009BC998: _wcslen.LIBCMT ref: 009BCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 009BBCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 009BBD25
RegCloseKey.ADVAPI32(00000000), ref: 009BBD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 009BBD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 009BBDF3
RegCloseKey.ADVAPI32(?), ref: 009BBDFF

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 30649cb88f29d3eeda6a0df2788f034114904d28da327d5ed5f040fd6c01e4ba
Instruction ID: 9590b2cadbfbdd2e99ef9e1fd7b25ef42377805d873ba06b36d9a23c5ddfa0d1
Opcode Fuzzy Hash: 30649cb88f29d3eeda6a0df2788f034114904d28da327d5ed5f040fd6c01e4ba
Instruction Fuzzy Hash: 49818B70208241AFC714DF24C991E6ABBE9FF84318F14895CF4994B2A2CB71ED45CB92

Function 0098F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 0098F7B9
SysAllocString.OLEAUT32(00000001), ref: 0098F860
VariantCopy.OLEAUT32(0098FA64,00000000), ref: 0098F889
VariantClear.OLEAUT32(0098FA64), ref: 0098F8AD
VariantCopy.OLEAUT32(0098FA64,00000000), ref: 0098F8B1
VariantClear.OLEAUT32(?), ref: 0098F8BB

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 2fc947666894ef911949e827dd791253e45d0979070fd91fc0ac537596a6805f
Instruction ID: e87bcebebdf28d606e245d1726c39a4a14d3f02d9457c4ff7e696d70ee29744d
Opcode Fuzzy Hash: 2fc947666894ef911949e827dd791253e45d0979070fd91fc0ac537596a6805f
Instruction Fuzzy Hash: EF51A835910310BBCF14BB65D8A5F29B3A9EF85710F24A466F906DF391DB748C40CBA6

Function 009A910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00937620: _wcslen.LIBCMT ref: 00937625

Part of subcall function 00936B57: _wcslen.LIBCMT ref: 00936B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 009A94E5
_wcslen.LIBCMT ref: 009A9506
_wcslen.LIBCMT ref: 009A952D
GetSaveFileNameW.COMDLG32(00000058), ref: 009A9585

Strings

X, xrefs: 009A9412

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 475890fbfa19f7688c3d32a912cb8e39b9427b71e9601f4b7ade97c84fae5752
Instruction ID: a11e3c5b3e33844e3bb9e398f606c3b554f6e72a7230dcdfe6984dc3b04da1e5
Opcode Fuzzy Hash: 475890fbfa19f7688c3d32a912cb8e39b9427b71e9601f4b7ade97c84fae5752
Instruction Fuzzy Hash: 59E18C719083119FCB24DF24C891B6AB7E4BFC5314F14896DF8999B2A2DB31ED05CB92

Function 0094920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00949BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00949BB2

BeginPaint.USER32(?,?,?), ref: 00949241
GetWindowRect.USER32(?,?), ref: 009492A5
ScreenToClient.USER32(?,?), ref: 009492C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 009492D3
EndPaint.USER32(?,?,?,?,?), ref: 00949321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 009871EA

Part of subcall function 00949339: BeginPath.GDI32(00000000), ref: 00949357

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 2c4c89830bd83b7b56e4173300f6f6fd3af9396e94150e1126499dd78e18e249
Instruction ID: 29ef7c559c2b5632b7a43eeabbd59f7aa7ed4c37c321ba34330917687173e4c4
Opcode Fuzzy Hash: 2c4c89830bd83b7b56e4173300f6f6fd3af9396e94150e1126499dd78e18e249
Instruction Fuzzy Hash: A941BD70508205AFD720DF64CCC8FBB7BA8EF8A364F140629F9A4872E1C7709846DB61

Function 009A07EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 009A080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 009A0847
EnterCriticalSection.KERNEL32(?), ref: 009A0863
LeaveCriticalSection.KERNEL32(?), ref: 009A08DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 009A08F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 009A0921

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 3a68245bc01080152fede9c00411e6d35450fc7cb5796df86bf6f0c1258d3ca9
Instruction ID: 3184e4e7ba274adac87ba2c99f7a51230f350ae7168946c8672e141ddcbd1a17
Opcode Fuzzy Hash: 3a68245bc01080152fede9c00411e6d35450fc7cb5796df86bf6f0c1258d3ca9
Instruction Fuzzy Hash: AA418871900205EFDF04AF54DC85AAABBB8FF85300F1440A9ED049A296DB31DE65DBA4

Function 009C81DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0098F3AB,00000000,?,?,00000000,?,0098682C,00000004,00000000,00000000), ref: 009C824C
EnableWindow.USER32(?,00000000), ref: 009C8272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 009C82D1
ShowWindow.USER32(?,00000004), ref: 009C82E5
EnableWindow.USER32(?,00000001), ref: 009C830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 009C832F

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 447fe89c3a1e7e3051d0e5131486435cadd252503fee1fb77d0fb18d9cd33385
Instruction ID: 4646e4180199097d1c25f5e2206450adfb3c89c02bf589fe31e3fc5f3bfd6651
Opcode Fuzzy Hash: 447fe89c3a1e7e3051d0e5131486435cadd252503fee1fb77d0fb18d9cd33385
Instruction Fuzzy Hash: 3841C330A01644EFDB21CF54C899FE67BE4FB4A754F1852ADE5184F2B2CB31A842CB52

Function 00994C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00994C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00994CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00994CEA
_wcslen.LIBCMT ref: 00994D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00994D10
_wcsstr.LIBVCRUNTIME ref: 00994D1A

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 0f2141419a2e9868d520f8c241c1ddfb4f3800db1e16928b8801810cddd1250c
Instruction ID: 0a282f94b51ed6f35a46207f21c635bcc029b6e3d8a16151d5e2cca692269a9d
Opcode Fuzzy Hash: 0f2141419a2e9868d520f8c241c1ddfb4f3800db1e16928b8801810cddd1250c
Instruction Fuzzy Hash: 2A212676604201BBEF169B39AD09E7B7F9CDF89750F108029F809CA191EA61DC4297A0

Function 009A581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00933AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00933A97,?,?,00932E7F,?,?,?,00000000), ref: 00933AC2

_wcslen.LIBCMT ref: 009A587B
CoInitialize.OLE32(00000000), ref: 009A5995
CoCreateInstance.OLE32(009CFCF8,00000000,00000001,009CFB68,?), ref: 009A59AE
CoUninitialize.OLE32 ref: 009A59CC

Strings

.lnk, xrefs: 009A5876, 009A58C1, 009A5985

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 415314ba101a3fa7e1b01b85675152bee0f42b3b5e625ff5d0c721d80f8b9f0f
Instruction ID: c76356af470f4763ddd4ce18cc4726e580d5a09e97157d0baffb49fab893eac3
Opcode Fuzzy Hash: 415314ba101a3fa7e1b01b85675152bee0f42b3b5e625ff5d0c721d80f8b9f0f
Instruction Fuzzy Hash: 28D142B56086019FC714DF25C480A2ABBE5FFCA714F16885DF88A9B361DB31EC45CB92

Function 0099175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00990FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00990FCA
Part of subcall function 00990FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00990FD6
Part of subcall function 00990FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00990FE5
Part of subcall function 00990FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00990FEC
Part of subcall function 00990FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00991002

GetLengthSid.ADVAPI32(?,00000000,00991335), ref: 009917AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 009917BA
HeapAlloc.KERNEL32(00000000), ref: 009917C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 009917DA
GetProcessHeap.KERNEL32(00000000,00000000,00991335), ref: 009917EE
HeapFree.KERNEL32(00000000), ref: 009917F5

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: ab6ea73a944c4672f372f342c6b693de79cef1c284aa90f101b9781f0e9f941b
Instruction ID: a1164737000d055663de573babc3de214e1c121929c7452e3f0124459b649564
Opcode Fuzzy Hash: ab6ea73a944c4672f372f342c6b693de79cef1c284aa90f101b9781f0e9f941b
Instruction Fuzzy Hash: 7E11A972A18206FFDF109FA9CC59FAE7BA9FB41355F144018F486A7220C736A940DB60

Function 009914CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 009914FF
OpenProcessToken.ADVAPI32(00000000), ref: 00991506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00991515
CloseHandle.KERNEL32(00000004), ref: 00991520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0099154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00991563

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: c44ab9c956f1a0db677bb9fbaa31a29400fed278841c1d5e028d63d5cc385217
Instruction ID: ce0aaba77c16580b7c01eea0093e1dbcb67d414f6ce3ecc3110266b59425f70f
Opcode Fuzzy Hash: c44ab9c956f1a0db677bb9fbaa31a29400fed278841c1d5e028d63d5cc385217
Instruction Fuzzy Hash: 8A1117B260424AABDF11CF98ED49FDA7BA9FB48744F054015FA09A2060C3758E61AB61

Function 00953382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00953379,00952FE5), ref: 00953390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0095339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 009533B7
SetLastError.KERNEL32(00000000,?,00953379,00952FE5), ref: 00953409

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 1a7a443fbd82e2b9ea4706badb28713801b578ecdc86f12559cca6f265c0dac4
Instruction ID: ad963482c85753c0a08aaffa2fca13d136e09ae679ac915a350d32ce09ff6ba3
Opcode Fuzzy Hash: 1a7a443fbd82e2b9ea4706badb28713801b578ecdc86f12559cca6f265c0dac4
Instruction Fuzzy Hash: 5301683261D711BEEA15A7767D82A762B48DB453FB320C22DFC10851F0EF210D0EA348

Function 00962D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00965686,00973CD6,?,00000000,?,00965B6A,?,?,?,?,?,0095E6D1,?,009F8A48), ref: 00962D78
_free.LIBCMT ref: 00962DAB
_free.LIBCMT ref: 00962DD3
SetLastError.KERNEL32(00000000,?,?,?,?,0095E6D1,?,009F8A48,00000010,00934F4A,?,?,00000000,00973CD6), ref: 00962DE0
SetLastError.KERNEL32(00000000,?,?,?,?,0095E6D1,?,009F8A48,00000010,00934F4A,?,?,00000000,00973CD6), ref: 00962DEC
_abort.LIBCMT ref: 00962DF2

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 31ba6615e50a1676036dd6ae24299cd9c982c85232a7970f07323af5f3a6c757
Instruction ID: 127c17699996ddde4feb3502af434fb73078867c5a5c1afc56ef464783608aeb
Opcode Fuzzy Hash: 31ba6615e50a1676036dd6ae24299cd9c982c85232a7970f07323af5f3a6c757
Instruction Fuzzy Hash: 81F0FC71A0CE0137C2123734BD36F6F2A5DAFC27E1F254419F828D61D2EF3488015260

Function 009C8A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00949639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00949693
Part of subcall function 00949639: SelectObject.GDI32(?,00000000), ref: 009496A2
Part of subcall function 00949639: BeginPath.GDI32(?), ref: 009496B9
Part of subcall function 00949639: SelectObject.GDI32(?,00000000), ref: 009496E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 009C8A4E
LineTo.GDI32(?,00000003,00000000), ref: 009C8A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 009C8A70
LineTo.GDI32(?,00000000,00000003), ref: 009C8A80
EndPath.GDI32(?), ref: 009C8A90
StrokePath.GDI32(?), ref: 009C8AA0

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 2cc9f312216c873235d007385ffc0ffb9a92bbdad86612619e14724616dc7c08
Instruction ID: 531578cb07e875c5c543aa0c97a5b987dfde58ecdf7c5d80fd932889b83a74b0
Opcode Fuzzy Hash: 2cc9f312216c873235d007385ffc0ffb9a92bbdad86612619e14724616dc7c08
Instruction Fuzzy Hash: 9511F77680410CFFDF129F90DC88EAA7F6CEB08390F048016FA599A1A1C7719D55EBA0

Function 009951FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00995218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00995229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00995230
ReleaseDC.USER32(00000000,00000000), ref: 00995238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0099524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00995261

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: edd5c240cf15fec1c726144091699026877b9d54f705c92f62e2ead419138f8c
Instruction ID: 8db98df5bfec515ef3bf04a02b216c97286d2151573d1240d94be9a72ce0a2f4
Opcode Fuzzy Hash: edd5c240cf15fec1c726144091699026877b9d54f705c92f62e2ead419138f8c
Instruction Fuzzy Hash: CE0144B5E05719BBEF109BA59D49E5EBF78EB48751F044065FA08A7281D6709800DB60

Function 00931BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00931BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00931BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00931C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00931C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00931C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00931C22

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 5d5a0a6d79493b6059f95ad210e81935bab47fa61752b9952f559a4f3ac7dd03
Instruction ID: 3b7333f3fb6d2a9b2b6fea454a163468815ab333baf4a7752e5e2f96e8b7c5a4
Opcode Fuzzy Hash: 5d5a0a6d79493b6059f95ad210e81935bab47fa61752b9952f559a4f3ac7dd03
Instruction Fuzzy Hash: 470167B0902B5ABDE3008F6A8C85B52FFA8FF19354F00411BE15C4BA42C7F5A864CBE5

Function 0099EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0099EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0099EB46
GetWindowThreadProcessId.USER32(?,?), ref: 0099EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0099EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0099EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0099EB75

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: ee0014c0b8b694b94a6c3ab66e3bb3d423b4061a600d0096cc1e89cb06ca7176
Instruction ID: b10239a11fdad9364ad2d38b98474f7a64014389c8c048efad73112a99944ee5
Opcode Fuzzy Hash: ee0014c0b8b694b94a6c3ab66e3bb3d423b4061a600d0096cc1e89cb06ca7176
Instruction Fuzzy Hash: 2CF0BEB2A14159BBE7205B639D0EEEF3E7CEFCAB15F000158F605D1090D7A01A01E7B4

Function 00987439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00987452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00987469
GetWindowDC.USER32(?), ref: 00987475
GetPixel.GDI32(00000000,?,?), ref: 00987484
ReleaseDC.USER32(?,00000000), ref: 00987496
GetSysColor.USER32(00000005), ref: 009874B0

