Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1544263
MD5:	58d65fe21880b28f30ed2e6ec0d16eae
SHA1:	978c517eaf063363c607e651317e7c09bc554659
SHA256:	53e399faf43ee7f53407cbab419be8c08e2aeda88c1e014901451598a5dcd5a7
Tags:	exeuser-Bitsight
Infos:

Detection

Credential Flusher

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Credential Flusher

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found stalling execution ending in API Sleep call

Machine Learning detection for sample

Connects to many different domains

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

OS version to string mapping found (often used in BOTs)

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

file.exe (PID: 7408 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 58D65FE21880B28F30ED2E6EC0D16EAE)

taskkill.exe (PID: 7424 cmdline: taskkill /F /IM firefox.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7432 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7524 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7532 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7588 cmdline: taskkill /F /IM msedge.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7596 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7648 cmdline: taskkill /F /IM opera.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7656 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7708 cmdline: taskkill /F /IM brave.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7716 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

firefox.exe (PID: 7772 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7808 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7824 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 8072 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2296 -parentBuildID 20230927232528 -prefsHandle 2240 -prefMapHandle 2224 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {24840072-f694-4f48-95a1-da79ede47ec3} 7824 "\\.\pipe\gecko-crash-server-pipe.7824" 1dc27c6e310 socket MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7452 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4088 -parentBuildID 20230927232528 -prefsHandle 3944 -prefMapHandle 3940 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {38509e27-cf62-4645-91ed-874a587441d6} 7824 "\\.\pipe\gecko-crash-server-pipe.7824" 1dc39da2e10 rdd MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 5568 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5296 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5196 -prefMapHandle 5344 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1b434bde-b94a-4a39-974d-2f8b7ed056e3} 7824 "\\.\pipe\gecko-crash-server-pipe.7824" 1dc4178a710 utility MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: file.exe PID: 7408	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security

Code function: 0_2_00EBEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00EBEAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00EBED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00EBED6A

Source: C:\Users\user\Desktop\file.exe

0_2_00EBEAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00EAAA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_00EAAA57

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00ED9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00ED9576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000000.1756110001.0000000000F02000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_a7f4ba30-5
Source: file.exe, 00000000.00000000.1756110001.0000000000F02000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_8f348b1f-8
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_2780dbe6-c
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_1e834687-d

Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_000001D26A6FA0F7 NtQuerySystemInformation,		16_2_000001D26A6FA0F7
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_000001D26A813EF2 NtQuerySystemInformation,		16_2_000001D26A813EF2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00EAD5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_00EAD5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00EA1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00EA1201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00EAE8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_00EAE8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E48060	0_2_00E48060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EB2046	0_2_00EB2046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EA8298	0_2_00EA8298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E7E4FF	0_2_00E7E4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E7676B	0_2_00E7676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00ED4873	0_2_00ED4873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E4CAF0	0_2_00E4CAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E6CAA0	0_2_00E6CAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E5CC39	0_2_00E5CC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E76DD9	0_2_00E76DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E5D071	0_2_00E5D071
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E491C0	0_2_00E491C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E5B119	0_2_00E5B119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E61394	0_2_00E61394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E61706	0_2_00E61706
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E6781B	0_2_00E6781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E619B0	0_2_00E619B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E5997D	0_2_00E5997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E47920	0_2_00E47920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E67A4A	0_2_00E67A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E67CA7	0_2_00E67CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E61C77	0_2_00E61C77
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E79EEE	0_2_00E79EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00ECBE44	0_2_00ECBE44
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E61F32	0_2_00E61F32
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_000001D26A6FA0F7	16_2_000001D26A6FA0F7
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_000001D26A813EF2	16_2_000001D26A813EF2
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_000001D26A813F32	16_2_000001D26A813F32
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_000001D26A81461C	16_2_000001D26A81461C

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00E5F9F2 appears 31 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00E60A30 appears 46 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal72.troj.evad.winEXE@34/34@68/12

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00EB37B5 GetLastError,FormatMessageW,

0_2_00EB37B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EA10BF AdjustTokenPrivileges,CloseHandle,		0_2_00EA10BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EA16C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00EA16C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00EB51CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00EB51CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00EAD4DC CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_00EAD4DC

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00EB648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_00EB648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00E442A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00E442A2

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Mozilla\Firefox\SkeletonUILock-c388d246

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7596:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7716:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7432:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7656:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7532:120:WilError_03

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Temp\firefox

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: firefox.exe, 0000000D.00000003.2010900178.000001DC38F05000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: SELECT sum(count) FROM events;

Source: file.exe	ReversingLabs: Detection: 47%
Source: file.exe	Virustotal: Detection: 41%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2296 -parentBuildID 20230927232528 -prefsHandle 2240 -prefMapHandle 2224 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {24840072-f694-4f48-95a1-da79ede47ec3} 7824 "\\.\pipe\gecko-crash-server-pipe.7824" 1dc27c6e310 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4088 -parentBuildID 20230927232528 -prefsHandle 3944 -prefMapHandle 3940 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {38509e27-cf62-4645-91ed-874a587441d6} 7824 "\\.\pipe\gecko-crash-server-pipe.7824" 1dc39da2e10 rdd
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5296 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5196 -prefMapHandle 5344 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1b434bde-b94a-4a39-974d-2f8b7ed056e3} 7824 "\\.\pipe\gecko-crash-server-pipe.7824" 1dc4178a710 utility
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2296 -parentBuildID 20230927232528 -prefsHandle 2240 -prefMapHandle 2224 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {24840072-f694-4f48-95a1-da79ede47ec3} 7824 "\\.\pipe\gecko-crash-server-pipe.7824" 1dc27c6e310 socket	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4088 -parentBuildID 20230927232528 -prefsHandle 3944 -prefMapHandle 3940 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {38509e27-cf62-4645-91ed-874a587441d6} 7824 "\\.\pipe\gecko-crash-server-pipe.7824" 1dc39da2e10 rdd	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5296 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5196 -prefMapHandle 5344 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1b434bde-b94a-4a39-974d-2f8b7ed056e3} 7824 "\\.\pipe\gecko-crash-server-pipe.7824" 1dc4178a710 utility	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: webauthn.pdb source: firefox.exe, 0000000D.00000003.1980134881.000001DC3BE01000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdbV source: gmpopenh264.dll.tmp.13.dr
Source:	Binary string: wshbth.pdbGCTL source: firefox.exe, 0000000D.00000003.1985587845.000001DC374AF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: NapiNSP.pdbUGP source: firefox.exe, 0000000D.00000003.1981914232.000001DC374A5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wshbth.pdb source: firefox.exe, 0000000D.00000003.1985587845.000001DC374AF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: pnrpnsp.pdb source: firefox.exe, 0000000D.00000003.1984983412.000001DC374A5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: NapiNSP.pdb source: firefox.exe, 0000000D.00000003.1981914232.000001DC374A5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: netprofm.pdb source: firefox.exe, 0000000D.00000003.1982928061.000001DC3BE01000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdb source: gmpopenh264.dll.tmp.13.dr
Source:	Binary string: webauthn.pdbGCTL source: firefox.exe, 0000000D.00000003.1980134881.000001DC3BE01000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: pnrpnsp.pdbUGP source: firefox.exe, 0000000D.00000003.1984983412.000001DC374A5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: netprofm.pdbUGP source: firefox.exe, 0000000D.00000003.1982928061.000001DC3BE01000.00000004.00000020.00020000.00000000.sdmp

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00E442DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00E442DE

Source: gmpopenh264.dll.tmp.13.dr

Static PE information: section name: .rodata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00E60A76 push ecx; ret

0_2_00E60A89

Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp			Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)			Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E5F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00E5F98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00ED1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00ED1C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found stalling execution ending in API Sleep call

Source: C:\Users\user\Desktop\file.exe

Stalling execution: Execution stalls by calling Sleep

graph_0-92996

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 16_2_000001D26A6FA0F7 rdtsc

16_2_000001D26A6FA0F7

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.8 %

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EADBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00EADBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EB68EE FindFirstFileW,FindClose,	0_2_00EB68EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EB698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_00EB698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EAD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00EAD076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EAD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00EAD3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EB9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00EB9642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EB979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00EB979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EB9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00EB9B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EB5C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00EB5C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00E442DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00E442DE

Source: firefox.exe, 0000000F.00000002.3030750976.0000023E49F00000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllz
Source: firefox.exe, 0000000F.00000002.3030750976.0000023E49F00000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllt
Source: firefox.exe, 0000000F.00000002.3030750976.0000023E49F00000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000F.00000002.3022816615.0000023E4982A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3030410318.000001D26AE60000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3023337030.000001DEDFBCA000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3029808034.000001DEDFE80000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: firefox.exe, 0000000F.00000002.3029517843.0000023E49E21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: firefox.exe, 00000010.00000002.3030410318.000001D26AE60000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: firefox.exe, 00000010.00000002.3023248884.000001D26A63A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW@f

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 16_2_000001D26A6FA0F7 rdtsc

16_2_000001D26A6FA0F7

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00EBEAA2 BlockInput,

0_2_00EBEAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00E72622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00E72622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00E442DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00E442DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00E64CE8 mov eax, dword ptr fs:[00000030h]

0_2_00E64CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00EA0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00EA0B62

Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E72622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00E72622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E6083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00E6083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E609D5 SetUnhandledExceptionFilter,	0_2_00E609D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E60C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00E60C21

Source: C:\Users\user\Desktop\file.exe

0_2_00EA1201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00E82BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00E82BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00EAB226 SendInput,keybd_event,

0_2_00EAB226

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00EC22DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_00EC22DA

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

0_2_00EA0B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00EA1663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00EA1663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00E60698 cpuid

0_2_00E60698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00EB8195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00EB8195

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00E9D27A GetUserNameW,

0_2_00E9D27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00E7BB6F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00E7BB6F

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00E442DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00E442DE

Stealing of Sensitive Information

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 7408, type: MEMORYSTR

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 7408, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EC1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00EC1204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EC1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00EC1806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	2 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Extra Window Memory Injection	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	1 DLL Side-Loading	NTDS	16 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 Extra Window Memory Injection	LSA Secrets	31 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Process Injection	1 Masquerading	Cached Domain Credentials	3 Process Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	1 System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	2 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	47%	ReversingLabs	Win32.Trojan.CredentialFlusher
file.exe	42%	Virustotal		Browse
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	0%	ReversingLabs