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: d818bbf355728d3125d286e7ccbf5984e3dedc89a433dc13bc298a699c46a6eb
Instruction ID: f0500ae0201b9956f6086ebb46191f7b0ec3429a50af3608e92fe86d95a6b48d
Opcode Fuzzy Hash: d818bbf355728d3125d286e7ccbf5984e3dedc89a433dc13bc298a699c46a6eb
Instruction Fuzzy Hash: E2018B71818205FFDB50AFA4DD08FAABFB6FB04311F240060F91AA21B1CB311E42AB20

Function 00991874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0099187F
UnloadUserProfile.USERENV(?,?), ref: 0099188B
CloseHandle.KERNEL32(?), ref: 00991894
CloseHandle.KERNEL32(?), ref: 0099189C
GetProcessHeap.KERNEL32(00000000,?), ref: 009918A5
HeapFree.KERNEL32(00000000), ref: 009918AC

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 2c1b302e43fbfd195ede36b1d2b5a9bc11ace7b36662f1bf9b88aef0ad7e98ae
Instruction ID: 6ec53d29bacb4cafd31a74a1bdd30caf26b16ac4e1d5f7d5e2dbf303f6e974bf
Opcode Fuzzy Hash: 2c1b302e43fbfd195ede36b1d2b5a9bc11ace7b36662f1bf9b88aef0ad7e98ae
Instruction Fuzzy Hash: 22E01AB681C501BFDB015FA2ED0CD0ABF39FF49B22B108220F22981470CB329420EF50

Function 0099C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00937620: _wcslen.LIBCMT ref: 00937625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0099C6EE
_wcslen.LIBCMT ref: 0099C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0099C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0099C7CA

Strings

0, xrefs: 0099C6AF

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 95a94fc3b8af96fc06a87d1eb70a472efd6f7fe49532f90b31fac66b00f42965
Instruction ID: 87286093caea047dff47b35a7f0a9148b57e76800530f919d075309278422e82
Opcode Fuzzy Hash: 95a94fc3b8af96fc06a87d1eb70a472efd6f7fe49532f90b31fac66b00f42965
Instruction Fuzzy Hash: 5751CDB16083419BDB109F6CCC85BABB7E8AF89354F040A29F995E22E0DB64D904DB52

Function 009BAD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 009BAEA3

Part of subcall function 00937620: _wcslen.LIBCMT ref: 00937625

GetProcessId.KERNEL32(00000000), ref: 009BAF38
CloseHandle.KERNEL32(00000000), ref: 009BAF67

Strings

@, xrefs: 009BAE72
<, xrefs: 009BAE6B

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 110aafa30cd9f4f2c634d7c7883c181355e249a09e0f2542a9205127b85e1aa3
Instruction ID: 29fad344bd2efdd89efbf870280d9253aab44374151d0d023b0594ad27256964
Opcode Fuzzy Hash: 110aafa30cd9f4f2c634d7c7883c181355e249a09e0f2542a9205127b85e1aa3
Instruction Fuzzy Hash: 537177B1A00619DFCB14DF94C584A9EBBF4BF48320F048499E856AB3A2CB74ED41CF91

Function 0099719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00997206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0099723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0099724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 009972CF

Strings

DllGetClassObject, xrefs: 00997242

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 7dac540e1cec1cb54c434410e651549677a5bba646cd9d116463bdf0e9f5e7e5
Instruction ID: dec854472bfab851570e564519adbe7fff02a1ffddc3bee49b998e6ebdc500ac
Opcode Fuzzy Hash: 7dac540e1cec1cb54c434410e651549677a5bba646cd9d116463bdf0e9f5e7e5
Instruction Fuzzy Hash: 40416371A24204DFDF15CF98C884B9ABBA9EF44710F1580A9BD159F20ADBB1D944CBA0

Function 009C3D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 009C3E35
IsMenu.USER32(?), ref: 009C3E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 009C3E92
DrawMenuBar.USER32 ref: 009C3EA5

Strings

0, xrefs: 009C3D89

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: 1f41aab26f1b468140a165de4e3bd230ad99eb4bc3b51d631329aaaba902a964
Instruction ID: 4c58c73ec7567915dc0bf721caa5b82d028ab542cea4c84439b95503df06d78c
Opcode Fuzzy Hash: 1f41aab26f1b468140a165de4e3bd230ad99eb4bc3b51d631329aaaba902a964
Instruction Fuzzy Hash: C9413675A10209AFDB10DFA0D884EAABBB9FF49354F04812DF906A7250D734AE45DFA1

Function 00991DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00939CB3: _wcslen.LIBCMT ref: 00939CBD

Part of subcall function 00993CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00993CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00991E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00991E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 00991EA9

Part of subcall function 00936B57: _wcslen.LIBCMT ref: 00936B6A

Strings

ComboBox, xrefs: 00991DF0
ListBox, xrefs: 00991E25

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: 7637fe07bfe187278983d973caecb62c4c2b4151cdcd324df3f9fc25f54f4f6b
Instruction ID: b5d2939a5df68d25f65b325359fe3c9a2c4834c58cb18199f5ed590a59cd73f9
Opcode Fuzzy Hash: 7637fe07bfe187278983d973caecb62c4c2b4151cdcd324df3f9fc25f54f4f6b
Instruction Fuzzy Hash: 4C213571A00105BFDF14ABA8DD46EFFBBB8EF81350F108519F825A31E0DB7849099A20

Function 009C2F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 009C2F8D
LoadLibraryW.KERNEL32(?), ref: 009C2F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 009C2FA9
DestroyWindow.USER32(?), ref: 009C2FB1

Strings

SysAnimate32, xrefs: 009C2F68

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 98b8423291415b4f8ab1a7bf0923355f776193ef61710280ad9a4e695a7fe033
Instruction ID: 7b9aef8280b7346ff96608f6c24fe5ce572ec1617f079a45fe23e8c2a09a3fda
Opcode Fuzzy Hash: 98b8423291415b4f8ab1a7bf0923355f776193ef61710280ad9a4e695a7fe033
Instruction Fuzzy Hash: AD21AC71A04209ABEB218FA4DC80FBB7BBDEB99364F10461CFA50D21E0D771DC51A761

Function 00954D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00954D1E,009628E9,?,00954CBE,009628E9,009F88B8,0000000C,00954E15,009628E9,00000002), ref: 00954D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00954DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00954D1E,009628E9,?,00954CBE,009628E9,009F88B8,0000000C,00954E15,009628E9,00000002,00000000), ref: 00954DC3

Strings

CorExitProcess, xrefs: 00954D98
mscoree.dll, xrefs: 00954D86

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: ac189f8cda7ec341982afe5c9f3b67dedb865ec889984dc57b942196e3ea44bf
Instruction ID: 6d0e8cfe6df6ea1fe7abca3289b6ca7e1764383ece6561c6ac7aedfce81c184e
Opcode Fuzzy Hash: ac189f8cda7ec341982afe5c9f3b67dedb865ec889984dc57b942196e3ea44bf
Instruction Fuzzy Hash: BAF04474954208BBDB119F91DC49FADBFB9EF84756F044055FD09A6290CB305984DB90

Function 00934E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00934EDD,?,00A01418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00934E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00934EAE
FreeLibrary.KERNEL32(00000000,?,?,00934EDD,?,00A01418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00934EC0

Strings

kernel32.dll, xrefs: 00934E94
Wow64DisableWow64FsRedirection, xrefs: 00934EA8

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: a313505c086c325645b5f8803601d293a5017741b52e0efc4ee366d379f944be
Instruction ID: 5a10815b06b5dc1289f0ce295accf5dc3b1a86ab3eae147c9e147bbd880eb5c3
Opcode Fuzzy Hash: a313505c086c325645b5f8803601d293a5017741b52e0efc4ee366d379f944be
Instruction Fuzzy Hash: 8BE0CD75E1D5225BD33117266C18F6F695CAFC1F62F0A0115FD08D2110DB64DD0296A1

Function 00934E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00973CDE,?,00A01418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00934E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00934E74
FreeLibrary.KERNEL32(00000000,?,?,00973CDE,?,00A01418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00934E87

Strings

Wow64RevertWow64FsRedirection, xrefs: 00934E6E
kernel32.dll, xrefs: 00934E5B

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: d013fc8c5e795cc077a0bbd4706710f95c155a30e8999022a63af0c75a7404ef
Instruction ID: 4d39f9997a877c4a85b0d81d0108faa1775b8e4446c361965ca63652588452f4
Opcode Fuzzy Hash: d013fc8c5e795cc077a0bbd4706710f95c155a30e8999022a63af0c75a7404ef
Instruction Fuzzy Hash: 4ED0C232D1A6215746321B26BC08E8B2E1CAFC1F5530A0114F908A2110CF20CE02DAD1

Function 009A2947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 009A2C05
DeleteFileW.KERNEL32(?), ref: 009A2C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 009A2C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 009A2CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 009A2CC0

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: b5ce81444d1d767dd8849e6ce1b5648422b253ace78b0973b819fed2d5b344f5
Instruction ID: 056468b5049bfee4b4ab2632589c25a5d6e9860cc4341feef4cee2e03a903adc
Opcode Fuzzy Hash: b5ce81444d1d767dd8849e6ce1b5648422b253ace78b0973b819fed2d5b344f5
Instruction Fuzzy Hash: F1B15E72D00119ABDF25DBA8CC85FDEBB7DEF89350F1040A6F909E6141EB359A448FA1

Function 009BA387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 009BA427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 009BA435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 009BA468
CloseHandle.KERNEL32(?), ref: 009BA63D

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: fa8a04e6c0d5ff59f6173ed641b90315ad569f2d8433d606799c56c9804c2d86
Instruction ID: ae6500f124015aafe68796bbfdbaa3a1357753ce6937cb02bc2b266a21f1948e
Opcode Fuzzy Hash: fa8a04e6c0d5ff59f6173ed641b90315ad569f2d8433d606799c56c9804c2d86
Instruction Fuzzy Hash: 9FA193B1604700AFD720DF24C986F6AB7E5AF84714F14885DF59A9B292D7B0EC418F92

Function 0096BB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,009D3700), ref: 0096BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,00A0121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0096BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00A01270,000000FF,?,0000003F,00000000,?), ref: 0096BC36
_free.LIBCMT ref: 0096BB7F

Part of subcall function 009629C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0096D7D1,00000000,00000000,00000000,00000000,?,0096D7F8,00000000,00000007,00000000,?,0096DBF5,00000000), ref: 009629DE
Part of subcall function 009629C8: GetLastError.KERNEL32(00000000,?,0096D7D1,00000000,00000000,00000000,00000000,?,0096D7F8,00000000,00000007,00000000,?,0096DBF5,00000000,00000000), ref: 009629F0

_free.LIBCMT ref: 0096BD4B

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: cc835dbb72584fa8f09963444d4ab14b12badcd14983279697adcd804659559e
Instruction ID: 47e302af78e7d1723ed1503b76ef8a7079d101349af3dee185ff16d45f25e10b
Opcode Fuzzy Hash: cc835dbb72584fa8f09963444d4ab14b12badcd14983279697adcd804659559e
Instruction Fuzzy Hash: DE51C772D04209AFCB10EF699C81AEEB7BCEF84350B10466AE554D7291FB749E829B50

Function 0099E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0099DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0099CF22,?), ref: 0099DDFD

Part of subcall function 0099DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0099CF22,?), ref: 0099DE16

Part of subcall function 0099E199: GetFileAttributesW.KERNEL32(?,0099CF95), ref: 0099E19A

lstrcmpiW.KERNEL32(?,?), ref: 0099E473
MoveFileW.KERNEL32(?,?), ref: 0099E4AC
_wcslen.LIBCMT ref: 0099E5EB
_wcslen.LIBCMT ref: 0099E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0099E650

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: f71c1c09718f4d34a3a51175fc84a7ac3335c66269b74c3d89c01b4fd89a223e
Instruction ID: d0de6ae56d11ca324a9de5f0f8c346474607fdfe1a83b95f1196e69d0b01659e
Opcode Fuzzy Hash: f71c1c09718f4d34a3a51175fc84a7ac3335c66269b74c3d89c01b4fd89a223e
Instruction Fuzzy Hash: F15151B24083459BCB24DBA4D881ADFB3ECAFC4340F04491EF589D3191EF75A688CB66

Function 009BB9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00939CB3: _wcslen.LIBCMT ref: 00939CBD

Part of subcall function 009BC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,009BB6AE,?,?), ref: 009BC9B5
Part of subcall function 009BC998: _wcslen.LIBCMT ref: 009BC9F1
Part of subcall function 009BC998: _wcslen.LIBCMT ref: 009BCA68
Part of subcall function 009BC998: _wcslen.LIBCMT ref: 009BCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 009BBAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 009BBB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 009BBB63
RegCloseKey.ADVAPI32(?,?), ref: 009BBBA6
RegCloseKey.ADVAPI32(00000000), ref: 009BBBB3

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 2c15954725f83b6df43be929f8917d24fb257b38e77a15cf252900109b068d64
Instruction ID: a7422459bed88badfe08d18443ff64b876f8f8fa66ea81aa382e4dee6bb31dcb
Opcode Fuzzy Hash: 2c15954725f83b6df43be929f8917d24fb257b38e77a15cf252900109b068d64
Instruction Fuzzy Hash: ED61BF71608201AFD714DF14C990F6ABBE9FF84318F14895CF4998B2A2CB71ED45CB92

Function 00998BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00998BCD
VariantClear.OLEAUT32 ref: 00998C3E
VariantClear.OLEAUT32 ref: 00998C9D
VariantClear.OLEAUT32(?), ref: 00998D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00998D3B

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 2c851f26000c1a6d1bb87782e67b3cd3eeb0da14f1a6a41181fb639c2d3d6406
Instruction ID: d0833e571d8948698d3f521805adb9b853b69ce52e6e50a30e7896ce9713ac12
Opcode Fuzzy Hash: 2c851f26000c1a6d1bb87782e67b3cd3eeb0da14f1a6a41181fb639c2d3d6406
Instruction Fuzzy Hash: CE5158B5A10219EFCB14CF68C894EAABBF9FF89310B158559E909DB350E734E911CF90

Function 009A8AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 009A8BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 009A8BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 009A8C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 009A8C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 009A8C5F

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: f0e409e681b7d1b0c3bf1e1c2f73122fba7538b9309075ede042e86f8af95942
Instruction ID: 099c9579ded6ad17e27a1408f5782d65e280476cac4865777456cac1d1a9a239
Opcode Fuzzy Hash: f0e409e681b7d1b0c3bf1e1c2f73122fba7538b9309075ede042e86f8af95942
Instruction Fuzzy Hash: 72515A75A00219AFCB14DF65C880E6ABBF5FF89314F088458E849AB362CB31ED51CF90

Function 009B8EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 009B8F40
GetProcAddress.KERNEL32(00000000,?), ref: 009B8FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 009B8FEC
GetProcAddress.KERNEL32(00000000,?), ref: 009B9032
FreeLibrary.KERNEL32(00000000), ref: 009B9052

Part of subcall function 0094F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,009A1043,?,7529E610), ref: 0094F6E6
Part of subcall function 0094F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,0098FA64,00000000,00000000,?,?,009A1043,?,7529E610,?,0098FA64), ref: 0094F70D

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: ca4d63beb7c2ef33c0e8c4749dc420bb246adcdb4329b3ea3e2162915627d3f2
Instruction ID: 6b53ea89c12aedd02e521985ce7ac0c8c2dd968bcf047f14d250495db3d19c41
Opcode Fuzzy Hash: ca4d63beb7c2ef33c0e8c4749dc420bb246adcdb4329b3ea3e2162915627d3f2
Instruction Fuzzy Hash: 91514935604205DFCB10EF58C5949ADBBB5FF89324F088098E90A9B362DB31ED86CF90

Function 009C6B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 009C6C33
SetWindowLongW.USER32(?,000000EC,?), ref: 009C6C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 009C6C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,009AAB79,00000000,00000000), ref: 009C6C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 009C6CC7

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: 963f628abad869f63a2cbef2aa0dae244d431ea555ddc73210c7661e33c28a37
Instruction ID: 5b55a85d0774d123ecd208003ded4c44dc8209911fda82252aad12a2e2d59c79
Opcode Fuzzy Hash: 963f628abad869f63a2cbef2aa0dae244d431ea555ddc73210c7661e33c28a37
Instruction Fuzzy Hash: A741D235E44104AFDB24CF68CD58FA97FA9EB49350F14022CFAD9A72E1C371AD41DA81

Function 00962051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 009620C3
_free.LIBCMT ref: 009620E3

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: d46ac16b5a1a6dfd603a5ea2dc33d5093ffb554f4245554155e871d79f7d46ec
Instruction ID: 96e3faf3323a49f5ef7a25f1d8aa4bdc4094c47462cefdb774a23b6e36d88398
Opcode Fuzzy Hash: d46ac16b5a1a6dfd603a5ea2dc33d5093ffb554f4245554155e871d79f7d46ec
Instruction Fuzzy Hash: 6B41F672A006049FCB24DF78C981A6EB7F5EF89314F154569E915EB351DB31ED01DB80

Function 0094912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00949141
ScreenToClient.USER32(00000000,?), ref: 0094915E
GetAsyncKeyState.USER32(00000001), ref: 00949183
GetAsyncKeyState.USER32(00000002), ref: 0094919D

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 022d687631c44d8d6e1181e53ba48db3a4a20cdf332c98fbfd19575f3f96a5c3
Instruction ID: 2af70f817753f6f0e77b780790b97b2ac0e5ac13cabdd3d11295c17f7bdf7e10
Opcode Fuzzy Hash: 022d687631c44d8d6e1181e53ba48db3a4a20cdf332c98fbfd19575f3f96a5c3
Instruction Fuzzy Hash: DB41607190C60ABBDF15AFA4C848FEEF774FB49320F204619E429A32D0C734A950DB51

Function 009A3874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 009A38CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 009A3922
TranslateMessage.USER32(?), ref: 009A394B
DispatchMessageW.USER32(?), ref: 009A3955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 009A3966

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 3f3a0931b4dac074ef28a3e0a844f5e868f7ac13831ebe7fdb52c9d5425b02bf
Instruction ID: 0c0c248b10f86b0a084ec86c4da9e55826b02d5c2b27ac21beaa6793b5839e8a
Opcode Fuzzy Hash: 3f3a0931b4dac074ef28a3e0a844f5e868f7ac13831ebe7fdb52c9d5425b02bf
Instruction Fuzzy Hash: 0031C670908345DFEB25CB749848FB73BACEB47304F04856DF456861A0E3B89686CB91

Function 009ACF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,009AC21E,00000000), ref: 009ACF38
InternetReadFile.WININET(?,00000000,?,?), ref: 009ACF6F
GetLastError.KERNEL32(?,00000000,?,?,?,009AC21E,00000000), ref: 009ACFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,009AC21E,00000000), ref: 009ACFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,009AC21E,00000000), ref: 009ACFF2

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 7fba063c568fc85da8f02bef816572d15ee0a1667bef7b11fe3897d153b5ff0a
Instruction ID: 3df9268800dfd33289504387fa66b8afc9bce62fb3f9a14b317c783bef3ab5bd
Opcode Fuzzy Hash: 7fba063c568fc85da8f02bef816572d15ee0a1667bef7b11fe3897d153b5ff0a
Instruction Fuzzy Hash: 63315EB1904205EFDB20DFA5C884EABBBFDEB15355B10442EF51AD6140DB30EE41DBA0

Function 00991901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00991915
PostMessageW.USER32(00000001,00000201,00000001), ref: 009919C1
Sleep.KERNEL32(00000000,?,?,?), ref: 009919C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 009919DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 009919E2

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: bdd7d9230c9dd313e4a00b7cdd5ff34d1281cde5761fa03ae54f04fbf2d642bc
Instruction ID: 7d53ed30b57853d6ea9c7facb678856d7bff0966714b9784287568a76e750a66
Opcode Fuzzy Hash: bdd7d9230c9dd313e4a00b7cdd5ff34d1281cde5761fa03ae54f04fbf2d642bc
Instruction Fuzzy Hash: 6431AD71A0021AEFDF00CFACDA99ADE3BB9FB44315F104229F925A72D1C7709944DB90

Function 009C5706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 009C5745
SendMessageW.USER32(?,00001074,?,00000001), ref: 009C579D
_wcslen.LIBCMT ref: 009C57AF
_wcslen.LIBCMT ref: 009C57BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 009C5816

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: f058b80432790855ebf2f40e01db33dbb702fb0ff8215c8b68c973ca969dbbce
Instruction ID: e98262031ecea29514abcfc1b3b0662ac35e47002b96dee80b6cd141a808947e
Opcode Fuzzy Hash: f058b80432790855ebf2f40e01db33dbb702fb0ff8215c8b68c973ca969dbbce
Instruction Fuzzy Hash: C621C171D046089ADB209FA1CC85FEE7BBCFF40724F10865AE929EA194D770AAC5CF51

Function 009B0930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 009B0951
GetForegroundWindow.USER32 ref: 009B0968
GetDC.USER32(00000000), ref: 009B09A4
GetPixel.GDI32(00000000,?,00000003), ref: 009B09B0
ReleaseDC.USER32(00000000,00000003), ref: 009B09E8

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: b3eb84403cd27ccaee376fd26170af38c709225e40593472dd5ce63014ea1354
Instruction ID: 16b89c72c5d950c45aebc71cf9cbb206bcc32f530a33df06bc7855c6e5bf6124
Opcode Fuzzy Hash: b3eb84403cd27ccaee376fd26170af38c709225e40593472dd5ce63014ea1354
Instruction Fuzzy Hash: 55218475A04204AFD704EF65C948E9EBBE9EF89750F148468F84A97751CB30AC44DF90

Function 0094990E Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 009498CC
SetTextColor.GDI32(?,?), ref: 009498D6
SetBkMode.GDI32(?,00000001), ref: 009498E9
GetStockObject.GDI32(00000005), ref: 009498F1
GetWindowLongW.USER32(?,000000EB), ref: 00949952

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: Color$LongModeObjectStockTextWindow
String ID:
API String ID: 1860813098-0
Opcode ID: 244ccfa9c1ebf6be86c960dee7b6a63dfd85d5aacd458e1930787c1920722779
Instruction ID: 20e1e9d2c50af37fe18a3a065dbc91e8d15f0feb634e6846a8a47b0f4cceb978
Opcode Fuzzy Hash: 244ccfa9c1ebf6be86c960dee7b6a63dfd85d5aacd458e1930787c1920722779
Instruction Fuzzy Hash: 3721F3719492509FC7228F35EC69EE73FA89F53330B18029DF5968B2A2C7364942DB50

Function 0096CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0096CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0096CDE9

Part of subcall function 00963820: RtlAllocateHeap.NTDLL(00000000,?,00A01444,?,0094FDF5,?,?,0093A976,00000010,00A01440,009313FC,?,009313C6,?,00931129), ref: 00963852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0096CE0F
_free.LIBCMT ref: 0096CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0096CE31

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 1423da89761b5f1b8ca49d7a1b968f19488e5cee7115bedb13b628f166d38935
Instruction ID: c865c6c18cc242d6d6444ad95b466763b513ede718854825c515875abe368fc4
Opcode Fuzzy Hash: 1423da89761b5f1b8ca49d7a1b968f19488e5cee7115bedb13b628f166d38935
Instruction Fuzzy Hash: F30184F2A066157F232216B66C88D7B7E7DDEC6BA13150129F949D7201EA6A8D01A2B0

Function 00949639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00949693
SelectObject.GDI32(?,00000000), ref: 009496A2
BeginPath.GDI32(?), ref: 009496B9
SelectObject.GDI32(?,00000000), ref: 009496E2

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 75f94b6e99b94446a91e55c893e31a762cf6fc767041b06a87404b3d7e72202d
Instruction ID: 4f99f37ac90478fc60bfc6de17580244e381f288f8a3c0e04daf7165caae210d
Opcode Fuzzy Hash: 75f94b6e99b94446a91e55c893e31a762cf6fc767041b06a87404b3d7e72202d
Instruction Fuzzy Hash: E8218B70816309EFDF11DFA5EC58FEA7BA8BB503A5F110216F824A61B0D3709893DB90

Function 00995711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00995726
_memcmp.LIBVCRUNTIME ref: 00995744
_memcmp.LIBVCRUNTIME ref: 00995757
_memcmp.LIBVCRUNTIME ref: 0099576F
_memcmp.LIBVCRUNTIME ref: 00995787

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: a9a3f8c1735c9a460a388b2ab665538771fcd2920515a707455322a550d72248
Instruction ID: 4d5b0b2a497249b66a1c7c9026dda4660bc00d9f8c0850b305567661979336cc
Opcode Fuzzy Hash: a9a3f8c1735c9a460a388b2ab665538771fcd2920515a707455322a550d72248
Instruction Fuzzy Hash: A201F561781609BBEA099659ADA2FBB735D9BA1399F014024FD089A241F730EF1483B1

Function 00962DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0095F2DE,00963863,00A01444,?,0094FDF5,?,?,0093A976,00000010,00A01440,009313FC,?,009313C6), ref: 00962DFD
_free.LIBCMT ref: 00962E32
_free.LIBCMT ref: 00962E59
SetLastError.KERNEL32(00000000,00931129), ref: 00962E66
SetLastError.KERNEL32(00000000,00931129), ref: 00962E6F

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 839f652f8ad80cc61358f9cc2aedcd7c6a794586cdbd588716da78c432c333ea
Instruction ID: 7f9a953e5339b4bec59f2d4874838dc7a3fbfe4367ae8454d1f4d3defec263e2
Opcode Fuzzy Hash: 839f652f8ad80cc61358f9cc2aedcd7c6a794586cdbd588716da78c432c333ea
Instruction Fuzzy Hash: FE012876649E0077C71327747E49E3B2A5DEBD13B1B258438F425A22D2EF368C015120

Function 0099000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0098FF41,80070057,?,?,?,0099035E), ref: 0099002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0098FF41,80070057,?,?), ref: 00990046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0098FF41,80070057,?,?), ref: 00990054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0098FF41,80070057,?), ref: 00990064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0098FF41,80070057,?,?), ref: 00990070

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: e3a3b8dc24c671965a923df93ced1b3dd3688f1946c8125def8b48ac81dd0212
Instruction ID: 1b042c52f8e04d37e598c43152aded07c5383fd4b3b4bcd3888b148d6324087c
Opcode Fuzzy Hash: e3a3b8dc24c671965a923df93ced1b3dd3688f1946c8125def8b48ac81dd0212
Instruction Fuzzy Hash: C9014BB6A10218BFDF118F69DC44FAA7EEDEB88792F144124F909D6210E775DD40EBA0

Function 0099E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 0099E997
QueryPerformanceFrequency.KERNEL32(?), ref: 0099E9A5
Sleep.KERNEL32(00000000), ref: 0099E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 0099E9B7
Sleep.KERNEL32 ref: 0099E9F3

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 601d563b4f598f97339fe607c894d77989dbf7fea1369ff4212546054a2df22b
Instruction ID: f835c2a4b94a2feba3668ecad8a619a9599b6c0516075d115be0c7f4277d8cfa
Opcode Fuzzy Hash: 601d563b4f598f97339fe607c894d77989dbf7fea1369ff4212546054a2df22b
Instruction Fuzzy Hash: B6015371C19A2DDBCF00EBE9DC59AEDBB78FB08301F050946E902B2241CB349A509BA1

Function 009910F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00991114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00990B9B,?,?,?), ref: 00991120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00990B9B,?,?,?), ref: 0099112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00990B9B,?,?,?), ref: 00991136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0099114D

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 3f851d337c08c0e0f056081423c2a1dc26aae23519a90bd28a08be77dff1251f
Instruction ID: 706f1b480b671d6b0fa76d39e92cf8647f2960161d495c044c57e63bdffd523b
Opcode Fuzzy Hash: 3f851d337c08c0e0f056081423c2a1dc26aae23519a90bd28a08be77dff1251f
Instruction Fuzzy Hash: AA01F6B5614206BFDB114BA9DC49E6A3F6EEF893A0B244419FA49D6260DB31DC01AB60

Function 00990FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00990FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00990FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00990FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00990FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00991002