Source	Detection	Scanner	Label
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	0%	URL Reputation	safe
http://crl.microsoft	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	0%	URL Reputation	safe
https://datastudio.google.com/embed/reporting/	0%	URL Reputation	safe
http://www.mozilla.com0	0%	URL Reputation	safe
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	0%	URL Reputation	safe
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	0%	URL Reputation	safe
https://merino.services.mozilla.com/api/v1/suggest	0%	URL Reputation	safe
https://json-schema.org/draft/2019-09/schema.	0%	URL Reputation	safe
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	0%	URL Reputation	safe
https://www.leboncoin.fr/	0%	URL Reputation	safe
https://spocs.getpocket.com/spocs	0%	URL Reputation	safe
https://shavar.services.mozilla.com	0%	URL Reputation	safe
https://completion.amazon.com/search/complete?q=	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	0%	URL Reputation	safe
https://monitor.firefox.com/breach-details/	0%	URL Reputation	safe
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	0%	URL Reputation	safe
https://xhr.spec.whatwg.org/#sync-warning	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/addons/addon/	0%	URL Reputation	safe
https://tracking-protection-issues.herokuapp.com/new	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	0%	URL Reputation	safe
https://content-signature-2.cdn.mozilla.net/	0%	URL Reputation	safe
https://json-schema.org/draft/2020-12/schema/=	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	0%	URL Reputation	safe
https://api.accounts.firefox.com/v1	0%	URL Reputation	safe
https://ok.ru/	0%	URL Reputation	safe
https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTabMozRequestFullSc	0%	URL Reputation	safe
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	0%	URL Reputation	safe
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	0%	URL Reputation	safe
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	0%	URL Reputation	safe
https://bugzilla.mo	0%	URL Reputation	safe
https://mitmdetection.services.mozilla.com/	0%	URL Reputation	safe
https://shavar.services.mozilla.com/	0%	URL Reputation	safe
https://developer.mozilla.org/docs/Web/API/Element/releasePointerCapture	0%	URL Reputation	safe
https://spocs.getpocket.com/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	0%	URL Reputation	safe
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	0%	URL Reputation	safe
https://monitor.firefox.com/user/breach-stats?includeResolved=true	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	0%	URL Reputation	safe
https://merino.services.mozilla.com/api/v1/suggestabout	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1584464	0%	URL Reputation	safe
http://a9.com/-/spec/opensearch/1.0/	0%	URL Reputation	safe
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	0%	URL Reputation	safe
https://monitor.firefox.com/user/dashboard	0%	URL Reputation	safe
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	0%	URL Reputation	safe
https://monitor.firefox.com/about	0%	URL Reputation	safe
https://account.bellmedia.c	0%	URL Reputation	safe
https://login.microsoftonline.com	0%	URL Reputation	safe
https://coverage.mozilla.org	0%	URL Reputation	safe
http://crl.thawte.com/ThawteTimestampingCA.crl0	0%	URL Reputation	safe
https://www.zhihu.com/	0%	URL Reputation	safe
http://x1.c.lencr.org/0	0%	URL Reputation	safe
http://x1.i.lencr.org/0	0%	URL Reputation	safe
http://a9.com/-/spec/opensearch/1.1/	0%	URL Reputation	safe
https://infra.spec.whatwg.org/#ascii-whitespace	0%	URL Reputation	safe
https://blocked.cdn.mozilla.net/	0%	URL Reputation	safe
https://developer.mozilla.org/en-US/docs/Glossary/speculative_parsingDocumentWriteIgnored	0%	URL Reputation	safe
https://json-schema.org/draft/2019-09/schema	0%	URL Reputation	safe
http://developer.mozilla.org/en/docs/DOM:element.addEventListener	0%	URL Reputation	safe
https://duckduckgo.com/?t=ffab&q=	0%	URL Reputation	safe
https://profiler.firefox.com	0%	URL Reputation	safe
https://outlook.live.com/default.aspx?rru=compose&to=%s	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=793869	0%	URL Reputation	safe
https://identity.mozilla.com/apps/relay	0%	URL Reputation	safe
https://mozilla.cloudflare-dns.com/dns-query	0%	URL Reputation	safe
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	0%	URL Reputation	safe
https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg	0%	URL Reputation	safe
https://contile.services.mozilla.com/v1/tiles	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
example.org	93.184.215.14	true	false	unknown
star-mini.c10r.facebook.com	157.240.251.35	true	false	unknown
prod.classify-client.prod.webservices.mozgcp.net	35.190.72.216	true	false	unknown
prod.balrog.prod.cloudops.mozgcp.net	35.244.181.201	true	false	unknown
twitter.com	104.244.42.129	true	false	unknown
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82	true	false	unknown
services.addons.mozilla.org	151.101.1.91	true	false	unknown
dyna.wikimedia.org	185.15.59.224	true	false	unknown
prod.remote-settings.prod.webservices.mozgcp.net	34.149.100.209	true	false	unknown
contile.services.mozilla.com	34.117.188.166	true	false	unknown
youtube.com	172.217.16.206	true	false	unknown
prod.content-signature-chains.prod.webservices.mozgcp.net	34.160.144.191	true	false	unknown
youtube-ui.l.google.com	216.58.206.46	true	false	unknown
us-west1.prod.sumo.prod.webservices.mozgcp.net	34.149.128.2	true	false	unknown
reddit.map.fastly.net	151.101.193.140	true	false	unknown
ipv4only.arpa	192.0.0.171	true	false	unknown
prod.ads.prod.webservices.mozgcp.net	34.117.188.166	true	false	unknown
push.services.mozilla.com	34.107.243.93	true	false	unknown
normandy-cdn.services.mozilla.com	35.201.103.21	true	false	unknown
telemetry-incoming.r53-2.services.mozilla.com	34.120.208.123	true	false	unknown
www.reddit.com	unknown	unknown	false	unknown
spocs.getpocket.com	unknown	unknown	false	unknown
content-signature-2.cdn.mozilla.net	unknown	unknown	false	unknown
support.mozilla.org	unknown	unknown	false	unknown
firefox.settings.services.mozilla.com	unknown	unknown	false	unknown
www.youtube.com	unknown	unknown	false	unknown
www.facebook.com	unknown	unknown	false	unknown
detectportal.firefox.com	unknown	unknown	false	unknown
normandy.cdn.mozilla.net	unknown	unknown	false	unknown
shavar.services.mozilla.com	unknown	unknown	false	unknown
www.wikipedia.org	unknown	unknown	false	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-	firefox.exe, 0000000F.00000002.3024200565.0000023E499C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3023860553.000001D26A670000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3028998963.000001DEDFE00000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	firefox.exe, 00000010.00000002.3026057540.000001D26A9C7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3024074006.000001DEDFDC4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.microsoft	firefox.exe, 0000000D.00000003.1983100826.000001DC3746B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	firefox.exe, 0000000F.00000002.3024200565.0000023E499C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3023860553.000001D26A670000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3028998963.000001DEDFE00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://datastudio.google.com/embed/reporting/	firefox.exe, 0000000D.00000003.1946226908.000001DC38A3F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1988149042.000001DC402E8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1876749161.000001DC3A3C7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1907697807.000001DC402E8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1874536384.000001DC3A3B2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1995455179.000001DC402E8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1972864114.000001DC402E8000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.mozilla.com0	gmpopenh264.dll.tmp.13.dr	false	URL Reputation: safe	unknown
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	firefox.exe, 0000000F.00000002.3025099273.0000023E49CE6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3026057540.000001D26A9F1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3030099904.000001DEE0003000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false	URL Reputation: safe	unknown
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	firefox.exe, 0000000D.00000003.1843431777.000001DC3FB50000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1841991981.000001DC3FB50000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1930524584.000001DC3FB4B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://merino.services.mozilla.com/api/v1/suggest	firefox.exe, 00000011.00000002.3024074006.000001DEDFD8F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://json-schema.org/draft/2019-09/schema.	firefox.exe, 0000000D.00000003.2010900178.000001DC38F05000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	firefox.exe, 0000000F.00000002.3024200565.0000023E499C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3023860553.000001D26A670000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3028998963.000001DEDFE00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.leboncoin.fr/	firefox.exe, 0000000D.00000003.1996862670.000001DC3FF7A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1907892372.000001DC3FF73000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1973312282.000001DC3FF73000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://mozilla.o	firefox.exe, 0000000D.00000003.1920539261.000001DC390C1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1928438402.000001DC390C1000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://spocs.getpocket.com/spocs	firefox.exe, 0000000D.00000003.2003852250.000001DC393C9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://shavar.services.mozilla.com	firefox.exe, 0000000D.00000003.2009485624.000001DC38FC4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://completion.amazon.com/search/complete?q=	firefox.exe, 0000000D.00000003.1861029345.000001DC3FAF9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	firefox.exe, 0000000F.00000002.3024200565.0000023E499C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3023860553.000001D26A670000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3028998963.000001DEDFE00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	firefox.exe, 0000000F.00000002.3024200565.0000023E499C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3023860553.000001D26A670000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3028998963.000001DEDFE00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/breach-details/	firefox.exe, 0000000F.00000002.3024200565.0000023E499C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3023860553.000001D26A670000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3028998963.000001DEDFE00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.microso	firefox.exe, 0000000D.00000003.1963702167.000001DC37462000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://github.com/w3c/csswg-drafts/issues/4650	firefox.exe, 0000000D.00000003.1861029345.000001DC3FA88000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1845848327.000001DC3FA88000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	firefox.exe, 0000000F.00000002.3024200565.0000023E499C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3023860553.000001D26A670000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3028998963.000001DEDFE00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://xhr.spec.whatwg.org/#sync-warning	firefox.exe, 0000000D.00000003.1975155286.000001DC3FA6B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1910270574.000001DC3FA5C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1997454350.000001DC3FA5C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/exec/obidos/external-search/	firefox.exe, 0000000D.00000003.1972967841.000001DC3FFDA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1867686366.000001DC394FA000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.msn.com	firefox.exe, 0000000D.00000003.1912019753.000001DC3AF6C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1977088922.000001DC3AF6C000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://github.com/mozilla-services/screenshots	firefox.exe, 0000000D.00000003.1809381554.000001DC3775A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1809216582.000001DC3773C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1809751063.000001DC37777000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1808855133.000001DC37500000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1809023052.000001DC3771F000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://services.addons.mozilla.org/api/v4/addons/addon/	firefox.exe, 0000000F.00000002.3024200565.0000023E499C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3023860553.000001D26A670000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3028998963.000001DEDFE00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://tracking-protection-issues.herokuapp.com/new	firefox.exe, 0000000F.00000002.3024200565.0000023E499C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3023860553.000001D26A670000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3028998963.000001DEDFE00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	firefox.exe, 0000000F.00000002.3024200565.0000023E499C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3023860553.000001D26A670000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3028998963.000001DEDFE00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://youtube.com/	firefox.exe, 0000000D.00000003.1992344287.000001DC3F91A000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://content-signature-2.cdn.mozilla.net/	firefox.exe, 0000000D.00000003.1972967841.000001DC3FFEE000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://json-schema.org/draft/2020-12/schema/=	firefox.exe, 0000000D.00000003.2010900178.000001DC38F05000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94	firefox.exe, 0000000F.00000002.3025099273.0000023E49CE6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3026057540.000001D26A9F1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3030099904.000001DEE0003000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false		unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	firefox.exe, 0000000F.00000002.3024200565.0000023E499C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3023860553.000001D26A670000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3028998963.000001DEDFE00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.microsoom/p	firefox.exe, 0000000D.00000003.1963702167.000001DC37462000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://api.accounts.firefox.com/v1	firefox.exe, 0000000F.00000002.3024200565.0000023E499C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3023860553.000001D26A670000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3028998963.000001DEDFE00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ok.ru/	firefox.exe, 0000000D.00000003.2003129464.000001DC39BAD000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/	firefox.exe, 0000000D.00000003.1909653941.000001DC3FC8F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2006263659.000001DC3FF73000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/	firefox.exe, 0000000F.00000002.3024200565.0000023E499C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3023860553.000001D26A670000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3028998963.000001DEDFE00000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTabMozRequestFullSc	firefox.exe, 0000000D.00000003.1968695763.000001DC4219D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	firefox.exe, 0000000F.00000002.3024200565.0000023E499C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3023860553.000001D26A670000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3028998963.000001DEDFE00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta	firefox.exe, 0000000F.00000002.3025099273.0000023E49CE6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3026057540.000001D26A9F1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3030099904.000001DEE0003000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false		unknown
https://www.youtube.com/	firefox.exe, 0000000D.00000003.1909653941.000001DC3FC8F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3026057540.000001D26A903000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3024074006.000001DEDFD0C000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	firefox.exe, 0000000D.00000003.1883591887.000001DC38479000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1900851525.000001DC38470000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1900371022.000001DC3845F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	firefox.exe, 0000000F.00000002.3024200565.0000023E499C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3023860553.000001D26A670000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3028998963.000001DEDFE00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.bbc.co.uk/	firefox.exe, 0000000D.00000003.1996862670.000001DC3FF7A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1907892372.000001DC3FF73000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1973312282.000001DC3FF73000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://addons.mozilla.org/firefox/addon/to-google-translate/	firefox.exe, 0000000D.00000003.1902131284.000001DC436ED000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1990292744.000001DC436EF000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	firefox.exe, 00000010.00000002.3026057540.000001D26A9C7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3024074006.000001DEDFDC4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://127.0.0.1:	firefox.exe, 0000000F.00000002.3024200565.0000023E499C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3023860553.000001D26A670000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3028998963.000001DEDFE00000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	firefox.exe, 0000000D.00000003.1883591887.000001DC38465000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1900371022.000001DC3845F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	firefox.exe, 0000000D.00000003.1966173131.000001DC39135000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1958680045.000001DC39137000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mo	firefox.exe, 0000000D.00000003.1990337607.000001DC436A2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1990292744.000001DC436EF000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mitmdetection.services.mozilla.com/	firefox.exe, 0000000F.00000002.3024200565.0000023E499C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3023860553.000001D26A670000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3028998963.000001DEDFE00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://youtube.com/account?=	recovery.jsonlz4.tmp.13.dr	false		unknown