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 50d92a5ef5a40e7a86a1a48fc5ae74caac405eafc73d4b17c18a79b6d7673410
Instruction ID: af953a33d1fd8414faf1e2c14f73249be3f5995036a04607091f526f8b18f190
Opcode Fuzzy Hash: 50d92a5ef5a40e7a86a1a48fc5ae74caac405eafc73d4b17c18a79b6d7673410
Instruction Fuzzy Hash: 17F049B5614302ABDB214FA9AC49F563FADFF89762F144414FA49C6261CA71DC40DB60

Function 00991014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0099102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00991036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00991045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0099104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00991062

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 419dcd0707cb0082d74b73fcd85a176a4f4f2a4e60e428ba5d40306e6ed05c65
Instruction ID: 0c815ceed91297dafc26fc6698cf5c71dee0f2d6a1e003fb5cc69d55ad614996
Opcode Fuzzy Hash: 419dcd0707cb0082d74b73fcd85a176a4f4f2a4e60e428ba5d40306e6ed05c65
Instruction Fuzzy Hash: 9CF06DB5614302EBDB215FA9EC59F563FADFF897A1F140414FA49C7250CA71D8409B60

Function 009A030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,009A017D,?,009A32FC,?,00000001,00972592,?), ref: 009A0324
CloseHandle.KERNEL32(?,?,?,?,009A017D,?,009A32FC,?,00000001,00972592,?), ref: 009A0331
CloseHandle.KERNEL32(?,?,?,?,009A017D,?,009A32FC,?,00000001,00972592,?), ref: 009A033E
CloseHandle.KERNEL32(?,?,?,?,009A017D,?,009A32FC,?,00000001,00972592,?), ref: 009A034B
CloseHandle.KERNEL32(?,?,?,?,009A017D,?,009A32FC,?,00000001,00972592,?), ref: 009A0358
CloseHandle.KERNEL32(?,?,?,?,009A017D,?,009A32FC,?,00000001,00972592,?), ref: 009A0365

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 914cf6fbf620a129c07a5fb557b22e939af1e900f85a2103b48843834d9651c0
Instruction ID: be09804f7dd44abfb0d8bb41e96badea92994da71631f80ea897170c94572065
Opcode Fuzzy Hash: 914cf6fbf620a129c07a5fb557b22e939af1e900f85a2103b48843834d9651c0
Instruction Fuzzy Hash: DA01AA72800B159FCB30AF66D880812FBF9BFA13153158A3FD19652931CBB1A998DF80

Function 0096D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0096D752

Part of subcall function 009629C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0096D7D1,00000000,00000000,00000000,00000000,?,0096D7F8,00000000,00000007,00000000,?,0096DBF5,00000000), ref: 009629DE
Part of subcall function 009629C8: GetLastError.KERNEL32(00000000,?,0096D7D1,00000000,00000000,00000000,00000000,?,0096D7F8,00000000,00000007,00000000,?,0096DBF5,00000000,00000000), ref: 009629F0

_free.LIBCMT ref: 0096D764
_free.LIBCMT ref: 0096D776
_free.LIBCMT ref: 0096D788
_free.LIBCMT ref: 0096D79A

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 5a91e1c63783b36c2eff252a90e712b63ea5264870a11342d3e214fda79178f4
Instruction ID: 434eff586971569632163f21b1be64215904ab1c5e4f00eeda85d9eadfed0a94
Opcode Fuzzy Hash: 5a91e1c63783b36c2eff252a90e712b63ea5264870a11342d3e214fda79178f4
Instruction Fuzzy Hash: 3BF036B2B55608AB8629EB64FBC5D2677DDBB84750B944C05F058D7501CB30FC80D665

Function 00995C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00995C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00995C6F
MessageBeep.USER32(00000000), ref: 00995C87
KillTimer.USER32(?,0000040A), ref: 00995CA3
EndDialog.USER32(?,00000001), ref: 00995CBD

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 5c5cb89f440d2db6b53b3425dd677bf8bad4dc753146e7986cb2d27e7182e71f
Instruction ID: 861e7853052e427ff02f166386e81dce043be966ffedf01fc5927f0c598157d0
Opcode Fuzzy Hash: 5c5cb89f440d2db6b53b3425dd677bf8bad4dc753146e7986cb2d27e7182e71f
Instruction Fuzzy Hash: 0C018170914B04ABFF215B14DF4EFA67BB8BB00B05F010559E687A15E1EBF4A9849F90

Function 009622A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 009622BE

Part of subcall function 009629C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0096D7D1,00000000,00000000,00000000,00000000,?,0096D7F8,00000000,00000007,00000000,?,0096DBF5,00000000), ref: 009629DE
Part of subcall function 009629C8: GetLastError.KERNEL32(00000000,?,0096D7D1,00000000,00000000,00000000,00000000,?,0096D7F8,00000000,00000007,00000000,?,0096DBF5,00000000,00000000), ref: 009629F0

_free.LIBCMT ref: 009622D0
_free.LIBCMT ref: 009622E3
_free.LIBCMT ref: 009622F4
_free.LIBCMT ref: 00962305

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: eaecd1b08df5f0b404e483217e516bcc5be383e0cd32af3b5d5af94a55c89ddf
Instruction ID: 020ec2780a166b2b9ad16d1e597e52533535f948be797602260feadba017701f
Opcode Fuzzy Hash: eaecd1b08df5f0b404e483217e516bcc5be383e0cd32af3b5d5af94a55c89ddf
Instruction Fuzzy Hash: 6EF05EB0914A298BC716EFD8BE11E983BA8F7987A1B00451AF410D22B1CB310813FFE5

Function 009495C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 009495D4
StrokeAndFillPath.GDI32(?,?,009871F7,00000000,?,?,?), ref: 009495F0
SelectObject.GDI32(?,00000000), ref: 00949603
DeleteObject.GDI32 ref: 00949616
StrokePath.GDI32(?), ref: 00949631

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 43f3065de6f86daf2d8b36d47fb7d7f830fc36b8b7fbd93ac0b2026647748ee7
Instruction ID: ba2f6de0027c465e92b2161c2d2856726831546e4f1724aa2f557cb29f48b91d
Opcode Fuzzy Hash: 43f3065de6f86daf2d8b36d47fb7d7f830fc36b8b7fbd93ac0b2026647748ee7
Instruction Fuzzy Hash: 0DF0143140A208EBDB22DFA9ED1CFA53F65AB013A2F548214F869550F0C7308993EF20

Function 00960F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 009610F9
__freea.LIBCMT ref: 00961117

Part of subcall function 00961537: _free.LIBCMT ref: 0096154F

Strings

a/p, xrefs: 009611DE
am/pm, xrefs: 0096117A

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 72a6d5f353226cbb6ea2c7bf81fbe122a24a7b02858f51eeb276fd957e1c84ac
Instruction ID: ddbf301533098bca2d12c6ead5b3230117ddf40f0c8eb7be2d6984c1c0ce98d2
Opcode Fuzzy Hash: 72a6d5f353226cbb6ea2c7bf81fbe122a24a7b02858f51eeb276fd957e1c84ac
Instruction Fuzzy Hash: 65D12431904206DBDB289F68C895BFEB7B9FF46300F2C4559E916AB750E3399D80CB91

Function 009B7B7E Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00950242: EnterCriticalSection.KERNEL32(00A0070C,00A01884,?,?,0094198B,00A02518,?,?,?,009312F9,00000000), ref: 0095024D
Part of subcall function 00950242: LeaveCriticalSection.KERNEL32(00A0070C,?,0094198B,00A02518,?,?,?,009312F9,00000000), ref: 0095028A

Part of subcall function 00939CB3: _wcslen.LIBCMT ref: 00939CBD

Part of subcall function 009500A3: __onexit.LIBCMT ref: 009500A9

__Init_thread_footer.LIBCMT ref: 009B7BFB

Part of subcall function 009501F8: EnterCriticalSection.KERNEL32(00A0070C,?,?,00948747,00A02514), ref: 00950202
Part of subcall function 009501F8: LeaveCriticalSection.KERNEL32(00A0070C,?,00948747,00A02514), ref: 00950235

Strings

Variable must be of type 'Object'., xrefs: 009B7C3A
5, xrefs: 009B7C78
G, xrefs: 009B7C7F

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: 5$G$Variable must be of type 'Object'.
API String ID: 535116098-3733170431
Opcode ID: 0c1b58e9aa890ebac278ecc99050f2bac5e8dee086edb061d6c234357e3cb5d5
Instruction ID: 3e3d2ba6155fc228050eee130662237bd2b3c0d0eba93b7440a04f2b616a6cdf
Opcode Fuzzy Hash: 0c1b58e9aa890ebac278ecc99050f2bac5e8dee086edb061d6c234357e3cb5d5
Instruction Fuzzy Hash: CB919B70A04209AFCB14EF94DA91EFDBBB5BFC8310F108549F8469B292DB71AE41CB51

Function 00992716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0099B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,009921D0,?,?,00000034,00000800,?,00000034), ref: 0099B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00992760

Part of subcall function 0099B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,009921FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0099B3F8

Part of subcall function 0099B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0099B355
Part of subcall function 0099B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00992194,00000034,?,?,00001004,00000000,00000000), ref: 0099B365
Part of subcall function 0099B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00992194,00000034,?,?,00001004,00000000,00000000), ref: 0099B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 009927CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0099281A

Strings

@, xrefs: 00992832

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: b6d34602c893ab36de1e52d537bb7df922a0cd92be5adaa2a00025b6058bbfe6
Instruction ID: 3648db52835a95886da6698859300a846097e607760c5d9e5e028a357df612e6
Opcode Fuzzy Hash: b6d34602c893ab36de1e52d537bb7df922a0cd92be5adaa2a00025b6058bbfe6
Instruction Fuzzy Hash: 53412972900218BEDF10DBA8D942FEEBBB8AF49300F104095EA55B7191DA716E45DBA1

Function 0096172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 00961769
_free.LIBCMT ref: 00961834
_free.LIBCMT ref: 0096183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 00961760, 00961767, 00961796, 009617CE

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-517116171
Opcode ID: 0e83552010071910abfdae1c33ea256ea55ab13c628b1387a092c0905319b747
Instruction ID: 73dadb5d02c16e8a24710ef2aae7996cf353c846db0d2fd570d2690e7131d2e2
Opcode Fuzzy Hash: 0e83552010071910abfdae1c33ea256ea55ab13c628b1387a092c0905319b747
Instruction Fuzzy Hash: A0317EB1A04218AFDB21DF99DC85EDEBBFCEB89350F1841AAF804D7211D6708E41CB90

Function 0099C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0099C306
DeleteMenu.USER32(?,00000007,00000000), ref: 0099C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00A01990,013A5DB8), ref: 0099C395

Strings

0, xrefs: 0099C2DF

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 898c5efcad2bd1bb619dff82c2cb46705c1967c26805d83a7a8dc3614cdcc9cc
Instruction ID: a11e92c8b40c385330507617ecd58debac54078f8f5f80ea8a572f1d6658472b
Opcode Fuzzy Hash: 898c5efcad2bd1bb619dff82c2cb46705c1967c26805d83a7a8dc3614cdcc9cc
Instruction Fuzzy Hash: 8341A3B12083419FDB20DF29DC46F5ABBE8AF85311F148A1DF9A5972D1D770E904CB52

Function 009C4416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,009CCC08,00000000,?,?,?,?), ref: 009C44AA
GetWindowLongW.USER32 ref: 009C44C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 009C44D7

Strings

SysTreeView32, xrefs: 009C447C

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 2f4bd233e0f78bc3c2eead97ec4a47b2f46f52dfec3a078f4bdfc9dd1970dff5
Instruction ID: c3772c4f772019be3d876b0e20deb3afcb52fa2fd951f7b8e159784994460be4
Opcode Fuzzy Hash: 2f4bd233e0f78bc3c2eead97ec4a47b2f46f52dfec3a078f4bdfc9dd1970dff5
Instruction Fuzzy Hash: 2B31AB71A14605AFDB248F38DC45FEA7BA9EB48334F204719F979921E0D770EC509B50

Function 009B304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 009B335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,009B3077,?,?), ref: 009B3378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 009B307A
_wcslen.LIBCMT ref: 009B309B
htons.WSOCK32(00000000,?,?,00000000), ref: 009B3106

Strings

255.255.255.255, xrefs: 009B3095, 009B309A

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: f0a96020a28963db6f9d37a96c57a604cc31876970c0f4aba4238172d039a085
Instruction ID: 1cec906c6afcd63c501cbceb7b500ab8d4ee31c7195d2558d701dae1d9e5a3e9
Opcode Fuzzy Hash: f0a96020a28963db6f9d37a96c57a604cc31876970c0f4aba4238172d039a085
Instruction Fuzzy Hash: FA31D5356042059FC710DF68C685FEA77E8EF54328F64C059E9158B392DB71DE45CB60

Function 009C3EB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 009C3F40
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 009C3F54
SendMessageW.USER32(?,00001002,00000000,?), ref: 009C3F78

Strings

SysMonthCal32, xrefs: 009C3F0B

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: b618f91546e0f3e54921d28815c68c39289a608a7a784a141a84b7fb15e43e9f
Instruction ID: 4861a983ccccf56450473a2366914f26c5907a98112a05daefd80d36274ab18d
Opcode Fuzzy Hash: b618f91546e0f3e54921d28815c68c39289a608a7a784a141a84b7fb15e43e9f
Instruction Fuzzy Hash: 4921B132A10219BBEF158F50CC46FEA3B79EB88714F114218FA156B1D0D6B1A9509B90

Function 009C4653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 009C4705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 009C4713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 009C471A

Strings

msctls_updown32, xrefs: 009C4684

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 00c0908c87c4cdd7e78e1beddff8e9ef5416c9209c36a40905557e9ce9d05cde
Instruction ID: 4f78511e4372f76bd6dcf41d2e2e2511cd0d48e6c50026e1758691f787c8292e
Opcode Fuzzy Hash: 00c0908c87c4cdd7e78e1beddff8e9ef5416c9209c36a40905557e9ce9d05cde
Instruction Fuzzy Hash: 3F2160B5A00209AFDB10DF64DCD1EB737ADEB8A394B040059FA049B351CB30EC52CB61

Function 009995AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0099961D

Strings

#notrayicon, xrefs: 009995B7
#OnAutoItStartRegister, xrefs: 009995F3
#requireadmin, xrefs: 009995D9