https://shavar.services.mozilla.com/	firefox.exe, 0000000D.00000003.2004064042.000001DC393AD000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://developer.mozilla.org/docs/Web/API/Element/releasePointerCapture	firefox.exe, 0000000D.00000003.1968695763.000001DC4219D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://spocs.getpocket.com/	firefox.exe, 00000010.00000002.3026057540.000001D26A95F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3026057540.000001D26A912000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3024074006.000001DEDFD13000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	firefox.exe, 0000000F.00000002.3024200565.0000023E499C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3023860553.000001D26A670000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3028998963.000001DEDFE00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	firefox.exe, 0000000F.00000002.3024200565.0000023E499C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3023860553.000001D26A670000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3028998963.000001DEDFE00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	firefox.exe, 0000000F.00000002.3024200565.0000023E499C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3023860553.000001D26A670000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3028998963.000001DEDFE00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://detectportal.firefox.comA	firefox.exe, 0000000D.00000003.2003129464.000001DC39B9F000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.iqiyi.com/	firefox.exe, 0000000D.00000003.1996862670.000001DC3FF7A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2003129464.000001DC39BAD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1907892372.000001DC3FF73000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1973312282.000001DC3FF73000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r	firefox.exe, 0000000F.00000002.3024200565.0000023E499C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3023860553.000001D26A670000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3028998963.000001DEDFE00000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://monitor.firefox.com/user/breach-stats?includeResolved=true	firefox.exe, 0000000F.00000002.3024200565.0000023E499C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3023860553.000001D26A670000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3028998963.000001DEDFE00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	firefox.exe, 0000000F.00000002.3024200565.0000023E499C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3023860553.000001D26A670000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3028998963.000001DEDFE00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://addons.mozilla.org/	firefox.exe, 0000000D.00000003.1902131284.000001DC43698000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://merino.services.mozilla.com/api/v1/suggestabout	firefox.exe, 0000000F.00000002.3025099273.0000023E49C73000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1584464	firefox.exe, 0000000D.00000003.1861029345.000001DC3FA88000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1845848327.000001DC3FA88000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://a9.com/-/spec/opensearch/1.0/	firefox.exe, 0000000D.00000003.1907892372.000001DC3FFDA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1995641462.000001DC3FFDA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1972967841.000001DC3FFDA000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	firefox.exe, 0000000F.00000002.3024200565.0000023E499C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3023860553.000001D26A670000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3028998963.000001DEDFE00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/user/dashboard	firefox.exe, 0000000F.00000002.3024200565.0000023E499C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3023860553.000001D26A670000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3028998963.000001DEDFE00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	firefox.exe, 0000000F.00000002.3024200565.0000023E499C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3023860553.000001D26A670000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3028998963.000001DEDFE00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/about	firefox.exe, 0000000F.00000002.3024200565.0000023E499C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3023860553.000001D26A670000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3028998963.000001DEDFE00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://mozilla.org/MPL/2.0/.	firefox.exe, 0000000D.00000003.1845056266.000001DC3FC62000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1861029345.000001DC3FACD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1946786395.000001DC389C9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1817798565.000001DC37CE7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1977935737.000001DC3AF44000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1974847134.000001DC3FC37000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1842751563.000001DC3FBC7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1924729281.000001DC39563000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1930524584.000001DC3FBB6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1816077217.000001DC389ED000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1971792150.000001DC419B5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1961277233.000001DC3913F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1924729281.000001DC395D8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1845056266.000001DC3FC37000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1873665701.000001DC389C9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1935194545.000001DC391B8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1905833626.000001DC419B5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1843482359.000001DC3FB34000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1909986237.000001DC3FC37000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1993782323.000001DC3B2DC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1951266406.000001DC3A31B000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://account.bellmedia.c	firefox.exe, 0000000D.00000003.1912019753.000001DC3AF6C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1977088922.000001DC3AF6C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://youtube.com/	firefox.exe, 0000000D.00000003.1911486846.000001DC3F9F6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1863330204.000001DC3F9F6000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://login.microsoftonline.com	firefox.exe, 0000000D.00000003.1912019753.000001DC3AF6C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1913641858.000001DC3A5C9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1978377096.000001DC3A5C9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1977088922.000001DC3AF6C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://coverage.mozilla.org	firefox.exe, 0000000F.00000002.3024200565.0000023E499C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3023860553.000001D26A670000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3028998963.000001DEDFE00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0	gmpopenh264.dll.tmp.13.dr	false	URL Reputation: safe	unknown
https://www.zhihu.com/	firefox.exe, 0000000D.00000003.1911486846.000001DC3F9F6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1976119898.000001DC3F9F6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1988912780.000001DC3F9F6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1863330204.000001DC3F9F6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2003129464.000001DC39BAD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2006848973.000001DC3F9F6000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.c.lencr.org/0	firefox.exe, 0000000D.00000003.1910060471.000001DC3FC1F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1978377096.000001DC3A5D1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.i.lencr.org/0	firefox.exe, 0000000D.00000003.1910060471.000001DC3FC1F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1978377096.000001DC3A5D1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://a9.com/-/spec/opensearch/1.1/	firefox.exe, 0000000D.00000003.1907892372.000001DC3FFDA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1995641462.000001DC3FFDA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1972967841.000001DC3FFDA000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://infra.spec.whatwg.org/#ascii-whitespace	firefox.exe, 0000000D.00000003.1843431777.000001DC3FB50000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1930524584.000001DC3FB4B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://blocked.cdn.mozilla.net/	firefox.exe, 0000000F.00000002.3024200565.0000023E499C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3023860553.000001D26A670000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3028998963.000001DEDFE00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://developer.mozilla.org/en-US/docs/Glossary/speculative_parsingDocumentWriteIgnored	firefox.exe, 0000000D.00000003.1975155286.000001DC3FA6B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1910270574.000001DC3FA5C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1997454350.000001DC3FA5C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://json-schema.org/draft/2019-09/schema	firefox.exe, 0000000D.00000003.1996021064.000001DC3FF8A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1907892372.000001DC3FF73000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1973312282.000001DC3FF73000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://developer.mozilla.org/en/docs/DOM:element.addEventListener	firefox.exe, 0000000D.00000003.1975155286.000001DC3FA6B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1910270574.000001DC3FA5C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1997454350.000001DC3FA5C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/?t=ffab&q=	firefox.exe, 0000000D.00000003.1907892372.000001DC3FF73000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://profiler.firefox.com	firefox.exe, 0000000F.00000002.3024200565.0000023E499C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3023860553.000001D26A670000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3028998963.000001DEDFE00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://outlook.live.com/default.aspx?rru=compose&to=%s	firefox.exe, 0000000D.00000003.1812337411.000001DC36F33000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1812063369.000001DC36F19000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1811302196.000001DC36F33000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=793869	firefox.exe, 0000000D.00000003.1883591887.000001DC38465000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://identity.mozilla.com/apps/relay	firefox.exe, 0000000D.00000003.2010076699.000001DC38F88000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mozilla.cloudflare-dns.com/dns-query	firefox.exe, 0000000F.00000002.3024200565.0000023E499C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3023860553.000001D26A670000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3028998963.000001DEDFE00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	firefox.exe, 0000000D.00000003.1999342061.000001DC3AF80000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1912019753.000001DC3AF6C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1977088922.000001DC3AF7C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	firefox.exe, 0000000D.00000003.1883591887.000001DC38479000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1883591887.000001DC38465000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1900851525.000001DC38470000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1884122789.000001DC38481000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1900798668.000001DC38487000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1900311963.000001DC38485000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1900371022.000001DC3845F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mail.yahoo.co.jp/compose/?To=%s	firefox.exe, 0000000D.00000003.1812337411.000001DC36F33000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1812063369.000001DC36F19000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1811302196.000001DC36F33000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://addons.mozilla.org/firefox/addon/reddit-enhancement-suite/	firefox.exe, 0000000D.00000003.1902131284.000001DC436ED000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1990292744.000001DC436EF000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg	firefox.exe, 0000000F.00000002.3025099273.0000023E49CE6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3026057540.000001D26A9F1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3030099904.000001DEE0003000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false	URL Reputation: safe	unknown
https://contile.services.mozilla.com/v1/tiles	firefox.exe, 0000000D.00000003.1845056266.000001DC3FC62000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000002.3024200565.0000023E499C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3023860553.000001D26A670000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3028998963.000001DEDFE00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
172.217.16.206	youtube.com	United States	15169	GOOGLEUS	false
151.101.1.91	services.addons.mozilla.org	United States	54113	FASTLYUS	false
34.149.100.209	prod.remote-settings.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.107.243.93	push.services.mozilla.com	United States	15169	GOOGLEUS	false
34.107.221.82	prod.detectportal.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
35.244.181.201	prod.balrog.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
34.117.188.166	contile.services.mozilla.com	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
35.201.103.21	normandy-cdn.services.mozilla.com	United States	15169	GOOGLEUS	false
35.190.72.216	prod.classify-client.prod.webservices.mozgcp.net	United States	15169	GOOGLEUS	false
34.160.144.191	prod.content-signature-chains.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.120.208.123	telemetry-incoming.r53-2.services.mozilla.com	United States	15169	GOOGLEUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1544263
Start date and time:	2024-10-29 06:58:04 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 16s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal72.troj.evad.winEXE@34/34@68/12
EGA Information:	Successful, ratio: 40%
HCA Information:	Successful, ratio: 94% Number of executed functions: 40 Number of non-executed functions: 312
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.11.191.138, 35.160.212.113, 54.185.230.140, 2.22.61.56, 2.22.61.59, 216.58.212.142, 88.221.134.209, 88.221.134.155, 142.250.186.78, 142.250.186.74, 172.217.18.10
Excluded domains from analysis (whitelisted): fs.microsoft.com, shavar.prod.mozaws.net, ciscobinary.openh264.org, slscr.update.microsoft.com, otelrules.azureedge.net, incoming.telemetry.mozilla.org, ctldl.windowsupdate.com, a17.rackcdn.com.mdc.edgesuite.net, detectportal.prod.mozaws.net, aus5.mozilla.org, fe3cr.delivery.mp.microsoft.com, a19.dscg10.akamai.net, ocsp.digicert.com, redirector.gvt1.com, safebrowsing.googleapis.com, location.services.mozilla.com
Execution Graph export aborted for target firefox.exe, PID 7824 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
01:59:15	API Interceptor	1x Sleep call for process: firefox.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
34.117.188.166	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
151.101.1.91	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.149.100.209	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
example.org	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
services.addons.mozilla.org	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
star-mini.c10r.facebook.com	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.253.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35
	Salary_Structure_Benefits_for_Sebastien.daveauIyNURVhUTlVNUkFORE9NMTkjIw==.html	Get hash	malicious	HTMLPhisher	Browse	157.240.251.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.252.35
	https://api.inspectrealestate.com.au/email/track?eta=1&t=B32-5UARLGTXC6GHXC7PJPHCGUP7HMF6FJEQ76L6MOL7WYB6P6EYQNBONANBBGKOXFRO3HPDET5TXGOZXG5FJNMJJC437YUYUWDF5VEVIWPK6LECEZJV3OMRCXF6VI76ZOGYOFIOERVACTHYB4KHK22IKKEWLYPTUBLONXLA7QVY2SW2TZMW4ULVG2UAKDR3DM3RL4TTJAF3F3ROXQ3ZLRVYS7Z2T4TIQETEEUV73V42AQLF65YKSUX6JMYEW3ZHXPREAMXXBOQV32GKOYOISFZKX4GPTPR2IMSMCULLR2V4QUSMU3MWF7NQ%3D%3D%3D%3D	Get hash	malicious	Unknown	Browse	157.240.0.35
twitter.com	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
FASTLYUS	http://prabal-gupta-lcatterton-com.athuselevadores.com.br/	Get hash	malicious	HTMLPhisher	Browse	151.101.65.229
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	https://apollomicsinc-my.sharepoint.com/:u:/p/peony_yu/EThcAjzaTWNPs4NpIP1X0v0BUe4pmKNB9s6TANBDk5EDeA?rtime=8VndtY_33Eg	Get hash	malicious	HtmlDropper	Browse	151.101.130.137
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	Salary_Structure_Benefits_for_Sebastien.daveauIyNURVhUTlVNUkFORE9NMTkjIw==.html	Get hash	malicious	HTMLPhisher	Browse	151.101.193.44
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
ATGS-MMD-ASUS	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
ATGS-MMD-ASUS	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fb0aa01abe9d8e4037eb3473ca6e2dca	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_2a8e31d2-c61f-4da1-9ef7-265c5bccd399.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.177627146644169
Encrypted:	false
SSDEEP:	192:HjMXjfocbhbVbTbfbRbObtbyEl7nArwJA6WnSrDtTUd/SkDrh:HYkcNhnzFSJgrjBnSrDhUd/L
MD5:	FBFC9E536E6364936901A5DFD5137B1E
SHA1:	397EE2EC025EEF365C91E1E1ECDA22601704A688
SHA-256:	E1AF1CC9234D1DEDF878DFB71F9126045DC162A905836BD019088DABB95013E3
SHA-512:	27784F7B235D0BD1AC291B5C761419E7B0B30DDEC8D8BC42CC91A649246AC8872C7F95EB23F45ACE5C4E0EDE9278AC2A206EF259AB0B1550E950695870F9C083
Malicious:	false
Preview:	{"type":"uninstall","id":"2a8e31d2-c61f-4da1-9ef7-265c5bccd399","creationDate":"2024-10-29T07:01:45.783Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"65e71c9e-6ac3-4903-9066-b134350de32c","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_2a8e31d2-c61f-4da1-9ef7-265c5bccd399.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.177627146644169
Encrypted:	false
SSDEEP:	192:HjMXjfocbhbVbTbfbRbObtbyEl7nArwJA6WnSrDtTUd/SkDrh:HYkcNhnzFSJgrjBnSrDhUd/L
MD5:	FBFC9E536E6364936901A5DFD5137B1E
SHA1:	397EE2EC025EEF365C91E1E1ECDA22601704A688
SHA-256:	E1AF1CC9234D1DEDF878DFB71F9126045DC162A905836BD019088DABB95013E3
SHA-512:	27784F7B235D0BD1AC291B5C761419E7B0B30DDEC8D8BC42CC91A649246AC8872C7F95EB23F45ACE5C4E0EDE9278AC2A206EF259AB0B1550E950695870F9C083
Malicious:	false
Preview:	{"type":"uninstall","id":"2a8e31d2-c61f-4da1-9ef7-265c5bccd399","creationDate":"2024-10-29T07:01:45.783Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"65e71c9e-6ac3-4903-9066-b134350de32c","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ISO Media, MP4 Base Media v1 [ISO 14496-12:2003]
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.4593089050301797
Encrypted:	false
SSDEEP:	48:9SP0nUgwyZXYI65yFRX2D3GNTTfyn0Mk1iA:9SDKaIjo3UzyE1L
MD5:	D910AD167F0217587501FDCDB33CC544
SHA1:	2F57441CEFDC781011B53C1C5D29AC54835AFC1D
SHA-256:	E3699D9404A3FFC1AFF0CA8A3972DC0EF38BDAB927741E9F627C7C55CEA42E81
SHA-512:	F1871BF28FF25EE52BDB99C7A80AB715C7CAC164DCD2FD87E681168EE927FD2C5E80E03C91BB638D955A4627213BF575FF4D9EECAEDA7718C128CF2CE8F7CB3D
Malicious:	false
Preview:	... ftypisom....isomiso2avc1mp41....free....mdat..........E...H..,. .#..x264 - core 152 r2851 ba24899 - H.264/MPEG-4 AVC codec - Copyleft 2003-2017 - http://www.videolan.org/x264.html - options: cabac=1 ref=3 deblock=1:0:0 analyse=0x3:0x113 me=hex subme=7 psy=1 psy_rd=1.00:0.00 mixed_ref=1 me_range=16 chroma_me=1 trellis=1 8x8dct=1 cqm=0 deadzone=21,11 fast_pskip=1 chroma_qp_offset=-2 threads=4 lookahead_threads=1 sliced_threads=0 nr=0 decimate=1 interlaced=0 bluray_compat=0 constrained_intra=0 bframes=3 b_pyramid=2 b_adapt=1 b_bias=0 direct=1 weightb=1 open_gop=0 weightp=2 keyint=250 keyint_min=25 scenecut=40 intra_refresh=0 rc_lookahead=40 rc=crf mbtree=1 crf=23.0 qcomp=0.60 qpmin=0 qpmax=69 qpstep=4 ip_ratio=1.40 aq=1:1.00......e...+...s\|.kG3...'.u.."...,J.w.~.d\..(K....!.+..;....h....(.T.*...M......0..~L..8..B..A.y..R..,.zBP.';j.@.].w..........c......C=.'f....gI.$^.......m5V.L...{U..%V[....8......B..i..^,....:...,..5.m.%dA....moov...lmvhd...................(...........