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: b051219143c1ad623ab579f0dded56d235eec227b5de029aab018c5054264de2
Instruction ID: b74f8612304aa0acef74455284602dd0f323a5f4208b3d5e3b99845ddefe3179
Opcode Fuzzy Hash: b051219143c1ad623ab579f0dded56d235eec227b5de029aab018c5054264de2
Instruction Fuzzy Hash: 2221387210461166DB31AA2D9C16FB7B3AC9FD1314F10442EFD499B081EB55AD45C3D7

Function 009C37B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 009C3840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 009C3850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 009C3876

Strings

Listbox, xrefs: 009C380F

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: df9e7d6ec915a875fc65ba8cd6c39d9ce1a6c73be0887ed084abadc00fa370de
Instruction ID: a07aafeccdc5079286807460083a120f1127f0150d205a6635b985a53cf9bdb0
Opcode Fuzzy Hash: df9e7d6ec915a875fc65ba8cd6c39d9ce1a6c73be0887ed084abadc00fa370de
Instruction Fuzzy Hash: D5219272A10118BBEF119F55DC85FBB3B6EEF89754F11C118F9049B190C671DC528BA1

Function 009A49F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 009A4A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 009A4A5C
SetErrorMode.KERNEL32(00000000,?,?,009CCC08), ref: 009A4AD0

Strings

%lu, xrefs: 009A4A6F

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 93053901b53e9f9811393d5aaecd517f2578cd636c4b8494ba0979480925960d
Instruction ID: b5f523aa79b22648fe143936d726ee992f9ace1904a2a877bbfcb60e3e1168c5
Opcode Fuzzy Hash: 93053901b53e9f9811393d5aaecd517f2578cd636c4b8494ba0979480925960d
Instruction Fuzzy Hash: 25315375A04109AFDB10DF54C885FAA7BF8EF45308F1480A5F509DB252D771EE45CBA1

Function 009C41EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 009C424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 009C4264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 009C4271

Strings

msctls_trackbar32, xrefs: 009C4226

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: d9d4d4bd7252b2a40ccc020b136b636339d58c5d9f55be4107a2e1f851dc5028
Instruction ID: 3f99bfe559c6b414479af1f55e92fc2203983fa25ed8479a1d4ab69d757df523
Opcode Fuzzy Hash: d9d4d4bd7252b2a40ccc020b136b636339d58c5d9f55be4107a2e1f851dc5028
Instruction Fuzzy Hash: AF110631740208BFEF205F69CC46FAB3BACEF95B54F010518FA55E20A0D271DC619B20

Function 00992F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00936B57: _wcslen.LIBCMT ref: 00936B6A

Part of subcall function 00992DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00992DC5
Part of subcall function 00992DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00992DD6
Part of subcall function 00992DA7: GetCurrentThreadId.KERNEL32 ref: 00992DDD
Part of subcall function 00992DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00992DE4

GetFocus.USER32 ref: 00992F78

Part of subcall function 00992DEE: GetParent.USER32(00000000), ref: 00992DF9

GetClassNameW.USER32(?,?,00000100), ref: 00992FC3
EnumChildWindows.USER32(?,0099303B), ref: 00992FEB

Strings

%s%d, xrefs: 00992FFF

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 6125b948aa0b332ac97b7ec1acb73ebaa6af9cb566adcdbf7e8610f77a947576
Instruction ID: eaf04fcc1e8a42bbe8332d94e45b291eba717ea66bff32390f5c0872ccbdbf9f
Opcode Fuzzy Hash: 6125b948aa0b332ac97b7ec1acb73ebaa6af9cb566adcdbf7e8610f77a947576
Instruction Fuzzy Hash: 3D1184B16002056BCF147F789D99FED776AAFD4304F048075FA09AB292DE7099459B70

Function 009C5882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 009C58C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 009C58EE
DrawMenuBar.USER32(?), ref: 009C58FD

Strings

0, xrefs: 009C588F

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 8b07713cc7d8f177b9275b5d2cff10f733791c6dc3f5fd1df0dddce944177df5
Instruction ID: 8902851f75161cfead3d813c6ed55aceaf4fc570d5661fa7b395dd47c3f6ee96
Opcode Fuzzy Hash: 8b07713cc7d8f177b9275b5d2cff10f733791c6dc3f5fd1df0dddce944177df5
Instruction Fuzzy Hash: CB015B71914218EFDB219F11DC44FAFBBB8FB85361F108499F849D6161DB349A84EF22

Function 0098D3A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 0098D3BF
FreeLibrary.KERNEL32 ref: 0098D3E5

Strings

GetSystemWow64DirectoryW, xrefs: 0098D3B9
X64, xrefs: 0098D2A8

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 3013587201-2590602151
Opcode ID: 43db0f85d468b17063a5cb7ab6afb0c980c3ab5788d6cf36ca8b73fc27656983
Instruction ID: 70f19bda5ba7d192907489b4b35fb336fa6967b6e172dc9ac21aec585922291a
Opcode Fuzzy Hash: 43db0f85d468b17063a5cb7ab6afb0c980c3ab5788d6cf36ca8b73fc27656983
Instruction Fuzzy Hash: 77F0E5A1C4B621ABD77236219C54E69BB58AF10701B58895AF80AF63C4DB24CD408793

Function 0099007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e14b931e53045a5772125765b801fac0c07203e6e11cc41a78fac903c1b6039
Instruction ID: 0b9f028aa4530fb39e17ab3f414e7053824967dd36dacfcdb65c1313bc916e4f
Opcode Fuzzy Hash: 1e14b931e53045a5772125765b801fac0c07203e6e11cc41a78fac903c1b6039
Instruction Fuzzy Hash: 4BC13D75A0021AEFDB14CF98C894EAEB7B9FF88704F208598E525EB251D731DD41DB90

Function 00963E80 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00963F0B
__alldvrm.LIBCMT ref: 0096410C
__alldvrm.LIBCMT ref: 0096412E

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: 09ae61e61c859c540f1cb18dbed3bb4584288e9ce0591cd3150b0146bdfa67d2
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: CEA18E72E043969FEB25CF58C8917AEBFF8EF66350F15816DE5859B281C2388D81CB50

Function 009B342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 009B3459
CoUninitialize.OLE32 ref: 009B3463
VariantInit.OLEAUT32(?), ref: 009B346E
VariantClear.OLEAUT32(?), ref: 009B371B

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 29d8b0d8fbb9075d46307420f3565355e138a13b9eccc500499d8f47cb2970df
Instruction ID: c37cfd30890cb7ebf6d00760d18c67f7d0886ff97f283183cbe27edeb36bb6fc
Opcode Fuzzy Hash: 29d8b0d8fbb9075d46307420f3565355e138a13b9eccc500499d8f47cb2970df
Instruction Fuzzy Hash: 45A149756046049FCB14DF68C585B6AB7E5FF88724F048859F98A9B362DB30EE01CF91

Function 00990436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,009CFC08,?), ref: 009905F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,009CFC08,?), ref: 00990608
CLSIDFromProgID.OLE32(?,?,00000000,009CCC40,000000FF,?,00000000,00000800,00000000,?,009CFC08,?), ref: 0099062D
_memcmp.LIBVCRUNTIME ref: 0099064E

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 37149eab62694c91802e3d75be1c53423be625e41023c70051991f80ba92ea1d
Instruction ID: 58842f13c5b5bc3a8cccc13db2853492294b9c673ced6e4b0ee6886b72f7f81c
Opcode Fuzzy Hash: 37149eab62694c91802e3d75be1c53423be625e41023c70051991f80ba92ea1d
Instruction Fuzzy Hash: 3B81D675A00109AFCF04DF98C984EEEB7B9FF89315F204558F516AB250DB71AE06CB61

Function 009BA67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 009BA6AC
Process32FirstW.KERNEL32(00000000,?), ref: 009BA6BA

Part of subcall function 00939CB3: _wcslen.LIBCMT ref: 00939CBD

Process32NextW.KERNEL32(00000000,?), ref: 009BA79C
CloseHandle.KERNEL32(00000000), ref: 009BA7AB

Part of subcall function 0094CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00973303,?), ref: 0094CE8A

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 712e8efbc393ef886ab05b54e0207a4f3b9d9602613b07eb5e14ca736f26f1cb
Instruction ID: 40a048d5c3a80a37e2d6b330e654335bd2fc1fb74d3521acddb6bb068e898620
Opcode Fuzzy Hash: 712e8efbc393ef886ab05b54e0207a4f3b9d9602613b07eb5e14ca736f26f1cb
Instruction Fuzzy Hash: AE51F8B1508300AFD710EF25C986A6BBBE8FFC9754F40891DF59997261EB70E904CB92

Function 00971391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 009714C0

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 70e7fd1b05c885cca27def0d2ab5e5ae31f415105343c9766d4c7a3c61cc8482
Instruction ID: 659c427070642f356149990205a08776e45b6fadcf0d6e9b100978ad1462a74e
Opcode Fuzzy Hash: 70e7fd1b05c885cca27def0d2ab5e5ae31f415105343c9766d4c7a3c61cc8482
Instruction Fuzzy Hash: 8A415D73A00510ABDB25BBFD8C46BBE3AA9EFC1770F14C625F82DD72A1E63449415361

Function 009C6278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 009C62E2
ScreenToClient.USER32(?,?), ref: 009C6315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 009C6382

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 467942bcdc5e61acd09a5d27e739c1fdb61e6ddfd12b15733da3b2fe5e9c72da
Instruction ID: 0f19d8c9fb142f9f53b2bf9d331d78aec2418b7656eb1b1a323b5350473b3190
Opcode Fuzzy Hash: 467942bcdc5e61acd09a5d27e739c1fdb61e6ddfd12b15733da3b2fe5e9c72da
Instruction Fuzzy Hash: CA510874A00249AFDB10DF68D980EAE7BB9EB85360F10816DF8659B2A0D730AD81CB51

Function 009B1AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 009B1AFD
WSAGetLastError.WSOCK32 ref: 009B1B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 009B1B8A
WSAGetLastError.WSOCK32 ref: 009B1B94

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: bd8463fe4860d6530c0d9f06ec9f758d5c519c1e962f437729931a2b10e80b06
Instruction ID: ac24ed07b581c710964d37ea3ac2b3c9da24ab37823f15fa4503f3c104e0ebb8
Opcode Fuzzy Hash: bd8463fe4860d6530c0d9f06ec9f758d5c519c1e962f437729931a2b10e80b06
Instruction Fuzzy Hash: 3041D274600200AFE720AF24C886F6A7BE5AB84718F54C45CFA1A9F3D3D772DD418B90

Function 0096B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddab5de6aa2bb596895d1fc3cd006c172e05b92c48076bf3d6424949564b6882
Instruction ID: 3a878ec7d3fea290f5c473733bf8da7aeba0b7366c8a788d8dd36b886cd4a790
Opcode Fuzzy Hash: ddab5de6aa2bb596895d1fc3cd006c172e05b92c48076bf3d6424949564b6882
Instruction Fuzzy Hash: C6411972A00714BFD724AF38CC41BAABBEDEFC4720F10852AF556DB691E77199418780

Function 009A56D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 009A5783
GetLastError.KERNEL32(?,00000000), ref: 009A57A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 009A57CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 009A57FA

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 64a81e0662be86b6ab6b6b68fda1ddbaf86d5cb24907f0afbabe1f1037057baa
Instruction ID: 1fb3b39a9a24a21fca7fc2955f2a950ed01dd6c854fd310beefec29d575206a2
Opcode Fuzzy Hash: 64a81e0662be86b6ab6b6b68fda1ddbaf86d5cb24907f0afbabe1f1037057baa
Instruction Fuzzy Hash: FB411C79600610DFCB25DF55C444A19BBE5EF89320F198488F84AAB362CB34FD00CF91

Function 0096D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,00956D71,00000000,00000000,009582D9,?,009582D9,?,00000001,00956D71,8BE85006,00000001,009582D9,009582D9), ref: 0096D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0096D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0096D9AB
__freea.LIBCMT ref: 0096D9B4

Part of subcall function 00963820: RtlAllocateHeap.NTDLL(00000000,?,00A01444,?,0094FDF5,?,?,0093A976,00000010,00A01440,009313FC,?,009313C6,?,00931129), ref: 00963852

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 9aa08d618acc0c04fba7773bf59b45e241582f9334ced42885133cf7a4bd94ad
Instruction ID: d1a2faec3fcc2c06022756d1c36ef81044f073f0c9706610d892c260d8868fbd
Opcode Fuzzy Hash: 9aa08d618acc0c04fba7773bf59b45e241582f9334ced42885133cf7a4bd94ad
Instruction Fuzzy Hash: A431BE72E1220AABDF24DF65DC45EAF7BA9EB41710B054168FC18D7250EB35CD54CBA0

Function 009C52C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 009C5352
GetWindowLongW.USER32(?,000000F0), ref: 009C5375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 009C5382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 009C53A8

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: a5185e63d26debb7b5255cf3c4b5c07b1abcdfe0bf9044b2fad180abbc4aaeea
Instruction ID: 6d1bea7f0203fc75712935b53efee9fccea483b72ebe21093c1ef2684510401c
Opcode Fuzzy Hash: a5185e63d26debb7b5255cf3c4b5c07b1abcdfe0bf9044b2fad180abbc4aaeea
Instruction Fuzzy Hash: FA31D230E55A88EFEB309A54CC05FE87769AB043D0F59410AFA10961E2C7B4B9C0EB43

Function 0099AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 0099ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 0099AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 0099AC74
SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 0099ACC6

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 96e1a5c55e6bee39124d6b0903002c3df5f9c355ed6c35dccc81c68930c464ef
Instruction ID: f2e20a4575be60d3ff5c499a79073fbe6d1405d4d95b77090f0d053125ced3e3
Opcode Fuzzy Hash: 96e1a5c55e6bee39124d6b0903002c3df5f9c355ed6c35dccc81c68930c464ef
Instruction Fuzzy Hash: 0E311270A04218AFEF248B6D8C04BFA7BA9EB89311F04461AE4C59A1D0E379898197D2