C:\Users\user\AppData\Local\Temp\tmpaddon

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	453023
Entropy (8bit):	7.997718157581587
Encrypted:	true
SSDEEP:	12288:tESTeqTI2r4ZbCgUKWKNeRcPMb6qlV7hVZe3:tEsed2Xh9/bdzZe3
MD5:	85430BAED3398695717B0263807CF97C
SHA1:	FFFBEE923CEA216F50FCE5D54219A188A5100F41
SHA-256:	A9F4281F82B3579581C389E8583DC9F477C7FD0E20C9DFC91A2E611E21E3407E
SHA-512:	06511F1F6C6D44D076B3C593528C26A602348D9C41689DBF5FF716B671C3CA5756B12CB2E5869F836DEDCE27B1A5CFE79B93C707FD01F8E84B620923BB61B5F1
Malicious:	false
Preview:	PK.........bN...R..........gmpopenh264.dll..\|.E.0.=..I.....1....4f1q.`.........q.....'+....hm{.z..o_.{w........$..($A!...\|L...B&A2.s.{..Dd......c.U.U..9u.S...K.l`...../.d.-....\|.....&....9......wn..x......i.#O.+.Y.l......+....,3.3f..\..c.SSS,............N...GG...F.'.&.:'.K.Z&.>.@.g..M...M.`............ZR....^jg.G.Kb.o~va.....<Z..1.#.O.e.....D..X..i..$imBW..Q&.......P.....,M.,..:.c...-...\...........-i.K.I..4.a..6.....Ov=...W..F.CH.>...a.'.x...#@f...d..u.1....OV.1o}....g.5.._.3.J.Hi.Z.ipM....b.Z....%.G..F................/..3.q..J.....o...%.g.N..}..).3.N%.!..q........^I.m..~...6.#.~+.....A...I]r...x...<IYj....p0..`S.M@.E..f.=.;!.@.....E..E....... .0.n....Jd..d......uM.-.qI.lR..z..=}..r.D.XLZ....x.$..\|c.1.cUkM.&.Qn]..a]t.h...!.6 7..Jd.DvKJ"Wgd*%n...w...Jni.inmr.@M.$'Z.s....#)%..Rs..:.h....R....\..t.6..'.g.........Uj+F.cr:\|..!..K.W.Y...17......,....r.....>.N..3.R.Y.._\...Ir.DNJdM... .k...&V-....z.%...-...D..i..&...6....7.2T).>..0..%.&.