Function 009C7674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 009C769A
GetWindowRect.USER32(?,?), ref: 009C7710
PtInRect.USER32(?,?,009C8B89), ref: 009C7720
MessageBeep.USER32(00000000), ref: 009C778C

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: f9341bd66e846a44cc306a349156f0d9be4a8d9de606f62d9e74edc25a68018d
Instruction ID: 992c8039ef9c36c0284cdbcb7b9b041ec7462a971eead0fd2a0a70f5eca04eba
Opcode Fuzzy Hash: f9341bd66e846a44cc306a349156f0d9be4a8d9de606f62d9e74edc25a68018d
Instruction Fuzzy Hash: 55417A34E092199FCB01CFA8C894FA9BBF9BB49354F1940ACE8149B261C730A942CF91

Function 009C16DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 009C16EB

Part of subcall function 00993A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00993A57
Part of subcall function 00993A3D: GetCurrentThreadId.KERNEL32 ref: 00993A5E
Part of subcall function 00993A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,009925B3), ref: 00993A65

GetCaretPos.USER32(?), ref: 009C16FF
ClientToScreen.USER32(00000000,?), ref: 009C174C
GetForegroundWindow.USER32 ref: 009C1752

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 0704dd2cae86bfcc6c488b65f6b2939c1788085e866aaa23c86b737e458eb842
Instruction ID: 325e7f6f008a316953f74136bc1ca3b17e6e64fc65260c3e4afb54e882ed6e23
Opcode Fuzzy Hash: 0704dd2cae86bfcc6c488b65f6b2939c1788085e866aaa23c86b737e458eb842
Instruction Fuzzy Hash: 96313EB5D04149AFCB04EFA9C881DAEBBFDEF89304B5080A9E415E7212D6319E45CFA1

Function 0099DF95 Relevance: 6.1, APIs: 4, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 00937620: _wcslen.LIBCMT ref: 00937625

_wcslen.LIBCMT ref: 0099DFCB
_wcslen.LIBCMT ref: 0099DFE2
_wcslen.LIBCMT ref: 0099E00D
GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 0099E018

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: _wcslen$ExtentPoint32Text
String ID:
API String ID: 3763101759-0
Opcode ID: 234f6a1cb64c8ca9c8c40d680b8e436fcaff9c701d8a827bc4e50681e3063356
Instruction ID: 03385f547a9bf52dcc65b4e0cea1e1ba001d60fad884706743739d1084a2a60c
Opcode Fuzzy Hash: 234f6a1cb64c8ca9c8c40d680b8e436fcaff9c701d8a827bc4e50681e3063356
Instruction Fuzzy Hash: 4321B271D01214AFCF20DFA8D982BAEB7F8EF85750F144065E805BB285D7709E41CBA1

Function 009C8FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00949BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00949BB2

GetCursorPos.USER32(?), ref: 009C9001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00987711,?,?,?,?,?), ref: 009C9016
GetCursorPos.USER32(?), ref: 009C905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00987711,?,?,?), ref: 009C9094

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 18435bd3650913547e05618c303cf6fd77dfad7dbad3e2aaea58f5a793c6e52f
Instruction ID: 9a18372fdcd5671196293891ac44d4f08a3b9cd027d1a900f36dad872f2ed19a
Opcode Fuzzy Hash: 18435bd3650913547e05618c303cf6fd77dfad7dbad3e2aaea58f5a793c6e52f
Instruction Fuzzy Hash: BD21A135A01018EFCB25CF94CC58FFA7BB9EF89350F044059F90547261C3359991EB61

Function 0099D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,009CCB68), ref: 0099D2FB
GetLastError.KERNEL32 ref: 0099D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 0099D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,009CCB68), ref: 0099D376

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: edcea0d21777bfb9657667a9fb9dc6c42ec1cec22fad39db405487f724071745
Instruction ID: b853814cfde0c921004812d41f973a5b3d99c28a0c37f91c23e2d235364ada1c
Opcode Fuzzy Hash: edcea0d21777bfb9657667a9fb9dc6c42ec1cec22fad39db405487f724071745
Instruction Fuzzy Hash: 1F218670509201DF8B10DF68C88296E7BE8EF96369F504A1DF499C72A1D731DD45CB93

Function 00991571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00991014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0099102A
Part of subcall function 00991014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00991036
Part of subcall function 00991014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00991045
Part of subcall function 00991014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0099104C
Part of subcall function 00991014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00991062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 009915BE
_memcmp.LIBVCRUNTIME ref: 009915E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00991617
HeapFree.KERNEL32(00000000), ref: 0099161E

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 766476283ffdc5a15ffde81e667a6ad40baac7551c7a6d6f7b19a83c8692e193
Instruction ID: 3ce6f2cc1f7b8b184171de16af48f49dba1ceb2aa6968bdd06791981cc220da7
Opcode Fuzzy Hash: 766476283ffdc5a15ffde81e667a6ad40baac7551c7a6d6f7b19a83c8692e193
Instruction Fuzzy Hash: 1E219A72E4410AEFDF04DFA9C945BEEB7B8FF84344F094459E445AB241E730AA45DBA0

Function 009C2782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 009C280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 009C2824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 009C2832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 009C2840

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: a47ebb26c6035a159983632da221ed331f72115f5b0745471d80b6dc7daf5460
Instruction ID: 3d20828a903170179a142ffff568efe4999c6ff5c737746a4674a605596ef8d3
Opcode Fuzzy Hash: a47ebb26c6035a159983632da221ed331f72115f5b0745471d80b6dc7daf5460
Instruction Fuzzy Hash: 5921D331A08611AFD714DB24C884FAA7B99AF85324F14815CF42ACB6E2CB75FC42CB91

Function 009978F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00998D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,0099790A,?,000000FF,?,00998754,00000000,?,0000001C,?,?), ref: 00998D8C
Part of subcall function 00998D7D: lstrcpyW.KERNEL32(00000000,?,?,0099790A,?,000000FF,?,00998754,00000000,?,0000001C,?,?,00000000), ref: 00998DB2
Part of subcall function 00998D7D: lstrcmpiW.KERNEL32(00000000,?,0099790A,?,000000FF,?,00998754,00000000,?,0000001C,?,?), ref: 00998DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00998754,00000000,?,0000001C,?,?,00000000), ref: 00997923
lstrcpyW.KERNEL32(00000000,?,?,00998754,00000000,?,0000001C,?,?,00000000), ref: 00997949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00998754,00000000,?,0000001C,?,?,00000000), ref: 00997984

Strings

cdecl, xrefs: 0099797B

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: b30546eb514e92093dbdf2b7f494b4ee057a2e335a9eaff15a0a8dfdd141bd46
Instruction ID: dd6c2e449bd39443ef5138e44c66012c3f492fc6ef3f15045d80ec428f219bc7
Opcode Fuzzy Hash: b30546eb514e92093dbdf2b7f494b4ee057a2e335a9eaff15a0a8dfdd141bd46
Instruction Fuzzy Hash: 6D11227A214302AFCF159F79D844E7BB7A9FF85390B10402AF906CB2A4EF319801D7A1

Function 009C7CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 009C7D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 009C7D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 009C7D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,009AB7AD,00000000), ref: 009C7D6B

Part of subcall function 00949BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00949BB2

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 067f03913983a3d6b97e4e24b565c7fbca3ecb8535049d1792f79e56254d14b1
Instruction ID: 4cb69dfbcc262d91ee3646861e586cd199def53506fa1fa6fdf470703f6fa88f
Opcode Fuzzy Hash: 067f03913983a3d6b97e4e24b565c7fbca3ecb8535049d1792f79e56254d14b1
Instruction Fuzzy Hash: 7F11A271918615AFCB109FA8DC04FA67BA9AF453A0F154728F83AC72F0D7309951DF50

Function 009C5660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 009C56BB
_wcslen.LIBCMT ref: 009C56CD
_wcslen.LIBCMT ref: 009C56D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 009C5816

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: 34e4236d14c214369fd424f9fd637cc4e65b56e019360d31ff4b78e8f3678c98
Instruction ID: b0cdf48eb6eda26bf6453d654a1cf85782b564ba4251a07dcbc87acc09274aff
Opcode Fuzzy Hash: 34e4236d14c214369fd424f9fd637cc4e65b56e019360d31ff4b78e8f3678c98
Instruction Fuzzy Hash: BE11E171E00608A6DF20DFA2CD85FEE77ACAF10764B50446EF905D6081E774AAC4CB62

Function 00961D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8dde75ab8579bf0cfb89e0af166d34a728fa3b06f2f9ebda00b77a5933b69f98
Instruction ID: bbe1c23966ec6fd46e11aa00147caf25e6985984e2218409a8c0a8c975f7d7bf
Opcode Fuzzy Hash: 8dde75ab8579bf0cfb89e0af166d34a728fa3b06f2f9ebda00b77a5933b69f98
Instruction Fuzzy Hash: 7601D1B2609A1A3FF7212AB86CD1F67671CDF817B8F380325F531A12D2DB608C006270

Function 00991A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00991A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00991A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00991A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00991A8A

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 68be01c31ecaf91efdd1a0ee585698464587721b50ed721ae9462e6f660031dc
Instruction ID: d7968ab9dc11b617c5cb485459d89e31d90c299e96e6f0f475b397205b9088d3
Opcode Fuzzy Hash: 68be01c31ecaf91efdd1a0ee585698464587721b50ed721ae9462e6f660031dc
Instruction Fuzzy Hash: 8F11FA7AD01219FFEF119BA9C985FADBB78FB04750F200091E604B7290D6716E50DB94

Function 0099E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0099E1FD
MessageBoxW.USER32(?,?,?,?), ref: 0099E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0099E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0099E24D

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 1d53300cefa9098994236b147a163bb52646042d005e32a619bf0454b3d26e74
Instruction ID: c31b62e576eff8c11f04f048d41f5e2ee8a697ac99f331c066e522e89c29c262
Opcode Fuzzy Hash: 1d53300cefa9098994236b147a163bb52646042d005e32a619bf0454b3d26e74
Instruction Fuzzy Hash: B111C8B6D08258BBCB01DBEC9C05EDE7FACEB45710F144255F924E7291D670890587A1

Function 0095D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,0095CFF9,00000000,00000004,00000000), ref: 0095D218
GetLastError.KERNEL32 ref: 0095D224
__dosmaperr.LIBCMT ref: 0095D22B
ResumeThread.KERNEL32(00000000), ref: 0095D249

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: 351d7955bae14a2606e266ebc981f4f4dbb67a76f668c758178fd5212bc45134
Instruction ID: 8cfc7eab2f2a90128c8cae938c1cf8aff503eaa203efecf7cfa9d4970924935b
Opcode Fuzzy Hash: 351d7955bae14a2606e266ebc981f4f4dbb67a76f668c758178fd5212bc45134
Instruction Fuzzy Hash: 8501D27680A204BBCB219BA7DC09BAE7E6DDFC1332F100219FD35961D0DB718909D7A0

Function 009C9EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00949BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00949BB2

GetClientRect.USER32(?,?), ref: 009C9F31
GetCursorPos.USER32(?), ref: 009C9F3B
ScreenToClient.USER32(?,?), ref: 009C9F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 009C9F7A

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 7e643efebe219269fb90e750c3d1486a96c40e9fe07c8e4f0df0cac89fd78eb1
Instruction ID: 6bfbb49a806ef5ec616e5373458cb0640260a14d4e65ef1f51da39e7c27caf5b
Opcode Fuzzy Hash: 7e643efebe219269fb90e750c3d1486a96c40e9fe07c8e4f0df0cac89fd78eb1
Instruction Fuzzy Hash: D211157291411AEBDB10DFA8D889EEE7BB9FB45311F400459F911E3151D730BE82DBA2

Function 0093600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0093604C
GetStockObject.GDI32(00000011), ref: 00936060
SendMessageW.USER32(00000000,00000030,00000000), ref: 0093606A

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 898191c891dfc1f1c11bd8daa5a4a33c5368cd72282281f405d13266380a5a22
Instruction ID: 7b3ae6e62e327ba2259278d49599d480d89cf3aa7b9d0a6ecf3860e122ba784c
Opcode Fuzzy Hash: 898191c891dfc1f1c11bd8daa5a4a33c5368cd72282281f405d13266380a5a22
Instruction Fuzzy Hash: 35116DB2506509BFEF168FA59C45EEABF6DEF093A4F044215FA1852110D736DC60EFA0

Function 00953B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00953B56

Part of subcall function 00953AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00953AD2
Part of subcall function 00953AA3: ___AdjustPointer.LIBCMT ref: 00953AED

_UnwindNestedFrames.LIBCMT ref: 00953B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00953B7C
CallCatchBlock.LIBVCRUNTIME ref: 00953BA4

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 4a22efc7ca4d54fac952fc4dfdf49e38e3c093de7606a7b64a0b482fed43b10c
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 5D014C32100148BBDF129E96CC42EEB3F6DEF88799F048014FE48A6121C732E965DBA0

Function 00963073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,009313C6,00000000,00000000,?,0096301A,009313C6,00000000,00000000,00000000,?,0096328B,00000006,FlsSetValue), ref: 009630A5
GetLastError.KERNEL32(?,0096301A,009313C6,00000000,00000000,00000000,?,0096328B,00000006,FlsSetValue,009D2290,FlsSetValue,00000000,00000364,?,00962E46), ref: 009630B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0096301A,009313C6,00000000,00000000,00000000,?,0096328B,00000006,FlsSetValue,009D2290,FlsSetValue,00000000), ref: 009630BF

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 1c6e96d191816f783408d27b5f5a7bdbeb40c6f0c6833495c2ab41636709ebcb
Instruction ID: 939b2df48fc2f87bfd5e5ab8ec7167749f8affe69ea23d3ef6ca0b5b159af603
Opcode Fuzzy Hash: 1c6e96d191816f783408d27b5f5a7bdbeb40c6f0c6833495c2ab41636709ebcb
Instruction Fuzzy Hash: 3A012B72755222ABCB314B79EC44E577B9CEF05BA1B108620F919E3140C731DD09C7E0

Function 00997464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 0099747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00997497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 009974AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 009974CA