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.924851457033801
Encrypted:	false
SSDEEP:	96:8S+OfJQPUFpOdwNIOdYVjvYcXaNLIv58P:8S+OBIUjOdwiOdYVjjwLIB8P
MD5:	C8F43318507EDAC352FD5BF5B05CDBB1
SHA1:	4B1093C93EF491D9DE1AB52572A73DB7B5341255
SHA-256:	B2910CE219C550888958A721F21517166A96D9559C1ADB13B476ED8C39FD3AC6
SHA-512:	83E447D19B7C2C36C172D5E02BD56DEF37BBEAEFA326CE03E1D097C8E09C47087F27733D85D41FAFBC17928F74875EF507D67B2EFB14A1743492AEC42A44C344
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"c5d95379-f4ee-4629-a507-6f15a0e93cd4","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-03T11:50:29.548Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.924851457033801
Encrypted:	false
SSDEEP:	96:8S+OfJQPUFpOdwNIOdYVjvYcXaNLIv58P:8S+OBIUjOdwiOdYVjjwLIB8P
MD5:	C8F43318507EDAC352FD5BF5B05CDBB1
SHA1:	4B1093C93EF491D9DE1AB52572A73DB7B5341255
SHA-256:	B2910CE219C550888958A721F21517166A96D9559C1ADB13B476ED8C39FD3AC6
SHA-512:	83E447D19B7C2C36C172D5E02BD56DEF37BBEAEFA326CE03E1D097C8E09C47087F27733D85D41FAFBC17928F74875EF507D67B2EFB14A1743492AEC42A44C344
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"c5d95379-f4ee-4629-a507-6f15a0e93cd4","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-03T11:50:29.548Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 23432 bytes
Category:	dropped
Size (bytes):	5312
Entropy (8bit):	6.615424734763731
Encrypted:	false
SSDEEP:	96:V2YbKsKNU2xWrp327tGmD4wBON6h6cHaJVJuZMd0JGkkrw2D:VTx2x2t0FDJ4NpwZMd0EJws
MD5:	1B9C8056D3619CE5A8C59B0C09873F17
SHA1:	1015C630E1937AA63F6AB31743782ECB5D78CCD8
SHA-256:	A6AE5DE0733FED050AB570AD9374FF4593D554F695B5AE4E2495871D171D34A3
SHA-512:	B1DC9CC675D5476C270A2D5B214D3DF2B3856576ED7EFE92D9A606C2D9D34E781018902AE75CE9C1E25007BB7F8D8F7B52997E6F05B845EF44BAF22F614FE899
Malicious:	false
Preview:	mozLz40..[....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 23432 bytes
Category:	dropped
Size (bytes):	5312
Entropy (8bit):	6.615424734763731
Encrypted:	false
SSDEEP:	96:V2YbKsKNU2xWrp327tGmD4wBON6h6cHaJVJuZMd0JGkkrw2D:VTx2x2t0FDJ4NpwZMd0EJws
MD5:	1B9C8056D3619CE5A8C59B0C09873F17
SHA1:	1015C630E1937AA63F6AB31743782ECB5D78CCD8
SHA-256:	A6AE5DE0733FED050AB570AD9374FF4593D554F695B5AE4E2495871D171D34A3
SHA-512:	B1DC9CC675D5476C270A2D5B214D3DF2B3856576ED7EFE92D9A606C2D9D34E781018902AE75CE9C1E25007BB7F8D8F7B52997E6F05B845EF44BAF22F614FE899
Malicious:	false
Preview:	mozLz40..[....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 5, last written using SQLite version 3042000, page size 32768, file counter 5, database pages 8, cookie 0x6, schema 4, largest root page 8, UTF-8, vacuum mode 1, version-valid-for 5
Category:	dropped
Size (bytes):	262144
Entropy (8bit):	0.04905391753567332
Encrypted:	false
SSDEEP:	24:DLivwae+Q8Uu50xj0aWe9LxYkKA25Q5tvAA:D6wae+QtMImelekKDa5
MD5:	DD9D28E87ED57D16E65B14501B4E54D1
SHA1:	793839B47326441BE2D1336BA9A61C9B948C578D
SHA-256:	BB4E6C58C50BD6399ED70468C02B584595C29F010B66F864CD4D6B427FA365BC
SHA-512:	A2626F6A3CBADE62E38DA5987729D99830D0C6AA134D4A9E615026A5F18ACBB11A2C3C80917DAD76DA90ED5BAA9B0454D4A3C2DD04436735E78C974BA1D035B1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......\|....~.}.}z}-\|.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.185924656884556
Encrypted:	false
SSDEEP:	768:wI43DvfWXf4E6C4p4EC4Y4QfEWvM4B4QS4z4444XQ4U:wUfdvk
MD5:	5656BA69BD2966108A461AAE35F60226
SHA1:	9C2E5AE52D82CEA43C4A5FFF205A7700CF54D61C
SHA-256:	587596712960B26EAC18CB354CCD633FFDB218E374A9D59EFEA843914D7AB299
SHA-512:	38F715AD9156558B5D57CA2E75FB0FFE0C5C6728BD94484B8F15E090120DDD02DCE42DBC9CC7143AD6552460A5F3A40E577FAF1D76D5D40B25CDBE636F250054
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{60024e8e-cfd0-41e5-965d-7128c7dcf0e8}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.185924656884556
Encrypted:	false
SSDEEP:	768:wI43DvfWXf4E6C4p4EC4Y4QfEWvM4B4QS4z4444XQ4U:wUfdvk
MD5:	5656BA69BD2966108A461AAE35F60226
SHA1:	9C2E5AE52D82CEA43C4A5FFF205A7700CF54D61C
SHA-256:	587596712960B26EAC18CB354CCD633FFDB218E374A9D59EFEA843914D7AB299
SHA-512:	38F715AD9156558B5D57CA2E75FB0FFE0C5C6728BD94484B8F15E090120DDD02DCE42DBC9CC7143AD6552460A5F3A40E577FAF1D76D5D40B25CDBE636F250054
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{60024e8e-cfd0-41e5-965d-7128c7dcf0e8}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\permissions.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.07324043695196004
Encrypted:	false
SSDEEP:	12:DBl/A0OWla0mwPxRymgObsCVR45wcYR4fmnsCVR4zki:DLhesh7Owd4+ji
MD5:	B586AC75F0340FAAA5D4EF81B81AB107
SHA1:	DE6141684A4C2DD9B5ACE95CBE48AFCDDABD2525
SHA-256:	818D946DFDA104EB49A49D51A16409239DCF6BB1CDEE21486081C35865D968F4
SHA-512:	E019B8713A15865E2973684CB0FDA72B84BCB91433257A8885C9A657C2DE16BF799645529ED9E8598274E71AE05C5F571E70BB7678516224BB957976B3F98FF0
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......~s..F~s........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.035822017202226504
Encrypted:	false
SSDEEP:	3:GtlstFKb0CtrYlstFKb0Ctx/llT89//alEl:GtWtI4CpYWtI4CjD89XuM
MD5:	5797EF8A32644DDAF14EF256A1524BC1
SHA1:	615CD3642BEAC40E85BA9D635B1E9E4B0744B1FC
SHA-256:	037A45B6CD6FE3797B9E181A2E1C1EEBD6D299DC0797E1643566459DD224518B
SHA-512:	4265AB5F472E8F4F137E85D501B6755ECAFCC700D16E1E14F9E92B6304BA389E1ECFF724536A322010E7D13A1F68D52F06A54D5C4A1049A429A8517FF34051E7
Malicious:	false
Preview:	..-......................X....@...j...lDag.3T....-......................X....@...j...lDag.3T..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-wal

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	dropped
Size (bytes):	32824
Entropy (8bit):	0.04001911727921433
Encrypted:	false
SSDEEP:	3:Ol1Lwm/lo3DmPll8rEXsxdwhml8XW3R2:KSWyzmPll8dMhm93w
MD5:	7672D9F74B449AE46D09BDF0BEDBCFD5
SHA1:	B2B8787876C58C4E4BE71AC80B50F412C64C66FF
SHA-256:	990CD0C0B6C0CD8E217D143E4DDE31DD5125D2CCAD6B224DC71EB37EB6B98AE8
SHA-512:	391AF4E5DE3DF60343614FFD5321C04DC8561A8490593AFE669D4B27F1A55FBDFFFDA1AB77DBB57F135D32F9ED7E22F52C8646827F428EB63D18C9B678C46AD5
Malicious:	false
Preview:	7....-............j...lD.1....j4..........j...lD..X..@..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs-1.js

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1809), with CRLF line terminators
Category:	dropped
Size (bytes):	13254
Entropy (8bit):	5.49461998089112
Encrypted:	false
SSDEEP:	192:MnaRtLYbBp66hj4qyaaXB6K1+NoXM5RfGNBw8daSl:heEq3Oqekcw90
MD5:	EBCD0DB4E1B6492308597F08365B8F48
SHA1:	D8169406B842962F70FF2CC7237A9325158CCBF4
SHA-256:	104B5C8F5B9DBC34B0DE30540822C41998B9D482B97F909998DBC81C1A361DD2
SHA-512:	914DC8C3136815E04FF5C73B9071DD3B7A25F5D1EE934764D7E039725D6C033BD50B38C5EA814D54A9FEBBEE61DAB83CB75CE9A67A50AF7A9403C7DA200F7EF1
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "57f16a19-e119-4073-bf01-28f88011f783");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1730185276);..user_pref("app.update.lastUpdateTime.background-update-timer", 1730185276);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1730185276);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173018

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1809), with CRLF line terminators
Category:	dropped
Size (bytes):	13254
Entropy (8bit):	5.49461998089112
Encrypted:	false
SSDEEP:	192:MnaRtLYbBp66hj4qyaaXB6K1+NoXM5RfGNBw8daSl:heEq3Oqekcw90
MD5:	EBCD0DB4E1B6492308597F08365B8F48
SHA1:	D8169406B842962F70FF2CC7237A9325158CCBF4
SHA-256:	104B5C8F5B9DBC34B0DE30540822C41998B9D482B97F909998DBC81C1A361DD2
SHA-512:	914DC8C3136815E04FF5C73B9071DD3B7A25F5D1EE934764D7E039725D6C033BD50B38C5EA814D54A9FEBBEE61DAB83CB75CE9A67A50AF7A9403C7DA200F7EF1
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "57f16a19-e119-4073-bf01-28f88011f783");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1730185276);..user_pref("app.update.lastUpdateTime.background-update-timer", 1730185276);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1730185276);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173018

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\protections.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 1, last written using SQLite version 3042000, page size 32768, file counter 5, database pages 2, cookie 0x1, schema 4, UTF-8, version-valid-for 5
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.04062825861060003
Encrypted:	false
SSDEEP:	6:ltBl/l4/WN1h4BEJYqWvLue3FMOrMZ0l:DBl/WuntfJiFxMZO
MD5:	18F65713B07CB441E6A98655B726D098
SHA1:	2CEFA32BC26B25BE81C411B60C9925CB0F1F8F88
SHA-256:	B6C268E48546B113551A5AF9CA86BB6A462A512DE6C9289315E125CEB0FD8621
SHA-512:	A6871076C7D7ED53B630F9F144ED04303AD54A2E60B94ECA2AA96964D1AB375EEFDCA86CE0D3EB0E9DBB81470C6BD159877125A080C95EB17E54A52427F805FB
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......x..x..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionCheckpoints.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionCheckpoints.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.baklz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1572
Entropy (8bit):	6.334909291903576
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSyPLXnIg7b/pnxQwRlszT5sKt0M3eHVQj6TDamhujJlOsIomNVruDO:GUpOxtPTVnR6d3eHTD4JlI4R4
MD5:	558E1F83CD04D5E56A46E49FFA85128F
SHA1:	E361FE916756C386DA6684211BEFCCF84A140E2B
SHA-256:	ED819EFA3F56D46C4A037CA00AC0572B7BD651A0B79DF9E24585168A0EC40FC0
SHA-512:	42301069CC157F0F376812E8F0BBB93750F76EDEF94E2396E30C0AA2803B7C1292A8180D65CE6DF52608890AFCFE575451EE9A2A0B746AA91374FA470168431A
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{e7f25059-e8d0-4a4d-95fb-7d3788995261}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1730185282188,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zD..1...Wm..l........j..:....1":{..jUpdate...9,"startTim..P45548...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...A8bad2467092e6ddeb0dfa9e5ea54d86d26790ca7ba2ce88d10cb4604fe726755","path":"/","na..a"taarI\|.Recure...,`.Donly..fexpiry...52884,"originA...

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.jsonlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1572
Entropy (8bit):	6.334909291903576
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSyPLXnIg7b/pnxQwRlszT5sKt0M3eHVQj6TDamhujJlOsIomNVruDO:GUpOxtPTVnR6d3eHTD4JlI4R4
MD5:	558E1F83CD04D5E56A46E49FFA85128F
SHA1:	E361FE916756C386DA6684211BEFCCF84A140E2B
SHA-256:	ED819EFA3F56D46C4A037CA00AC0572B7BD651A0B79DF9E24585168A0EC40FC0
SHA-512:	42301069CC157F0F376812E8F0BBB93750F76EDEF94E2396E30C0AA2803B7C1292A8180D65CE6DF52608890AFCFE575451EE9A2A0B746AA91374FA470168431A
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{e7f25059-e8d0-4a4d-95fb-7d3788995261}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1730185282188,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zD..1...Wm..l........j..:....1":{..jUpdate...9,"startTim..P45548...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...A8bad2467092e6ddeb0dfa9e5ea54d86d26790ca7ba2ce88d10cb4604fe726755","path":"/","na..a"taarI\|.Recure...,`.Donly..fexpiry...52884,"originA...

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.jsonlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1572
Entropy (8bit):	6.334909291903576
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSyPLXnIg7b/pnxQwRlszT5sKt0M3eHVQj6TDamhujJlOsIomNVruDO:GUpOxtPTVnR6d3eHTD4JlI4R4
MD5:	558E1F83CD04D5E56A46E49FFA85128F
SHA1:	E361FE916756C386DA6684211BEFCCF84A140E2B
SHA-256:	ED819EFA3F56D46C4A037CA00AC0572B7BD651A0B79DF9E24585168A0EC40FC0
SHA-512:	42301069CC157F0F376812E8F0BBB93750F76EDEF94E2396E30C0AA2803B7C1292A8180D65CE6DF52608890AFCFE575451EE9A2A0B746AA91374FA470168431A
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{e7f25059-e8d0-4a4d-95fb-7d3788995261}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1730185282188,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zD..1...Wm..l........j..:....1":{..jUpdate...9,"startTim..P45548...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...A8bad2467092e6ddeb0dfa9e5ea54d86d26790ca7ba2ce88d10cb4604fe726755","path":"/","na..a"taarI\|.Recure...,`.Donly..fexpiry...52884,"originA...

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 131075, last written using SQLite version 3042000, page size 512, file counter 6, database pages 8, cookie 0x4, schema 4, UTF-8, version-valid-for 6
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	2.0836444556178684
Encrypted:	false
SSDEEP:	24:JBwdh/cEUcR9PzNFPFHx/GJRBdkOrDcRB1trwDeAq2gRMyxr3:jnEUo9LXtR+JdkOnohYsl
MD5:	8B40B1534FF0F4B533AF767EB5639A05
SHA1:	63EDB539EA39AD09D701A36B535C4C087AE08CC9
SHA-256:	AF275A19A5C2C682139266065D90C237282274D11C5619A121B7BDBDB252861B
SHA-512:	54AF707698CED33C206B1B193DA414D630901762E88E37E99885A50D4D5F8DDC28367C9B401DFE251CF0552B4FA446EE28F78A97C9096AFB0F2898BFBB673B53
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\targeting.snapshot.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.033218951381489
Encrypted:	false
SSDEEP:	48:YrSAYcT6UQZpExB1+anOsW4Vh351VxWRzzc8eYMsku7f86SLAVL7if5FtsfAcbyk:yccTyTEr5QFRzzcMvbw6KkCrrc2Rn27
MD5:	5832F33ED63EDEDCC48916592610580D
SHA1:	FEE16318955FBA81C5B79E53D7812FDA7D4797BC
SHA-256:	9111B570DBF1CC7E4FB1300F9EEEC5E363D63C9C29FFA124D2211AEB93D9AE92
SHA-512:	5C7F6DBED1E17F4B5FF68E407E224808ABB4F70602E3ACF81B7938460FAA6E6EA75D2550594DB908DB6EC1F28E1D309A3756445AEDB1B07F752184004C344E55
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-10-29T07:01:03.893Z","profileAgeCreated":1696333826043,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\targeting.snapshot.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.033218951381489
Encrypted:	false
SSDEEP:	48:YrSAYcT6UQZpExB1+anOsW4Vh351VxWRzzc8eYMsku7f86SLAVL7if5FtsfAcbyk:yccTyTEr5QFRzzcMvbw6KkCrrc2Rn27
MD5:	5832F33ED63EDEDCC48916592610580D
SHA1:	FEE16318955FBA81C5B79E53D7812FDA7D4797BC
SHA-256:	9111B570DBF1CC7E4FB1300F9EEEC5E363D63C9C29FFA124D2211AEB93D9AE92
SHA-512:	5C7F6DBED1E17F4B5FF68E407E224808ABB4F70602E3ACF81B7938460FAA6E6EA75D2550594DB908DB6EC1F28E1D309A3756445AEDB1B07F752184004C344E55
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-10-29T07:01:03.893Z","profileAgeCreated":1696333826043,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.584674320083043
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	919'552 bytes
MD5:	58d65fe21880b28f30ed2e6ec0d16eae
SHA1:	978c517eaf063363c607e651317e7c09bc554659
SHA256:	53e399faf43ee7f53407cbab419be8c08e2aeda88c1e014901451598a5dcd5a7
SHA512:	50e24aa9bb98982f04e30662ac21585598377ee2f768d5dc22ec954a978862ff93dc5ce2dd38badce5874c483534f9daf8421bc67f0bc2f76d3da61faa97ad48
SSDEEP:	12288:BqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDga/Th:BqDEvCTbMWu7rQYlBQcBiT6rprG8abh
TLSH:	23159E0273D1C062FFAB92334B5AF6515BBC69260123E61F13981DB9BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x672078C4 [Tue Oct 29 05:55:16 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F4708CF2D43h
jmp 00007F4708CF264Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F4708CF282Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F4708CF27FAh
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F4708CF53EDh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F4708CF5438h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F4708CF5421h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x9c28	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xde000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x9c28	0x9e00	91acbfb11faffcf51f03b3f3ad370af7	False	0.31561511075949367	data	5.373882232923884	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xde000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0xef0	data			1.0028765690376569
RT_GROUP_ICON	0xdd6a8	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xdd720	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xdd734	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xdd748	0x14	data	English	Great Britain	1.25
RT_VERSION	0xdd75c	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xdd838	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 29, 2024 06:59:10.839696884 CET	49736	443	192.168.2.4	35.190.72.216
Oct 29, 2024 06:59:10.839726925 CET	443	49736	35.190.72.216	192.168.2.4
Oct 29, 2024 06:59:10.842216015 CET	49736	443	192.168.2.4	35.190.72.216
Oct 29, 2024 06:59:10.850064993 CET	49736	443	192.168.2.4	35.190.72.216
Oct 29, 2024 06:59:10.850085020 CET	443	49736	35.190.72.216	192.168.2.4
Oct 29, 2024 06:59:11.678318024 CET	443	49736	35.190.72.216	192.168.2.4
Oct 29, 2024 06:59:11.678402901 CET	49736	443	192.168.2.4	35.190.72.216
Oct 29, 2024 06:59:11.686216116 CET	49736	443	192.168.2.4	35.190.72.216
Oct 29, 2024 06:59:11.686223030 CET	443	49736	35.190.72.216	192.168.2.4
Oct 29, 2024 06:59:11.686347008 CET	49736	443	192.168.2.4	35.190.72.216
Oct 29, 2024 06:59:11.686526060 CET	443	49736	35.190.72.216	192.168.2.4
Oct 29, 2024 06:59:11.686630011 CET	49736	443	192.168.2.4	35.190.72.216
Oct 29, 2024 06:59:13.168585062 CET	49738	443	192.168.2.4	172.217.16.206
Oct 29, 2024 06:59:13.168617964 CET	443	49738	172.217.16.206	192.168.2.4
Oct 29, 2024 06:59:13.173240900 CET	49739	443	192.168.2.4	172.217.16.206
Oct 29, 2024 06:59:13.173274040 CET	443	49739	172.217.16.206	192.168.2.4
Oct 29, 2024 06:59:13.177117109 CET	49739	443	192.168.2.4	172.217.16.206
Oct 29, 2024 06:59:13.177141905 CET	49738	443	192.168.2.4	172.217.16.206
Oct 29, 2024 06:59:13.178553104 CET	49738	443	192.168.2.4	172.217.16.206
Oct 29, 2024 06:59:13.178569078 CET	443	49738	172.217.16.206	192.168.2.4
Oct 29, 2024 06:59:13.180006027 CET	49739	443	192.168.2.4	172.217.16.206
Oct 29, 2024 06:59:13.180021048 CET	443	49739	172.217.16.206	192.168.2.4
Oct 29, 2024 06:59:13.214875937 CET	49740	80	192.168.2.4	34.107.221.82
Oct 29, 2024 06:59:13.220169067 CET	80	49740	34.107.221.82	192.168.2.4
Oct 29, 2024 06:59:13.229769945 CET	49740	80	192.168.2.4	34.107.221.82
Oct 29, 2024 06:59:13.229964018 CET	49740	80	192.168.2.4	34.107.221.82
Oct 29, 2024 06:59:13.235560894 CET	80	49740	34.107.221.82	192.168.2.4
Oct 29, 2024 06:59:13.761811972 CET	49741	443	192.168.2.4	34.117.188.166
Oct 29, 2024 06:59:13.761833906 CET	443	49741	34.117.188.166	192.168.2.4
Oct 29, 2024 06:59:13.764189959 CET	49741	443	192.168.2.4	34.117.188.166
Oct 29, 2024 06:59:13.765688896 CET	49741	443	192.168.2.4	34.117.188.166
Oct 29, 2024 06:59:13.765702963 CET	443	49741	34.117.188.166	192.168.2.4
Oct 29, 2024 06:59:13.800995111 CET	49742	443	192.168.2.4	34.117.188.166
Oct 29, 2024 06:59:13.801054955 CET	443	49742	34.117.188.166	192.168.2.4
Oct 29, 2024 06:59:13.801470995 CET	49742	443	192.168.2.4	34.117.188.166
Oct 29, 2024 06:59:13.802840948 CET	49742	443	192.168.2.4	34.117.188.166
Oct 29, 2024 06:59:13.802894115 CET	443	49742	34.117.188.166	192.168.2.4
Oct 29, 2024 06:59:13.803141117 CET	49743	443	192.168.2.4	35.244.181.201
Oct 29, 2024 06:59:13.803169012 CET	443	49743	35.244.181.201	192.168.2.4
Oct 29, 2024 06:59:13.803586006 CET	49743	443	192.168.2.4	35.244.181.201
Oct 29, 2024 06:59:13.803720951 CET	49743	443	192.168.2.4	35.244.181.201
Oct 29, 2024 06:59:13.803741932 CET	443	49743	35.244.181.201	192.168.2.4
Oct 29, 2024 06:59:13.833723068 CET	80	49740	34.107.221.82	192.168.2.4
Oct 29, 2024 06:59:13.884655952 CET	49740	80	192.168.2.4	34.107.221.82
Oct 29, 2024 06:59:14.006911993 CET	49744	80	192.168.2.4	34.107.221.82
Oct 29, 2024 06:59:14.012440920 CET	80	49744	34.107.221.82	192.168.2.4
Oct 29, 2024 06:59:14.012523890 CET	49744	80	192.168.2.4	34.107.221.82
Oct 29, 2024 06:59:14.012680054 CET	49744	80	192.168.2.4	34.107.221.82
Oct 29, 2024 06:59:14.017920017 CET	80	49744	34.107.221.82	192.168.2.4
Oct 29, 2024 06:59:14.053469896 CET	443	49739	172.217.16.206	192.168.2.4
Oct 29, 2024 06:59:14.054465055 CET	443	49739	172.217.16.206	192.168.2.4
Oct 29, 2024 06:59:14.057013035 CET	49739	443	192.168.2.4	172.217.16.206
Oct 29, 2024 06:59:14.057025909 CET	443	49739	172.217.16.206	192.168.2.4
Oct 29, 2024 06:59:14.058491945 CET	49739	443	192.168.2.4	172.217.16.206
Oct 29, 2024 06:59:14.062345982 CET	49739	443	192.168.2.4	172.217.16.206
Oct 29, 2024 06:59:14.062361002 CET	443	49739	172.217.16.206	192.168.2.4
Oct 29, 2024 06:59:14.062444925 CET	49739	443	192.168.2.4	172.217.16.206
Oct 29, 2024 06:59:14.062562943 CET	443	49739	172.217.16.206	192.168.2.4
Oct 29, 2024 06:59:14.063318014 CET	49739	443	192.168.2.4	172.217.16.206
Oct 29, 2024 06:59:14.087486982 CET	443	49738	172.217.16.206	192.168.2.4
Oct 29, 2024 06:59:14.087524891 CET	443	49738	172.217.16.206	192.168.2.4
Oct 29, 2024 06:59:14.088198900 CET	49738	443	192.168.2.4	172.217.16.206
Oct 29, 2024 06:59:14.089087009 CET	443	49738	172.217.16.206	192.168.2.4
Oct 29, 2024 06:59:14.089257002 CET	49738	443	192.168.2.4	172.217.16.206
Oct 29, 2024 06:59:14.092525005 CET	49738	443	192.168.2.4	172.217.16.206
Oct 29, 2024 06:59:14.092533112 CET	443	49738	172.217.16.206	192.168.2.4
Oct 29, 2024 06:59:14.092641115 CET	49738	443	192.168.2.4	172.217.16.206
Oct 29, 2024 06:59:14.092802048 CET	443	49738	172.217.16.206	192.168.2.4
Oct 29, 2024 06:59:14.092988968 CET	49745	443	192.168.2.4	172.217.16.206
Oct 29, 2024 06:59:14.093009949 CET	443	49745	172.217.16.206	192.168.2.4
Oct 29, 2024 06:59:14.093082905 CET	49738	443	192.168.2.4	172.217.16.206
Oct 29, 2024 06:59:14.093111038 CET	49745	443	192.168.2.4	172.217.16.206
Oct 29, 2024 06:59:14.094674110 CET	49745	443	192.168.2.4	172.217.16.206
Oct 29, 2024 06:59:14.094690084 CET	443	49745	172.217.16.206	192.168.2.4
Oct 29, 2024 06:59:14.117279053 CET	49746	443	192.168.2.4	34.160.144.191
Oct 29, 2024 06:59:14.117304087 CET	443	49746	34.160.144.191	192.168.2.4
Oct 29, 2024 06:59:14.117362976 CET	49746	443	192.168.2.4	34.160.144.191
Oct 29, 2024 06:59:14.132200956 CET	49746	443	192.168.2.4	34.160.144.191
Oct 29, 2024 06:59:14.132215977 CET	443	49746	34.160.144.191	192.168.2.4
Oct 29, 2024 06:59:14.378897905 CET	443	49741	34.117.188.166	192.168.2.4
Oct 29, 2024 06:59:14.391341925 CET	443	49741	34.117.188.166	192.168.2.4
Oct 29, 2024 06:59:14.391376019 CET	49741	443	192.168.2.4	34.117.188.166
Oct 29, 2024 06:59:14.398297071 CET	49741	443	192.168.2.4	34.117.188.166
Oct 29, 2024 06:59:14.398313999 CET	443	49741	34.117.188.166	192.168.2.4
Oct 29, 2024 06:59:14.398420095 CET	49741	443	192.168.2.4	34.117.188.166
Oct 29, 2024 06:59:14.398468018 CET	443	49741	34.117.188.166	192.168.2.4
Oct 29, 2024 06:59:14.398801088 CET	49748	443	192.168.2.4	34.117.188.166
Oct 29, 2024 06:59:14.398844004 CET	443	49748	34.117.188.166	192.168.2.4
Oct 29, 2024 06:59:14.398964882 CET	49741	443	192.168.2.4	34.117.188.166
Oct 29, 2024 06:59:14.398988008 CET	49741	443	192.168.2.4	34.117.188.166
Oct 29, 2024 06:59:14.399027109 CET	49748	443	192.168.2.4	34.117.188.166
Oct 29, 2024 06:59:14.400552988 CET	49748	443	192.168.2.4	34.117.188.166
Oct 29, 2024 06:59:14.400567055 CET	443	49748	34.117.188.166	192.168.2.4
Oct 29, 2024 06:59:14.424932957 CET	443	49743	35.244.181.201	192.168.2.4
Oct 29, 2024 06:59:14.425304890 CET	443	49742	34.117.188.166	192.168.2.4
Oct 29, 2024 06:59:14.430242062 CET	49743	443	192.168.2.4	35.244.181.201
Oct 29, 2024 06:59:14.431350946 CET	443	49742	34.117.188.166	192.168.2.4
Oct 29, 2024 06:59:14.431385994 CET	49742	443	192.168.2.4	34.117.188.166
Oct 29, 2024 06:59:14.448333025 CET	49743	443	192.168.2.4	35.244.181.201
Oct 29, 2024 06:59:14.448376894 CET	443	49743	35.244.181.201	192.168.2.4
Oct 29, 2024 06:59:14.448574066 CET	443	49743	35.244.181.201	192.168.2.4
Oct 29, 2024 06:59:14.450454950 CET	49742	443	192.168.2.4	34.117.188.166
Oct 29, 2024 06:59:14.472290993 CET	49743	443	192.168.2.4	35.244.181.201
Oct 29, 2024 06:59:14.472385883 CET	49743	443	192.168.2.4	35.244.181.201
Oct 29, 2024 06:59:14.472455978 CET	443	49743	35.244.181.201	192.168.2.4
Oct 29, 2024 06:59:14.490991116 CET	49743	443	192.168.2.4	35.244.181.201
Oct 29, 2024 06:59:14.500623941 CET	49742	443	192.168.2.4	34.117.188.166
Oct 29, 2024 06:59:14.500653028 CET	443	49742	34.117.188.166	192.168.2.4
Oct 29, 2024 06:59:14.500740051 CET	49742	443	192.168.2.4	34.117.188.166
Oct 29, 2024 06:59:14.501163006 CET	49749	443	192.168.2.4	34.117.188.166
Oct 29, 2024 06:59:14.501200914 CET	443	49749	34.117.188.166	192.168.2.4
Oct 29, 2024 06:59:14.501255989 CET	443	49742	34.117.188.166	192.168.2.4
Oct 29, 2024 06:59:14.511188984 CET	49742	443	192.168.2.4	34.117.188.166
Oct 29, 2024 06:59:14.511236906 CET	49749	443	192.168.2.4	34.117.188.166
Oct 29, 2024 06:59:14.512834072 CET	49749	443	192.168.2.4	34.117.188.166
Oct 29, 2024 06:59:14.512855053 CET	443	49749	34.117.188.166	192.168.2.4
Oct 29, 2024 06:59:14.607667923 CET	80	49744	34.107.221.82	192.168.2.4
Oct 29, 2024 06:59:14.652354956 CET	49744	80	192.168.2.4	34.107.221.82
Oct 29, 2024 06:59:14.751101017 CET	49740	80	192.168.2.4	34.107.221.82
Oct 29, 2024 06:59:14.751147032 CET	49744	80	192.168.2.4	34.107.221.82
Oct 29, 2024 06:59:14.754018068 CET	443	49746	34.160.144.191	192.168.2.4
Oct 29, 2024 06:59:14.758730888 CET	80	49740	34.107.221.82	192.168.2.4
Oct 29, 2024 06:59:14.758759022 CET	80	49744	34.107.221.82	192.168.2.4
Oct 29, 2024 06:59:14.759351015 CET	443	49746	34.160.144.191	192.168.2.4
Oct 29, 2024 06:59:14.773329020 CET	49740	80	192.168.2.4	34.107.221.82
Oct 29, 2024 06:59:14.773350000 CET	49746	443	192.168.2.4	34.160.144.191
Oct 29, 2024 06:59:14.773391962 CET	49744	80	192.168.2.4	34.107.221.82
Oct 29, 2024 06:59:14.781397104 CET	49746	443	192.168.2.4	34.160.144.191
Oct 29, 2024 06:59:14.781407118 CET	443	49746	34.160.144.191	192.168.2.4
Oct 29, 2024 06:59:14.782274008 CET	443	49746	34.160.144.191	192.168.2.4
Oct 29, 2024 06:59:14.783421993 CET	49746	443	192.168.2.4	34.160.144.191
Oct 29, 2024 06:59:14.783572912 CET	49746	443	192.168.2.4	34.160.144.191
Oct 29, 2024 06:59:14.783797979 CET	443	49746	34.160.144.191	192.168.2.4
Oct 29, 2024 06:59:14.783931971 CET	49750	443	192.168.2.4	34.160.144.191
Oct 29, 2024 06:59:14.783953905 CET	443	49750	34.160.144.191	192.168.2.4
Oct 29, 2024 06:59:14.784015894 CET	49746	443	192.168.2.4	34.160.144.191
Oct 29, 2024 06:59:14.784015894 CET	49746	443	192.168.2.4	34.160.144.191
Oct 29, 2024 06:59:14.784615993 CET	49750	443	192.168.2.4	34.160.144.191
Oct 29, 2024 06:59:14.784852982 CET	49750	443	192.168.2.4	34.160.144.191
Oct 29, 2024 06:59:14.784862995 CET	443	49750	34.160.144.191	192.168.2.4
Oct 29, 2024 06:59:14.900002003 CET	49751	80	192.168.2.4	34.107.221.82
Oct 29, 2024 06:59:14.905551910 CET	80	49751	34.107.221.82	192.168.2.4
Oct 29, 2024 06:59:14.909687042 CET	49751	80	192.168.2.4	34.107.221.82
Oct 29, 2024 06:59:14.909898043 CET	49751	80	192.168.2.4	34.107.221.82
Oct 29, 2024 06:59:14.915283918 CET	80	49751	34.107.221.82	192.168.2.4
Oct 29, 2024 06:59:14.970257044 CET	443	49745	172.217.16.206	192.168.2.4
Oct 29, 2024 06:59:14.971251011 CET	443	49745	172.217.16.206	192.168.2.4
Oct 29, 2024 06:59:14.975184917 CET	49745	443	192.168.2.4	172.217.16.206
Oct 29, 2024 06:59:14.975203037 CET	443	49745	172.217.16.206	192.168.2.4
Oct 29, 2024 06:59:14.982733965 CET	49745	443	192.168.2.4	172.217.16.206
Oct 29, 2024 06:59:14.982750893 CET	443	49745	172.217.16.206	192.168.2.4
Oct 29, 2024 06:59:14.982841969 CET	49745	443	192.168.2.4	172.217.16.206
Oct 29, 2024 06:59:14.982929945 CET	443	49745	172.217.16.206	192.168.2.4
Oct 29, 2024 06:59:14.983297110 CET	49745	443	192.168.2.4	172.217.16.206
Oct 29, 2024 06:59:14.997876883 CET	443	49748	34.117.188.166	192.168.2.4
Oct 29, 2024 06:59:15.001029015 CET	49748	443	192.168.2.4	34.117.188.166
Oct 29, 2024 06:59:15.005059004 CET	49748	443	192.168.2.4	34.117.188.166
Oct 29, 2024 06:59:15.005074024 CET	443	49748	34.117.188.166	192.168.2.4
Oct 29, 2024 06:59:15.005116940 CET	49748	443	192.168.2.4	34.117.188.166
Oct 29, 2024 06:59:15.005235910 CET	443	49748	34.117.188.166	192.168.2.4
Oct 29, 2024 06:59:15.005976915 CET	49748	443	192.168.2.4	34.117.188.166
Oct 29, 2024 06:59:15.140080929 CET	443	49749	34.117.188.166	192.168.2.4
Oct 29, 2024 06:59:15.140098095 CET	443	49749	34.117.188.166	192.168.2.4
Oct 29, 2024 06:59:15.148271084 CET	49749	443	192.168.2.4	34.117.188.166
Oct 29, 2024 06:59:15.397634983 CET	443	49750	34.160.144.191	192.168.2.4
Oct 29, 2024 06:59:15.397706985 CET	49750	443	192.168.2.4	34.160.144.191
Oct 29, 2024 06:59:15.407989025 CET	49750	443	192.168.2.4	34.160.144.191
Oct 29, 2024 06:59:15.408004045 CET	443	49750	34.160.144.191	192.168.2.4
Oct 29, 2024 06:59:15.408727884 CET	443	49750	34.160.144.191	192.168.2.4
Oct 29, 2024 06:59:15.412158966 CET	49749	443	192.168.2.4	34.117.188.166
Oct 29, 2024 06:59:15.412187099 CET	443	49749	34.117.188.166	192.168.2.4
Oct 29, 2024 06:59:15.412240982 CET	49749	443	192.168.2.4	34.117.188.166
Oct 29, 2024 06:59:15.412339926 CET	49750	443	192.168.2.4	34.160.144.191
Oct 29, 2024 06:59:15.412390947 CET	49750	443	192.168.2.4	34.160.144.191
Oct 29, 2024 06:59:15.412739038 CET	443	49750	34.160.144.191	192.168.2.4
Oct 29, 2024 06:59:15.412756920 CET	443	49749	34.117.188.166	192.168.2.4
Oct 29, 2024 06:59:15.419672012 CET	49750	443	192.168.2.4	34.160.144.191
Oct 29, 2024 06:59:15.419702053 CET	49749	443	192.168.2.4	34.117.188.166
Oct 29, 2024 06:59:15.505482912 CET	80	49751	34.107.221.82	192.168.2.4
Oct 29, 2024 06:59:15.551774025 CET	49751	80	192.168.2.4	34.107.221.82
Oct 29, 2024 06:59:15.723167896 CET	49754	443	192.168.2.4	34.117.188.166
Oct 29, 2024 06:59:15.723237038 CET	443	49754	34.117.188.166	192.168.2.4
Oct 29, 2024 06:59:15.728101015 CET	49755	80	192.168.2.4	34.107.221.82
Oct 29, 2024 06:59:15.731688023 CET	49754	443	192.168.2.4	34.117.188.166
Oct 29, 2024 06:59:15.733182907 CET	49754	443	192.168.2.4	34.117.188.166
Oct 29, 2024 06:59:15.733217001 CET	443	49754	34.117.188.166	192.168.2.4
Oct 29, 2024 06:59:15.733599901 CET	80	49755	34.107.221.82	192.168.2.4
Oct 29, 2024 06:59:15.734124899 CET	49755	80	192.168.2.4	34.107.221.82
Oct 29, 2024 06:59:15.734286070 CET	49755	80	192.168.2.4	34.107.221.82
Oct 29, 2024 06:59:15.739638090 CET	80	49755	34.107.221.82	192.168.2.4
Oct 29, 2024 06:59:15.903915882 CET	49751	80	192.168.2.4	34.107.221.82
Oct 29, 2024 06:59:15.909473896 CET	80	49751	34.107.221.82	192.168.2.4
Oct 29, 2024 06:59:16.030961037 CET	80	49751	34.107.221.82	192.168.2.4
Oct 29, 2024 06:59:16.091017962 CET	49751	80	192.168.2.4	34.107.221.82
Oct 29, 2024 06:59:16.220397949 CET	49755	80	192.168.2.4	34.107.221.82
Oct 29, 2024 06:59:16.228611946 CET	80	49755	34.107.221.82	192.168.2.4
Oct 29, 2024 06:59:16.231494904 CET	49755	80	192.168.2.4	34.107.221.82
Oct 29, 2024 06:59:16.339648962 CET	443	49754	34.117.188.166	192.168.2.4
Oct 29, 2024 06:59:16.339660883 CET	443	49754	34.117.188.166	192.168.2.4
Oct 29, 2024 06:59:16.340033054 CET	49754	443	192.168.2.4	34.117.188.166
Oct 29, 2024 06:59:16.346932888 CET	49754	443	192.168.2.4	34.117.188.166
Oct 29, 2024 06:59:16.346946955 CET	443	49754	34.117.188.166	192.168.2.4
Oct 29, 2024 06:59:16.347079992 CET	49754	443	192.168.2.4	34.117.188.166
Oct 29, 2024 06:59:16.347100973 CET	443	49754	34.117.188.166	192.168.2.4
Oct 29, 2024 06:59:16.347575903 CET	49756	443	192.168.2.4	34.117.188.166
Oct 29, 2024 06:59:16.347595930 CET	443	49756	34.117.188.166	192.168.2.4
Oct 29, 2024 06:59:16.347636938 CET	49754	443	192.168.2.4	34.117.188.166
Oct 29, 2024 06:59:16.347831011 CET	49756	443	192.168.2.4	34.117.188.166
Oct 29, 2024 06:59:16.349761963 CET	49756	443	192.168.2.4	34.117.188.166
Oct 29, 2024 06:59:16.349769115 CET	443	49756	34.117.188.166	192.168.2.4
Oct 29, 2024 06:59:16.380053997 CET	49757	80	192.168.2.4	34.107.221.82
Oct 29, 2024 06:59:16.580750942 CET	80	49757	34.107.221.82	192.168.2.4
Oct 29, 2024 06:59:16.580835104 CET	49757	80	192.168.2.4	34.107.221.82
Oct 29, 2024 06:59:16.581018925 CET	49757	80	192.168.2.4	34.107.221.82
Oct 29, 2024 06:59:16.586285114 CET	80	49757	34.107.221.82	192.168.2.4
Oct 29, 2024 06:59:16.705677032 CET	49751	80	192.168.2.4	34.107.221.82
Oct 29, 2024 06:59:16.714025021 CET	80	49751	34.107.221.82	192.168.2.4
Oct 29, 2024 06:59:16.830208063 CET	80	49751	34.107.221.82	192.168.2.4
Oct 29, 2024 06:59:16.892350912 CET	49751	80	192.168.2.4	34.107.221.82
Oct 29, 2024 06:59:16.957758904 CET	443	49756	34.117.188.166	192.168.2.4
Oct 29, 2024 06:59:16.963326931 CET	443	49756	34.117.188.166	192.168.2.4
Oct 29, 2024 06:59:16.975390911 CET	49756	443	192.168.2.4	34.117.188.166
Oct 29, 2024 06:59:16.993979931 CET	49756	443	192.168.2.4	34.117.188.166
Oct 29, 2024 06:59:17.018299103 CET	49756	443	192.168.2.4	34.117.188.166
Oct 29, 2024 06:59:17.018306971 CET	443	49756	34.117.188.166	192.168.2.4
Oct 29, 2024 06:59:17.018408060 CET	49756	443	192.168.2.4	34.117.188.166
Oct 29, 2024 06:59:17.018449068 CET	443	49756	34.117.188.166	192.168.2.4
Oct 29, 2024 06:59:17.034554005 CET	49756	443	192.168.2.4	34.117.188.166
Oct 29, 2024 06:59:17.177587986 CET	80	49757	34.107.221.82	192.168.2.4
Oct 29, 2024 06:59:17.236622095 CET	49757	80	192.168.2.4	34.107.221.82
Oct 29, 2024 06:59:19.089176893 CET	49758	443	192.168.2.4	34.107.243.93
Oct 29, 2024 06:59:19.089227915 CET	443	49758	34.107.243.93	192.168.2.4
Oct 29, 2024 06:59:19.091022968 CET	49758	443	192.168.2.4	34.107.243.93
Oct 29, 2024 06:59:19.092240095 CET	49758	443	192.168.2.4	34.107.243.93
Oct 29, 2024 06:59:19.092272043 CET	443	49758	34.107.243.93	192.168.2.4
Oct 29, 2024 06:59:19.135020971 CET	49757	80	192.168.2.4	34.107.221.82
Oct 29, 2024 06:59:19.136518002 CET	49751	80	192.168.2.4	34.107.221.82
Oct 29, 2024 06:59:19.141258001 CET	80	49757	34.107.221.82	192.168.2.4
Oct 29, 2024 06:59:19.143088102 CET	80	49751	34.107.221.82	192.168.2.4
Oct 29, 2024 06:59:19.150563955 CET	49759	443	192.168.2.4	34.120.208.123
Oct 29, 2024 06:59:19.150607109 CET	443	49759	34.120.208.123	192.168.2.4
Oct 29, 2024 06:59:19.153739929 CET	49759	443	192.168.2.4	34.120.208.123
Oct 29, 2024 06:59:19.155123949 CET	49759	443	192.168.2.4	34.120.208.123
Oct 29, 2024 06:59:19.155148983 CET	443	49759	34.120.208.123	192.168.2.4
Oct 29, 2024 06:59:19.260624886 CET	80	49757	34.107.221.82	192.168.2.4
Oct 29, 2024 06:59:19.262348890 CET	80	49751	34.107.221.82	192.168.2.4
Oct 29, 2024 06:59:19.305444956 CET	49757	80	192.168.2.4	34.107.221.82
Oct 29, 2024 06:59:19.306022882 CET	49751	80	192.168.2.4	34.107.221.82
Oct 29, 2024 06:59:19.708651066 CET	443	49758	34.107.243.93	192.168.2.4
Oct 29, 2024 06:59:19.719348907 CET	443	49758	34.107.243.93	192.168.2.4
Oct 29, 2024 06:59:19.720603943 CET	49758	443	192.168.2.4	34.107.243.93
Oct 29, 2024 06:59:19.776246071 CET	443	49759	34.120.208.123	192.168.2.4
Oct 29, 2024 06:59:19.777923107 CET	49759	443	192.168.2.4	34.120.208.123
Oct 29, 2024 06:59:20.488671064 CET	49760	443	192.168.2.4	35.244.181.201
Oct 29, 2024 06:59:20.488706112 CET	443	49760	35.244.181.201	192.168.2.4
Oct 29, 2024 06:59:20.491010904 CET	49758	443	192.168.2.4	34.107.243.93
Oct 29, 2024 06:59:20.491082907 CET	443	49758	34.107.243.93	192.168.2.4
Oct 29, 2024 06:59:20.491117954 CET	49758	443	192.168.2.4	34.107.243.93
Oct 29, 2024 06:59:20.491221905 CET	49759	443	192.168.2.4	34.120.208.123
Oct 29, 2024 06:59:20.491251945 CET	443	49759	34.120.208.123	192.168.2.4
Oct 29, 2024 06:59:20.491297960 CET	49759	443	192.168.2.4	34.120.208.123
Oct 29, 2024 06:59:20.491426945 CET	443	49758	34.107.243.93	192.168.2.4
Oct 29, 2024 06:59:20.491839886 CET	443	49759	34.120.208.123	192.168.2.4
Oct 29, 2024 06:59:20.492822886 CET	49758	443	192.168.2.4	34.107.243.93
Oct 29, 2024 06:59:20.492836952 CET	49760	443	192.168.2.4	35.244.181.201
Oct 29, 2024 06:59:20.492865086 CET	49759	443	192.168.2.4	34.120.208.123
Oct 29, 2024 06:59:20.492993116 CET	49760	443	192.168.2.4	35.244.181.201
Oct 29, 2024 06:59:20.493016005 CET	443	49760	35.244.181.201	192.168.2.4
Oct 29, 2024 06:59:20.520438910 CET	49761	443	192.168.2.4	34.149.100.209
Oct 29, 2024 06:59:20.520472050 CET	443	49761	34.149.100.209	192.168.2.4
Oct 29, 2024 06:59:20.523370981 CET	49761	443	192.168.2.4	34.149.100.209
Oct 29, 2024 06:59:20.524786949 CET	49761	443	192.168.2.4	34.149.100.209
Oct 29, 2024 06:59:20.524806023 CET	443	49761	34.149.100.209	192.168.2.4
Oct 29, 2024 06:59:21.809565067 CET	443	49760	35.244.181.201	192.168.2.4
Oct 29, 2024 06:59:21.809647083 CET	49760	443	192.168.2.4	35.244.181.201
Oct 29, 2024 06:59:21.812271118 CET	49760	443	192.168.2.4	35.244.181.201
Oct 29, 2024 06:59:21.812283039 CET	443	49760	35.244.181.201	192.168.2.4
Oct 29, 2024 06:59:21.812607050 CET	443	49760	35.244.181.201	192.168.2.4
Oct 29, 2024 06:59:21.814383984 CET	49760	443	192.168.2.4	35.244.181.201
Oct 29, 2024 06:59:21.814459085 CET	49760	443	192.168.2.4	35.244.181.201
Oct 29, 2024 06:59:21.814543962 CET	443	49760	35.244.181.201	192.168.2.4
Oct 29, 2024 06:59:21.814749956 CET	49760	443	192.168.2.4	35.244.181.201
Oct 29, 2024 06:59:21.815047026 CET	49760	443	192.168.2.4	35.244.181.201
Oct 29, 2024 06:59:21.823726892 CET	443	49761	34.149.100.209	192.168.2.4
Oct 29, 2024 06:59:21.823987961 CET	49761	443	192.168.2.4	34.149.100.209
Oct 29, 2024 06:59:21.828265905 CET	49761	443	192.168.2.4	34.149.100.209
Oct 29, 2024 06:59:21.828274965 CET	443	49761	34.149.100.209	192.168.2.4
Oct 29, 2024 06:59:21.828345060 CET	49761	443	192.168.2.4	34.149.100.209
Oct 29, 2024 06:59:21.828538895 CET	443	49761	34.149.100.209	192.168.2.4
Oct 29, 2024 06:59:21.829699039 CET	49761	443	192.168.2.4	34.149.100.209
Oct 29, 2024 06:59:24.142841101 CET	49765	443	192.168.2.4	34.149.100.209
Oct 29, 2024 06:59:24.142869949 CET	443	49765	34.149.100.209	192.168.2.4
Oct 29, 2024 06:59:24.142937899 CET	49765	443	192.168.2.4	34.149.100.209
Oct 29, 2024 06:59:24.144356012 CET	49765	443	192.168.2.4	34.149.100.209
Oct 29, 2024 06:59:24.144370079 CET	443	49765	34.149.100.209	192.168.2.4
Oct 29, 2024 06:59:24.261760950 CET	49757	80	192.168.2.4	34.107.221.82
Oct 29, 2024 06:59:24.267255068 CET	80	49757	34.107.221.82	192.168.2.4
Oct 29, 2024 06:59:24.336673021 CET	49751	80	192.168.2.4	34.107.221.82
Oct 29, 2024 06:59:24.555867910 CET	80	49757	34.107.221.82	192.168.2.4
Oct 29, 2024 06:59:24.557398081 CET	80	49751	34.107.221.82	192.168.2.4
Oct 29, 2024 06:59:24.562791109 CET	49766	443	192.168.2.4	34.120.208.123
Oct 29, 2024 06:59:24.562808037 CET	443	49766	34.120.208.123	192.168.2.4
Oct 29, 2024 06:59:24.563195944 CET	49766	443	192.168.2.4	34.120.208.123
Oct 29, 2024 06:59:24.564754009 CET	49766	443	192.168.2.4	34.120.208.123
Oct 29, 2024 06:59:24.564769030 CET	443	49766	34.120.208.123	192.168.2.4
Oct 29, 2024 06:59:24.608252048 CET	49757	80	192.168.2.4	34.107.221.82
Oct 29, 2024 06:59:24.611802101 CET	80	49757	34.107.221.82	192.168.2.4
Oct 29, 2024 06:59:24.612756968 CET	49757	80	192.168.2.4	34.107.221.82
Oct 29, 2024 06:59:24.676299095 CET	80	49751	34.107.221.82	192.168.2.4
Oct 29, 2024 06:59:24.724234104 CET	49751	80	192.168.2.4	34.107.221.82
Oct 29, 2024 06:59:24.741475105 CET	49757	80	192.168.2.4	34.107.221.82
Oct 29, 2024 06:59:24.747529984 CET	80	49757	34.107.221.82	192.168.2.4
Oct 29, 2024 06:59:24.770014048 CET	443	49765	34.149.100.209	192.168.2.4
Oct 29, 2024 06:59:24.770207882 CET	49765	443	192.168.2.4	34.149.100.209
Oct 29, 2024 06:59:24.773834944 CET	49765	443	192.168.2.4	34.149.100.209
Oct 29, 2024 06:59:24.773843050 CET	443	49765	34.149.100.209	192.168.2.4
Oct 29, 2024 06:59:24.773907900 CET	49765	443	192.168.2.4	34.149.100.209
Oct 29, 2024 06:59:24.774202108 CET	443	49765	34.149.100.209	192.168.2.4
Oct 29, 2024 06:59:24.777540922 CET	49765	443	192.168.2.4	34.149.100.209
Oct 29, 2024 06:59:24.878912926 CET	80	49757	34.107.221.82	192.168.2.4
Oct 29, 2024 06:59:24.924679995 CET	49757	80	192.168.2.4	34.107.221.82
Oct 29, 2024 06:59:25.159508944 CET	49751	80	192.168.2.4	34.107.221.82
Oct 29, 2024 06:59:25.163593054 CET	443	49766	34.120.208.123	192.168.2.4
Oct 29, 2024 06:59:25.164714098 CET	49766	443	192.168.2.4	34.120.208.123