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 2ce63fc0e8b5ff2245e5ca37df1453d1f84b399949422f0ee3bc55f1fea1ca9a
Instruction ID: bef10ecdba7ac7425737b67fbdd35ff45609ee7e5eab76591c8ef0031218dc3f
Opcode Fuzzy Hash: 2ce63fc0e8b5ff2245e5ca37df1453d1f84b399949422f0ee3bc55f1fea1ca9a
Instruction Fuzzy Hash: 7711C4B16193149FEB208F98DC08F92BFFDEF00B00F108969E61AD6162DB74E904DB90

Function 0099B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0099ACD3,?,00008000), ref: 0099B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0099ACD3,?,00008000), ref: 0099B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0099ACD3,?,00008000), ref: 0099B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0099ACD3,?,00008000), ref: 0099B126

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: fd608482660757398f4952d22e56bfac23f42bcbb574ae573d256e9ae22a1c9e
Instruction ID: 19f533ca36e056641c48064606a73d6e2c6d14285b79ca0d80ab4923a7752f1a
Opcode Fuzzy Hash: fd608482660757398f4952d22e56bfac23f42bcbb574ae573d256e9ae22a1c9e
Instruction Fuzzy Hash: CE11AD70C0862CEBCF10AFE9EAA8AEEBF78FF49310F014085D941B2185CB384650DB91

Function 009C7E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 009C7E33
ScreenToClient.USER32(?,?), ref: 009C7E4B
ScreenToClient.USER32(?,?), ref: 009C7E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 009C7E8A

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: e3cba0db39337b923d6bb45f709545416b795de352252630cd2ba0311a8e4cad
Instruction ID: 37f1f2223a7af531f39bfe4549bfe5289881fdf5e28e4814164ddbaf68217512
Opcode Fuzzy Hash: e3cba0db39337b923d6bb45f709545416b795de352252630cd2ba0311a8e4cad
Instruction Fuzzy Hash: 831156B9D0420AAFDB41CF98C984AEEBBF9FF08310F505056E915E3210D735AA55DF51

Function 00992DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00992DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00992DD6
GetCurrentThreadId.KERNEL32 ref: 00992DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00992DE4

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 8dab3f46cf05f1cc3a569c8e1173c733c7d018b4c4340d106bcb504b681cb56d
Instruction ID: bd60893a2ee5ad41730e0c85979f095bcf1c3c9db3751211762671c48a558030
Opcode Fuzzy Hash: 8dab3f46cf05f1cc3a569c8e1173c733c7d018b4c4340d106bcb504b681cb56d
Instruction Fuzzy Hash: 2DE092B19192247BDB201B779D0DFEB3E6CEF52BA1F010015F10AD10809AA4C841D7B0

Function 009C8863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00949639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00949693
Part of subcall function 00949639: SelectObject.GDI32(?,00000000), ref: 009496A2
Part of subcall function 00949639: BeginPath.GDI32(?), ref: 009496B9
Part of subcall function 00949639: SelectObject.GDI32(?,00000000), ref: 009496E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 009C8887
LineTo.GDI32(?,?,?), ref: 009C8894
EndPath.GDI32(?), ref: 009C88A4
StrokePath.GDI32(?), ref: 009C88B2

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 709a1fcdfa0a4612c6d3f8573b7de37092f089cf6f2b607aa134bb8b48903c72
Instruction ID: 69432b3417e5269e208fa1876845fd079b3f7e167b584a546d1812bbd43324d0
Opcode Fuzzy Hash: 709a1fcdfa0a4612c6d3f8573b7de37092f089cf6f2b607aa134bb8b48903c72
Instruction Fuzzy Hash: 65F0BE36409218FADF129F94AC09FCE3F19AF06310F448004FA21610E1C7741512DFE6

Function 009498B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 009498CC
SetTextColor.GDI32(?,?), ref: 009498D6
SetBkMode.GDI32(?,00000001), ref: 009498E9
GetStockObject.GDI32(00000005), ref: 009498F1

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: d0439afbab731ca509e68ea52486b579705e0661dfe728c2e6e746ae293748c8
Instruction ID: c4c85e29f21694b9ba58f9e9da71ceaf1882ca501d32f6a00b03366cc8a4fb61
Opcode Fuzzy Hash: d0439afbab731ca509e68ea52486b579705e0661dfe728c2e6e746ae293748c8
Instruction Fuzzy Hash: EDE09B71A5C280AEDB215B75FC09FE97F15EB11335F188219F6FD540E1C3718640AB10

Function 0099162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00991634
OpenThreadToken.ADVAPI32(00000000,?,?,?,009911D9), ref: 0099163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,009911D9), ref: 00991648
OpenProcessToken.ADVAPI32(00000000,?,?,?,009911D9), ref: 0099164F

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: d60405056e2a79cb0dcb32562670160a758315004d326735422838deeaad2ade
Instruction ID: 08a586a6e831c264d3ec2c8cc3009d0a65e40e43b7d8b40a1d59b2a984295436
Opcode Fuzzy Hash: d60405056e2a79cb0dcb32562670160a758315004d326735422838deeaad2ade
Instruction Fuzzy Hash: 74E086B1E15211DBDB201FA4AD0DF463F7CBF44791F184808F249D9080D7348441D750

Function 0098D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0098D858
GetDC.USER32(00000000), ref: 0098D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0098D882
ReleaseDC.USER32(?), ref: 0098D8A3

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 807594fde8449a3515243f23e4d93dae5f852ac25643d4b747263c598e722f92
Instruction ID: 86cddcbebc020e1c04019af38642e730d356d2c6f7be802fc9de494296cd7603
Opcode Fuzzy Hash: 807594fde8449a3515243f23e4d93dae5f852ac25643d4b747263c598e722f92
Instruction Fuzzy Hash: C1E01AF4C14205DFCF41AFA0DA0CA6DBFB1FB08310F148409E84AE7250C7389902AF40

Function 0098D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0098D86C
GetDC.USER32(00000000), ref: 0098D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0098D882
ReleaseDC.USER32(?), ref: 0098D8A3

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 949491cb275fd4e9588cab37c0f56bd8978a9f1fd07d415e77c7466ad4c3f205
Instruction ID: fbb6cafef3fb4597e2621addf303554a0cf34b44e45f3f5968806f9681b620c9
Opcode Fuzzy Hash: 949491cb275fd4e9588cab37c0f56bd8978a9f1fd07d415e77c7466ad4c3f205
Instruction Fuzzy Hash: 9BE092B5C18605EFCF51AFA0DA0CA6DBFB5BB48311F148449E94AE7250CB399902AF50

Function 009A4D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00937620: _wcslen.LIBCMT ref: 00937625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 009A4ED4

Strings

LPT, xrefs: 009A4DFB
*, xrefs: 009A4E10

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 775d648278a7489bda1a4edaaf23a21a086499f840b93d6ab859c185e933ab02
Instruction ID: c10fbb3a543466c8b0d53489373bd215ed0485204ac5f37de9e8356a575623d4
Opcode Fuzzy Hash: 775d648278a7489bda1a4edaaf23a21a086499f840b93d6ab859c185e933ab02
Instruction Fuzzy Hash: 01914F75A002049FCB14DF58C485EAABBF5BF89308F198099E80A9F362D775ED85CF91

Function 0095E27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0095E30D

Strings

pow, xrefs: 0095E2E5, 0095E302

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 4b27c22e0f147347331c8e8f0837589319ab0946960a7f918d4017781dce5577
Instruction ID: d626e58f4c99010729be8f808943e16d6b2ecdc14dd3c04b722a51e4de180614
Opcode Fuzzy Hash: 4b27c22e0f147347331c8e8f0837589319ab0946960a7f918d4017781dce5577
Instruction Fuzzy Hash: 9951AE61A1C20296CB1AF759CD01379BB9C9B50746F304D99E8D6432F8EB378DCD9B42

Function 0094E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 0094E1B1

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 9ba118f5e6aa7a75e73b6b232290a1660a3523160b4dc18f05a80dfae470cdbb
Instruction ID: a533d9f8a7a6885b8b913c489fa23c601377655a5347d1f66e8b35b462a048c8
Opcode Fuzzy Hash: 9ba118f5e6aa7a75e73b6b232290a1660a3523160b4dc18f05a80dfae470cdbb
Instruction Fuzzy Hash: 5F513575A08246DFDB15EF28C4A1AFA7BA8FF55310F248059ECA19B3D0D7749D42CBA0

Function 0094F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0094F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 0094F2BB

Strings

@, xrefs: 0094F2AF

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 7445afee7ac7c6d90110fd1110abf1df9d74b86886acca4f51522ff0e506ced8
Instruction ID: e9ca09ab8416bc50e8959885da5f30fab7a3a48e877e5794930679e3d1b6d9c3
Opcode Fuzzy Hash: 7445afee7ac7c6d90110fd1110abf1df9d74b86886acca4f51522ff0e506ced8
Instruction Fuzzy Hash: 7C5104B141C7489BD320AF50D886BAFBBF8FBC4300F81885DF199511A5EB719929CB67

Function 009B5745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 009B57E0
_wcslen.LIBCMT ref: 009B57EC

Strings

CALLARGARRAY, xrefs: 009B57E6, 009B57EB

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 94ff7585d67badffd70f45a0684aab9414143682f971e8cebd03b61459cc0a54
Instruction ID: f3d4caf2a11fc08fc1815948e5232f3c3dc81d1d8f4d3f0f524ed28024b42c6b
Opcode Fuzzy Hash: 94ff7585d67badffd70f45a0684aab9414143682f971e8cebd03b61459cc0a54
Instruction Fuzzy Hash: 2541AE71E002099FCB14DFA9C982AFEBBF9FF99324F154029E505A7261E7349D81CB90

Function 009AD0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 009AD130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 009AD13A

Strings

|, xrefs: 009AD10B

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 6779c87e699e1b13b2fa964917e84c1bd0fdd2498e7b137461ed2e2cee53b4a6
Instruction ID: 18cf6058e1895fce5b1b73afdeb3d707a862d15ae19e4de86891e2fea408b900
Opcode Fuzzy Hash: 6779c87e699e1b13b2fa964917e84c1bd0fdd2498e7b137461ed2e2cee53b4a6
Instruction Fuzzy Hash: FC312C71D01209ABCF15EFA5CC85AEEBFBAFF4A300F004019F819A6161D735AA56DF90

Function 009C356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 009C3621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 009C365C

Strings

static, xrefs: 009C35BC

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: ec48bc854bf15fc52b44aaaf929061252f34e9f89463d02ea6c2ad75382afb94
Instruction ID: 664f7df58026c59d732265dc6c1405ce3b4672f2cc6847e511ce67343666f569
Opcode Fuzzy Hash: ec48bc854bf15fc52b44aaaf929061252f34e9f89463d02ea6c2ad75382afb94
Instruction Fuzzy Hash: C6317871910604AADB109F68D881FFB77ADEF88724F00D61DF9A997280DA31AD81DB61

Function 009C4537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 009C461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 009C4634

Strings

', xrefs: 009C458E

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 48dbbd6a1a15648636795d570c41693f27f942c63993522925914e96579b7c8a
Instruction ID: 2af20b94f969436dc9d3f017c1bcf05133f041e992c01038aab90143c1752e82
Opcode Fuzzy Hash: 48dbbd6a1a15648636795d570c41693f27f942c63993522925914e96579b7c8a
Instruction Fuzzy Hash: 75310674F0124A9FDB14CFA9C9A0FEABBB9FB49300F14406AE905AB355D770A941CF91

Function 009C31EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 009C327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 009C3287

Strings

Combobox, xrefs: 009C3249

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: bb2799ee56615638f3b03db4a3b7c73f1aba710bb191326ab12755014e3c69c5
Instruction ID: d1a748cf0e6b2d1ae8b2d2a760b49cd096ff8e2693bd47a22d21e045b60ccc79
Opcode Fuzzy Hash: bb2799ee56615638f3b03db4a3b7c73f1aba710bb191326ab12755014e3c69c5
Instruction Fuzzy Hash: 6011E271B002087FEF219E94DC80FBB3B6EEB98364F10C128F92897290D6319D518B61

Function 009C3710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0093600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0093604C
Part of subcall function 0093600E: GetStockObject.GDI32(00000011), ref: 00936060
Part of subcall function 0093600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0093606A

GetWindowRect.USER32(00000000,?), ref: 009C377A
GetSysColor.USER32(00000012), ref: 009C3794

Strings

static, xrefs: 009C3757

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 5eca0a0601a7f9b7840933b6cb6c41531181482ee59eb5910e24459a72ed0155
Instruction ID: 6b79b1e17ca0fd64a79b52242c9d61dd04852e453146ff2ea70243786e323489
Opcode Fuzzy Hash: 5eca0a0601a7f9b7840933b6cb6c41531181482ee59eb5910e24459a72ed0155
Instruction Fuzzy Hash: E3113AB2A10209AFDF01DFA8CC46EEA7BF8FB08314F008918F955E2250D735E951DB51

Function 009ACD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 009ACD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 009ACDA6

Strings

<local>, xrefs: 009ACD66

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: fbf83807c4e36da04f1e68bb369580ab696452c4efabe66e9b9406dabb0f464a
Instruction ID: 451510f2cc07c9886534c4e4874f1bc208e4ebaba41951371057121f1bca5e91
Opcode Fuzzy Hash: fbf83807c4e36da04f1e68bb369580ab696452c4efabe66e9b9406dabb0f464a
Instruction Fuzzy Hash: E011CEF1615636BAD7384B668C89EF7BEACEF137A4F00462AB1199B1C0D7749840D6F0

Function 009C3429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 009C34AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 009C34BA

Strings

edit, xrefs: 009C348F

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 47ece43756804b1d6f37d9a0ca8227212f915e39901af0568fd5b68442476400
Instruction ID: 272ca286632317d24f53c71959fdefd9266f349cb6d400de9a34a86fa044f184
Opcode Fuzzy Hash: 47ece43756804b1d6f37d9a0ca8227212f915e39901af0568fd5b68442476400
Instruction Fuzzy Hash: 2B119A71900208AAEB168F64DC80FEB3BAEEB45378F50C728F964931E0C731DD519B62

Function 00996C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00939CB3: _wcslen.LIBCMT ref: 00939CBD