Oct 29, 2024 06:59:25.165007114 CET	80	49751	34.107.221.82	192.168.2.4
Oct 29, 2024 06:59:25.258697033 CET	49766	443	192.168.2.4	34.120.208.123
Oct 29, 2024 06:59:25.258721113 CET	443	49766	34.120.208.123	192.168.2.4
Oct 29, 2024 06:59:25.258778095 CET	49766	443	192.168.2.4	34.120.208.123
Oct 29, 2024 06:59:25.258856058 CET	443	49766	34.120.208.123	192.168.2.4
Oct 29, 2024 06:59:25.258955956 CET	49766	443	192.168.2.4	34.120.208.123
Oct 29, 2024 06:59:25.284840107 CET	80	49751	34.107.221.82	192.168.2.4
Oct 29, 2024 06:59:25.325885057 CET	49751	80	192.168.2.4	34.107.221.82
Oct 29, 2024 06:59:25.800055981 CET	49757	80	192.168.2.4	34.107.221.82
Oct 29, 2024 06:59:25.805408001 CET	80	49757	34.107.221.82	192.168.2.4
Oct 29, 2024 06:59:25.925036907 CET	80	49757	34.107.221.82	192.168.2.4
Oct 29, 2024 06:59:25.965491056 CET	49757	80	192.168.2.4	34.107.221.82
Oct 29, 2024 06:59:27.145348072 CET	49751	80	192.168.2.4	34.107.221.82
Oct 29, 2024 06:59:27.146744013 CET	49770	443	192.168.2.4	34.120.208.123
Oct 29, 2024 06:59:27.146770954 CET	443	49770	34.120.208.123	192.168.2.4
Oct 29, 2024 06:59:27.147727966 CET	49770	443	192.168.2.4	34.120.208.123
Oct 29, 2024 06:59:27.149151087 CET	49770	443	192.168.2.4	34.120.208.123
Oct 29, 2024 06:59:27.149166107 CET	443	49770	34.120.208.123	192.168.2.4
Oct 29, 2024 06:59:27.150712967 CET	80	49751	34.107.221.82	192.168.2.4
Oct 29, 2024 06:59:27.270028114 CET	80	49751	34.107.221.82	192.168.2.4
Oct 29, 2024 06:59:27.316189051 CET	49751	80	192.168.2.4	34.107.221.82
Oct 29, 2024 06:59:27.501091957 CET	49757	80	192.168.2.4	34.107.221.82
Oct 29, 2024 06:59:27.502973080 CET	49771	443	192.168.2.4	34.120.208.123
Oct 29, 2024 06:59:27.503045082 CET	443	49771	34.120.208.123	192.168.2.4
Oct 29, 2024 06:59:27.503318071 CET	49772	443	192.168.2.4	34.120.208.123
Oct 29, 2024 06:59:27.503336906 CET	443	49772	34.120.208.123	192.168.2.4
Oct 29, 2024 06:59:27.503602982 CET	49771	443	192.168.2.4	34.120.208.123
Oct 29, 2024 06:59:27.503681898 CET	49772	443	192.168.2.4	34.120.208.123
Oct 29, 2024 06:59:27.503743887 CET	49771	443	192.168.2.4	34.120.208.123
Oct 29, 2024 06:59:27.503752947 CET	443	49771	34.120.208.123	192.168.2.4
Oct 29, 2024 06:59:27.503843069 CET	49772	443	192.168.2.4	34.120.208.123
Oct 29, 2024 06:59:27.503855944 CET	443	49772	34.120.208.123	192.168.2.4
Oct 29, 2024 06:59:27.506433964 CET	80	49757	34.107.221.82	192.168.2.4
Oct 29, 2024 06:59:27.626069069 CET	80	49757	34.107.221.82	192.168.2.4
Oct 29, 2024 06:59:27.670527935 CET	49757	80	192.168.2.4	34.107.221.82
Oct 29, 2024 06:59:27.770442963 CET	443	49770	34.120.208.123	192.168.2.4
Oct 29, 2024 06:59:27.770592928 CET	49770	443	192.168.2.4	34.120.208.123
Oct 29, 2024 06:59:27.973923922 CET	49770	443	192.168.2.4	34.120.208.123
Oct 29, 2024 06:59:27.973947048 CET	443	49770	34.120.208.123	192.168.2.4
Oct 29, 2024 06:59:27.974045992 CET	49770	443	192.168.2.4	34.120.208.123
Oct 29, 2024 06:59:27.974124908 CET	443	49770	34.120.208.123	192.168.2.4
Oct 29, 2024 06:59:27.975851059 CET	49770	443	192.168.2.4	34.120.208.123
Oct 29, 2024 06:59:27.976639986 CET	49751	80	192.168.2.4	34.107.221.82
Oct 29, 2024 06:59:27.982218981 CET	80	49751	34.107.221.82	192.168.2.4
Oct 29, 2024 06:59:28.101470947 CET	80	49751	34.107.221.82	192.168.2.4
Oct 29, 2024 06:59:28.118043900 CET	443	49772	34.120.208.123	192.168.2.4
Oct 29, 2024 06:59:28.118113041 CET	49772	443	192.168.2.4	34.120.208.123
Oct 29, 2024 06:59:28.127010107 CET	443	49771	34.120.208.123	192.168.2.4
Oct 29, 2024 06:59:28.134448051 CET	49771	443	192.168.2.4	34.120.208.123
Oct 29, 2024 06:59:28.156397104 CET	49751	80	192.168.2.4	34.107.221.82
Oct 29, 2024 06:59:29.462392092 CET	49772	443	192.168.2.4	34.120.208.123
Oct 29, 2024 06:59:29.462405920 CET	443	49772	34.120.208.123	192.168.2.4
Oct 29, 2024 06:59:29.462658882 CET	443	49772	34.120.208.123	192.168.2.4
Oct 29, 2024 06:59:29.466548920 CET	49771	443	192.168.2.4	34.120.208.123
Oct 29, 2024 06:59:29.466620922 CET	443	49771	34.120.208.123	192.168.2.4
Oct 29, 2024 06:59:29.466856956 CET	49757	80	192.168.2.4	34.107.221.82
Oct 29, 2024 06:59:29.466897964 CET	443	49771	34.120.208.123	192.168.2.4
Oct 29, 2024 06:59:29.469661951 CET	49772	443	192.168.2.4	34.120.208.123
Oct 29, 2024 06:59:29.469743013 CET	49772	443	192.168.2.4	34.120.208.123
Oct 29, 2024 06:59:29.469827890 CET	443	49772	34.120.208.123	192.168.2.4
Oct 29, 2024 06:59:29.469830036 CET	49771	443	192.168.2.4	34.120.208.123
Oct 29, 2024 06:59:29.469882011 CET	49771	443	192.168.2.4	34.120.208.123
Oct 29, 2024 06:59:29.469999075 CET	443	49771	34.120.208.123	192.168.2.4
Oct 29, 2024 06:59:29.471452951 CET	49772	443	192.168.2.4	34.120.208.123
Oct 29, 2024 06:59:29.471462965 CET	49771	443	192.168.2.4	34.120.208.123
Oct 29, 2024 06:59:29.471477985 CET	49772	443	192.168.2.4	34.120.208.123
Oct 29, 2024 06:59:29.471507072 CET	49771	443	192.168.2.4	34.120.208.123
Oct 29, 2024 06:59:29.472203016 CET	80	49757	34.107.221.82	192.168.2.4
Oct 29, 2024 06:59:29.591825008 CET	80	49757	34.107.221.82	192.168.2.4
Oct 29, 2024 06:59:29.633178949 CET	49757	80	192.168.2.4	34.107.221.82
Oct 29, 2024 06:59:30.196842909 CET	49751	80	192.168.2.4	34.107.221.82
Oct 29, 2024 06:59:30.202303886 CET	80	49751	34.107.221.82	192.168.2.4
Oct 29, 2024 06:59:30.207221031 CET	49773	443	192.168.2.4	34.107.243.93
Oct 29, 2024 06:59:30.207247019 CET	443	49773	34.107.243.93	192.168.2.4
Oct 29, 2024 06:59:30.220748901 CET	49773	443	192.168.2.4	34.107.243.93
Oct 29, 2024 06:59:30.222198009 CET	49773	443	192.168.2.4	34.107.243.93
Oct 29, 2024 06:59:30.222208977 CET	443	49773	34.107.243.93	192.168.2.4
Oct 29, 2024 06:59:30.321646929 CET	80	49751	34.107.221.82	192.168.2.4
Oct 29, 2024 06:59:30.324577093 CET	49757	80	192.168.2.4	34.107.221.82
Oct 29, 2024 06:59:30.329989910 CET	80	49757	34.107.221.82	192.168.2.4
Oct 29, 2024 06:59:30.374305964 CET	49751	80	192.168.2.4	34.107.221.82
Oct 29, 2024 06:59:30.449888945 CET	80	49757	34.107.221.82	192.168.2.4
Oct 29, 2024 06:59:30.490226030 CET	49757	80	192.168.2.4	34.107.221.82
Oct 29, 2024 06:59:30.827970028 CET	443	49773	34.107.243.93	192.168.2.4
Oct 29, 2024 06:59:30.827984095 CET	443	49773	34.107.243.93	192.168.2.4
Oct 29, 2024 06:59:30.828061104 CET	49773	443	192.168.2.4	34.107.243.93
Oct 29, 2024 06:59:30.833492041 CET	49773	443	192.168.2.4	34.107.243.93
Oct 29, 2024 06:59:30.833498955 CET	443	49773	34.107.243.93	192.168.2.4
Oct 29, 2024 06:59:30.833574057 CET	49773	443	192.168.2.4	34.107.243.93
Oct 29, 2024 06:59:30.833642960 CET	443	49773	34.107.243.93	192.168.2.4
Oct 29, 2024 06:59:30.834602118 CET	49773	443	192.168.2.4	34.107.243.93
Oct 29, 2024 06:59:30.836450100 CET	49751	80	192.168.2.4	34.107.221.82
Oct 29, 2024 06:59:30.841809034 CET	80	49751	34.107.221.82	192.168.2.4
Oct 29, 2024 06:59:30.960973978 CET	80	49751	34.107.221.82	192.168.2.4
Oct 29, 2024 06:59:30.964257956 CET	49757	80	192.168.2.4	34.107.221.82
Oct 29, 2024 06:59:30.969661951 CET	80	49757	34.107.221.82	192.168.2.4
Oct 29, 2024 06:59:31.007311106 CET	49751	80	192.168.2.4	34.107.221.82
Oct 29, 2024 06:59:31.089454889 CET	80	49757	34.107.221.82	192.168.2.4
Oct 29, 2024 06:59:31.134953022 CET	49757	80	192.168.2.4	34.107.221.82
Oct 29, 2024 06:59:39.751174927 CET	49774	443	192.168.2.4	35.244.181.201
Oct 29, 2024 06:59:39.751189947 CET	443	49774	35.244.181.201	192.168.2.4
Oct 29, 2024 06:59:39.754564047 CET	49774	443	192.168.2.4	35.244.181.201
Oct 29, 2024 06:59:39.754760981 CET	49774	443	192.168.2.4	35.244.181.201
Oct 29, 2024 06:59:39.754781008 CET	443	49774	35.244.181.201	192.168.2.4
Oct 29, 2024 06:59:39.777057886 CET	49775	443	192.168.2.4	34.149.100.209
Oct 29, 2024 06:59:39.777085066 CET	443	49775	34.149.100.209	192.168.2.4
Oct 29, 2024 06:59:39.777328968 CET	49775	443	192.168.2.4	34.149.100.209
Oct 29, 2024 06:59:39.777518034 CET	49775	443	192.168.2.4	34.149.100.209
Oct 29, 2024 06:59:39.777532101 CET	443	49775	34.149.100.209	192.168.2.4
Oct 29, 2024 06:59:39.783767939 CET	49776	443	192.168.2.4	151.101.1.91
Oct 29, 2024 06:59:39.783798933 CET	443	49776	151.101.1.91	192.168.2.4
Oct 29, 2024 06:59:39.784234047 CET	49776	443	192.168.2.4	151.101.1.91
Oct 29, 2024 06:59:39.784485102 CET	49776	443	192.168.2.4	151.101.1.91
Oct 29, 2024 06:59:39.784501076 CET	443	49776	151.101.1.91	192.168.2.4
Oct 29, 2024 06:59:39.796567917 CET	49777	443	192.168.2.4	35.190.72.216
Oct 29, 2024 06:59:39.796613932 CET	443	49777	35.190.72.216	192.168.2.4
Oct 29, 2024 06:59:39.804084063 CET	49777	443	192.168.2.4	35.190.72.216
Oct 29, 2024 06:59:39.810981035 CET	49777	443	192.168.2.4	35.190.72.216
Oct 29, 2024 06:59:39.810993910 CET	443	49777	35.190.72.216	192.168.2.4
Oct 29, 2024 06:59:39.816186905 CET	49778	443	192.168.2.4	35.201.103.21
Oct 29, 2024 06:59:39.816207886 CET	443	49778	35.201.103.21	192.168.2.4
Oct 29, 2024 06:59:39.824955940 CET	49778	443	192.168.2.4	35.201.103.21
Oct 29, 2024 06:59:39.826405048 CET	49778	443	192.168.2.4	35.201.103.21
Oct 29, 2024 06:59:39.826415062 CET	443	49778	35.201.103.21	192.168.2.4
Oct 29, 2024 06:59:40.358964920 CET	443	49774	35.244.181.201	192.168.2.4
Oct 29, 2024 06:59:40.359055042 CET	49774	443	192.168.2.4	35.244.181.201
Oct 29, 2024 06:59:40.362312078 CET	49774	443	192.168.2.4	35.244.181.201
Oct 29, 2024 06:59:40.362318993 CET	443	49774	35.244.181.201	192.168.2.4
Oct 29, 2024 06:59:40.362517118 CET	443	49774	35.244.181.201	192.168.2.4
Oct 29, 2024 06:59:40.364805937 CET	49774	443	192.168.2.4	35.244.181.201
Oct 29, 2024 06:59:40.364902020 CET	49774	443	192.168.2.4	35.244.181.201
Oct 29, 2024 06:59:40.364948034 CET	443	49774	35.244.181.201	192.168.2.4
Oct 29, 2024 06:59:40.365355015 CET	49774	443	192.168.2.4	35.244.181.201
Oct 29, 2024 06:59:40.368743896 CET	49751	80	192.168.2.4	34.107.221.82
Oct 29, 2024 06:59:40.375118971 CET	80	49751	34.107.221.82	192.168.2.4
Oct 29, 2024 06:59:40.391155958 CET	443	49776	151.101.1.91	192.168.2.4
Oct 29, 2024 06:59:40.391243935 CET	49776	443	192.168.2.4	151.101.1.91
Oct 29, 2024 06:59:40.394234896 CET	49776	443	192.168.2.4	151.101.1.91
Oct 29, 2024 06:59:40.394246101 CET	443	49776	151.101.1.91	192.168.2.4
Oct 29, 2024 06:59:40.394459009 CET	443	49776	151.101.1.91	192.168.2.4
Oct 29, 2024 06:59:40.396558046 CET	49776	443	192.168.2.4	151.101.1.91
Oct 29, 2024 06:59:40.396651030 CET	49776	443	192.168.2.4	151.101.1.91
Oct 29, 2024 06:59:40.396689892 CET	443	49776	151.101.1.91	192.168.2.4
Oct 29, 2024 06:59:40.398541927 CET	443	49775	34.149.100.209	192.168.2.4
Oct 29, 2024 06:59:40.404192924 CET	49779	443	192.168.2.4	35.244.181.201
Oct 29, 2024 06:59:40.404226065 CET	443	49779	35.244.181.201	192.168.2.4
Oct 29, 2024 06:59:40.405458927 CET	49780	443	192.168.2.4	35.244.181.201
Oct 29, 2024 06:59:40.405481100 CET	443	49780	35.244.181.201	192.168.2.4
Oct 29, 2024 06:59:40.406064034 CET	49776	443	192.168.2.4	151.101.1.91
Oct 29, 2024 06:59:40.406105995 CET	49775	443	192.168.2.4	34.149.100.209
Oct 29, 2024 06:59:40.406161070 CET	49779	443	192.168.2.4	35.244.181.201
Oct 29, 2024 06:59:40.406215906 CET	49780	443	192.168.2.4	35.244.181.201
Oct 29, 2024 06:59:40.409123898 CET	49775	443	192.168.2.4	34.149.100.209
Oct 29, 2024 06:59:40.409137011 CET	443	49775	34.149.100.209	192.168.2.4
Oct 29, 2024 06:59:40.409471035 CET	49779	443	192.168.2.4	35.244.181.201
Oct 29, 2024 06:59:40.409485102 CET	443	49779	35.244.181.201	192.168.2.4
Oct 29, 2024 06:59:40.409585953 CET	49780	443	192.168.2.4	35.244.181.201
Oct 29, 2024 06:59:40.409595013 CET	443	49780	35.244.181.201	192.168.2.4
Oct 29, 2024 06:59:40.409888029 CET	443	49775	34.149.100.209	192.168.2.4
Oct 29, 2024 06:59:40.411528111 CET	49781	443	192.168.2.4	35.244.181.201
Oct 29, 2024 06:59:40.411552906 CET	443	49781	35.244.181.201	192.168.2.4
Oct 29, 2024 06:59:40.412350893 CET	49781	443	192.168.2.4	35.244.181.201
Oct 29, 2024 06:59:40.412529945 CET	49781	443	192.168.2.4	35.244.181.201
Oct 29, 2024 06:59:40.412544966 CET	443	49781	35.244.181.201	192.168.2.4
Oct 29, 2024 06:59:40.413366079 CET	49775	443	192.168.2.4	34.149.100.209
Oct 29, 2024 06:59:40.413470030 CET	49775	443	192.168.2.4	34.149.100.209
Oct 29, 2024 06:59:40.413753986 CET	443	49775	34.149.100.209	192.168.2.4
Oct 29, 2024 06:59:40.413892984 CET	49775	443	192.168.2.4	34.149.100.209
Oct 29, 2024 06:59:40.418775082 CET	443	49777	35.190.72.216	192.168.2.4
Oct 29, 2024 06:59:40.418792009 CET	443	49777	35.190.72.216	192.168.2.4
Oct 29, 2024 06:59:40.418859959 CET	49777	443	192.168.2.4	35.190.72.216
Oct 29, 2024 06:59:40.423182011 CET	49777	443	192.168.2.4	35.190.72.216
Oct 29, 2024 06:59:40.423196077 CET	443	49777	35.190.72.216	192.168.2.4
Oct 29, 2024 06:59:40.423274040 CET	49777	443	192.168.2.4	35.190.72.216
Oct 29, 2024 06:59:40.423401117 CET	443	49777	35.190.72.216	192.168.2.4
Oct 29, 2024 06:59:40.423743010 CET	49777	443	192.168.2.4	35.190.72.216
Oct 29, 2024 06:59:40.494932890 CET	80	49751	34.107.221.82	192.168.2.4
Oct 29, 2024 06:59:40.498316050 CET	49757	80	192.168.2.4	34.107.221.82
Oct 29, 2024 06:59:40.503751993 CET	80	49757	34.107.221.82	192.168.2.4
Oct 29, 2024 06:59:40.542747021 CET	49751	80	192.168.2.4	34.107.221.82
Oct 29, 2024 06:59:40.623719931 CET	80	49757	34.107.221.82	192.168.2.4
Oct 29, 2024 06:59:40.652302027 CET	443	49778	35.201.103.21	192.168.2.4
Oct 29, 2024 06:59:40.652314901 CET	443	49778	35.201.103.21	192.168.2.4
Oct 29, 2024 06:59:40.657085896 CET	49778	443	192.168.2.4	35.201.103.21
Oct 29, 2024 06:59:40.665201902 CET	49757	80	192.168.2.4	34.107.221.82
Oct 29, 2024 06:59:40.666418076 CET	49778	443	192.168.2.4	35.201.103.21
Oct 29, 2024 06:59:40.666423082 CET	443	49778	35.201.103.21	192.168.2.4
Oct 29, 2024 06:59:40.666524887 CET	49778	443	192.168.2.4	35.201.103.21
Oct 29, 2024 06:59:40.666539907 CET	443	49778	35.201.103.21	192.168.2.4
Oct 29, 2024 06:59:40.666686058 CET