CharUpperBuffW.USER32(?,?,?), ref: 00996CB6
_wcslen.LIBCMT ref: 00996CC2

Strings

STOP, xrefs: 00996CBC, 00996CC1

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 3a8a427b3a4bf280934021bd59a3a44cabe3ccf00e24752381e6d1b208d37932
Instruction ID: fe1747479321e29c991d5ee3922c925f321bd2bac8635263a2ba9cdf3457a27b
Opcode Fuzzy Hash: 3a8a427b3a4bf280934021bd59a3a44cabe3ccf00e24752381e6d1b208d37932
Instruction Fuzzy Hash: C2010432A145268BCF219FBDDC80ABF37A8EBA0710B010924F9A296190FB31E840C750

Function 00991CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00939CB3: _wcslen.LIBCMT ref: 00939CBD

Part of subcall function 00993CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00993CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00991D4C

Strings

ComboBox, xrefs: 00991CEB
ListBox, xrefs: 00991D16

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 1512fede2799986f2573916c42bbb42ef6b8e7a5fa2cd5269f395b6121f31ba5
Instruction ID: 842de6a4a7c561e55b07b282992f6d81980dd52f81f45530393b62976f29e287
Opcode Fuzzy Hash: 1512fede2799986f2573916c42bbb42ef6b8e7a5fa2cd5269f395b6121f31ba5
Instruction Fuzzy Hash: 6C01D871601219AB8F08EFA8CD55EFE77A8FF86350F040919F866572C1EA705908CB60

Function 00991BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00939CB3: _wcslen.LIBCMT ref: 00939CBD

Part of subcall function 00993CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00993CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00991C46

Strings

ComboBox, xrefs: 00991BE5
ListBox, xrefs: 00991C10

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 88f7131002980970d7516154b89f2fdeadcd4b3358f6a210b4491528877c75bb
Instruction ID: 05af725c1727afa8f9d050f09905c68ebe6c0a6a31c465bcc5c9247b1ad416c8
Opcode Fuzzy Hash: 88f7131002980970d7516154b89f2fdeadcd4b3358f6a210b4491528877c75bb
Instruction Fuzzy Hash: BA01A775A8510967CF05EB94CA52FFF77ACAF91340F140019B99667281FA649E08C7B1

Function 00991C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00939CB3: _wcslen.LIBCMT ref: 00939CBD

Part of subcall function 00993CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00993CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00991CC8

Strings

ComboBox, xrefs: 00991C69
ListBox, xrefs: 00991C94

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: bec6f4c0915140ba4987db39ecaf4d1a207e20a189326d9b1907a211e78d6f5e
Instruction ID: 63d37abfc3890ca828481101dcb9070a913634ed00b152e0309b85030d24344f
Opcode Fuzzy Hash: bec6f4c0915140ba4987db39ecaf4d1a207e20a189326d9b1907a211e78d6f5e
Instruction Fuzzy Hash: 5401D6B5A8011967CF04EBA8CB01FFE77ECAB91340F540415B986B3281FAA19F08C671

Function 00991D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00939CB3: _wcslen.LIBCMT ref: 00939CBD

Part of subcall function 00993CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00993CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00991DD3

Strings

ComboBox, xrefs: 00991D75
ListBox, xrefs: 00991DA0

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 0ca57494f4e428df6666c2720652a41f548bf0ebc5602ac0747c2dec8f557892
Instruction ID: b465c70da85d05358762d7bf0cd5be5237acaa57f0b7a9e7dc447d5b778f0493
Opcode Fuzzy Hash: 0ca57494f4e428df6666c2720652a41f548bf0ebc5602ac0747c2dec8f557892
Instruction Fuzzy Hash: AAF0C875B5121967DF04FBA8CD52FFF77BCBF81350F040915F966A72C1EAA059088660

Function 009B747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 009B7493
_wcslen.LIBCMT ref: 009B74B9

Strings

3, 3, 16, 1, xrefs: 009B7483

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: 11e8a8f11e00e98def3571d22245c616f91da413620ad70d88ac99dd3a572c46
Instruction ID: 3698d26eee9d5fbd167a76efec35466392adcb459dbb9fc6abb4bf1ee9ed477a
Opcode Fuzzy Hash: 11e8a8f11e00e98def3571d22245c616f91da413620ad70d88ac99dd3a572c46
Instruction Fuzzy Hash: F2E0230160421010527112F7ADC27BFE68FCFC57B27101417FD41C1276D6948DD153A1

Function 00990B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00990B23

Strings

AutoIt, xrefs: 00990B17
Error allocating memory., xrefs: 00990B1C

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 56b9b1c68f24d2ddbe91cc547a6e4795403868cad8451e17a6f8f37792c75848
Instruction ID: ac0d9a24f6af02bafdea127ad809431aeb5d5dd2c9978348171d32ea3f343908
Opcode Fuzzy Hash: 56b9b1c68f24d2ddbe91cc547a6e4795403868cad8451e17a6f8f37792c75848
Instruction Fuzzy Hash: 69E0D8316843083AD61436547C03FC97E848F45B15F10042AFB9C554C38AE1249016A9

Function 00950D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0094F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00950D71,?,?,?,0093100A), ref: 0094F7CE

IsDebuggerPresent.KERNEL32(?,?,?,0093100A), ref: 00950D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0093100A), ref: 00950D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00950D7F

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: c5546cadf29abaa3d9e8a278d37a9e7f68d47e1982c01bc8c609cee6ac8725a7
Instruction ID: ec5ebe480e5a3107e3414c8d965c0f91a55e4b5f122140d15d42049894983064
Opcode Fuzzy Hash: c5546cadf29abaa3d9e8a278d37a9e7f68d47e1982c01bc8c609cee6ac8725a7
Instruction Fuzzy Hash: 94E092B06003418BD370DFB9D414B467BF4AF44745F004D2DE896C7691DBB4E449CBA2

Function 009A3017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 009A302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 009A3044

Strings

aut, xrefs: 009A3038

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 93078e588e6e2fa275f5a1422e345749edd9abd863f71319dd56e9051d18bb7c
Instruction ID: 733cd4d3e6d19c1ceb3976d1ad00659eb3f45a07ff2fe8562d19f45546c0a508
Opcode Fuzzy Hash: 93078e588e6e2fa275f5a1422e345749edd9abd863f71319dd56e9051d18bb7c
Instruction Fuzzy Hash: 1BD05EB290032877DA20E7A4AC0EFDB3E6CDB04750F4002A1B669E2095DAB0D984CBE0

Function 0098D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0098D220

Strings

%.3d, xrefs: 0098D22B
X64, xrefs: 0098D2A8

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 8804ea9416ad6ae36bcde7fbb8fe156f2896021c90a9ad0f6cd12f4c2de35319
Instruction ID: a06d23e2df49ddcf3ef0a5821520e6d39fd681687f888945b24e29e511e00119
Opcode Fuzzy Hash: 8804ea9416ad6ae36bcde7fbb8fe156f2896021c90a9ad0f6cd12f4c2de35319
Instruction Fuzzy Hash: 6ED012A1C0A109F9CB50A6D0DC49DB9B37CEB48301F508852F92AA2180D62CD508A761

Function 009C2322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 009C232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 009C233F

Part of subcall function 0099E97B: Sleep.KERNEL32 ref: 0099E9F3

Strings

Shell_TrayWnd, xrefs: 009C2325

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 642522ec0f933d851ebcd24f82a1744b3fc522816292fd7ee34045ed796319f6
Instruction ID: 0d6711ff2bfd95b10dfe4fa18974926d0dd8a07d902e24df520777ff7768b546
Opcode Fuzzy Hash: 642522ec0f933d851ebcd24f82a1744b3fc522816292fd7ee34045ed796319f6
Instruction Fuzzy Hash: E7D01276BA8350B7E764B771DD0FFD67E189B40B14F00491AB74AEA1D0C9F4A801DB54

Function 009C2356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 009C236C
PostMessageW.USER32(00000000), ref: 009C2373

Part of subcall function 0099E97B: Sleep.KERNEL32 ref: 0099E9F3

Strings

Shell_TrayWnd, xrefs: 009C2365

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: aaba6563299a803c89bceeaa47002053e8b1d821f590227ea5942a8c2731aac4
Instruction ID: 52ade3d050137ea62f11260829fbbf9a6de06d4d7e5a88e1c82e670d4b955c78
Opcode Fuzzy Hash: aaba6563299a803c89bceeaa47002053e8b1d821f590227ea5942a8c2731aac4
Instruction Fuzzy Hash: CAD0C972B993507AE664B7719D0FFC66A189B44B14F00491AB74AEA1D0C9A4A8019B58

Function 0096BDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 0096BE93
GetLastError.KERNEL32 ref: 0096BEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0096BEFC

Memory Dump Source

Source File: 00000000.00000002.2135342156.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2135306147.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135461400.00000000009F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135545906.00000000009FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135583395.0000000000A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 22143df26d108c4f7c8b98f1b7685c4a3545f4900c11fe1cce9651affc3e6699
Instruction ID: 7ba38d488b2043a4b6cd3eb8f0bf8482b57810fe4565d08751feebba6575aa77
Opcode Fuzzy Hash: 22143df26d108c4f7c8b98f1b7685c4a3545f4900c11fe1cce9651affc3e6699
Instruction Fuzzy Hash: C041F735604206AFCF219FA5CC54BBA7BA9EF41320F144169F959DB1B1FB318D81DBA0

Source: Joe Sandbox View	IP Address: 34.149.100.209 34.149.100.209
Source: Joe Sandbox View	IP Address: 151.101.129.91 151.101.129.91
Source: Joe Sandbox View	IP Address: 34.117.188.166 34.117.188.166

Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache

Source: firefox.exe, 0000000E.00000003.2310928562.0000021687070000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2276955606.0000021687533000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2289492871.0000021687464000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2136897402.00000216834C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2276955606.0000021687533000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2289492871.0000021687464000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2136897402.00000216834C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2304023885.000002167C1DE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2300862319.000002167D5C6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2328884251.000002167C4D9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2299525662.00000216871C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2138496956.000002167C267000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: SSF_updateSessionStoreForStoragehttps://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2303548547.000002167C4FD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2303548547.000002167C4FD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2326042750.000002167DA76000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://vk.com/,https://www.youtube.com/,https://ok.ru/,https://www.avito.ru/,https://www.aliexpress.com/,https://www.wikipedia.org/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2276955606.0000021687533000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2289492871.0000021687464000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2136897402.00000216834C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2276955606.0000021687533000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2289492871.0000021687464000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2136897402.00000216834C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2326042750.000002167DA76000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2326042750.000002167DA76000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2326042750.000002167DA76000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2326042750.000002167DA76000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.2326042750.000002167DA76000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2326042750.000002167DA76000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2326042750.000002167DA76000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2326042750.000002167DA76000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2326042750.000002167DA76000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2326042750.000002167DA76000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2326042750.000002167DA76000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.2326042750.000002167DA76000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2326042750.000002167DA76000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2326042750.000002167DA76000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.2326042750.000002167DA76000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2326042750.000002167DA76000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2326042750.000002167DA76000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.2326042750.000002167DA76000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2326042750.000002167DA76000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2271346820.000002167ED8F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3331774996.00000203D7803000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2326042750.000002167DA76000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2271346820.000002167ED8F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3331774996.00000203D7803000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.2326042750.000002167DA76000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2271346820.000002167ED8F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3331774996.00000203D7803000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000011.00000002.3331774996.00000203D7803000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/h equals www.facebook.com (Facebook)
Source: firefox.exe, 00000011.00000002.3331774996.00000203D7803000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/h equals www.twitter.com (Twitter)
Source: firefox.exe, 00000011.00000002.3331774996.00000203D7803000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/h equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2304023885.000002167C1DE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2280622229.000002168539E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2323572814.00000216853A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2299525662.00000216871C7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2329636626.000002167C437000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2280622229.000002168539E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2323572814.00000216853A2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2312088697.000002168539E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com- equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2304023885.000002167C1DE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2304023885.000002167C1A8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2303548547.000002167C4DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: x://www.facebook.com/platform/impression.php equals www.facebook.com (Facebook)

Source: global traffic	DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic	DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic	DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: example.org
Source: global traffic	DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic	DNS traffic detected: DNS query: shavar.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: push.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: firefox.settings.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: telemetry-incoming.r53-2.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.remote-settings.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: support.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: us-west1.prod.sumo.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.facebook.com
Source: global traffic	DNS traffic detected: DNS query: www.wikipedia.org
Source: global traffic	DNS traffic detected: DNS query: dyna.wikimedia.org
Source: global traffic	DNS traffic detected: DNS query: star-mini.c10r.facebook.com
Source: global traffic	DNS traffic detected: DNS query: youtube-ui.l.google.com
Source: global traffic	DNS traffic detected: DNS query: www.reddit.com
Source: global traffic	DNS traffic detected: DNS query: twitter.com
Source: global traffic	DNS traffic detected: DNS query: reddit.map.fastly.net
Source: global traffic	DNS traffic detected: DNS query: services.addons.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: normandy.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: normandy-cdn.services.mozilla.com

Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.5:49719 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49729 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49841 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:49843 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.129.91:443 -> 192.168.2.5:49844 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.129.91:443 -> 192.168.2.5:49844 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49853 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:49850 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49852 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49851 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:49854 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:50012 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:50013 version: TLS 1.2

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown	Network traffic detected: HTTP traffic on port 50013 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49842 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50012
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50013
Source: unknown	Network traffic detected: HTTP traffic on port 49852 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49845 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49841 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49854
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50029
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49853
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49852
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49851
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49850
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49851 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 50029 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49845
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49844
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49843
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49842
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49841
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49844 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49854 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49850 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49956 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49839
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49956
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50012 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49839 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49843 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49853 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_6717216f-15e1-441b-b447-0b872ed68b3e.json (copy)

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_6717216f-15e1-441b-b447-0b872ed68b3e.json.tmp

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

C:\Users\user\AppData\Local\Temp\tmpaddon

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\ExperimentStoreData.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\ExperimentStoreData.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addonStartup.json.lz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addonStartup.json.lz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addons.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addons.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\content-prefs.sqlite

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\store.json.mozlz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\store.json.mozlz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\extensions.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\extensions.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\favicons.sqlite-shm

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Windows Analysis Report
file.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre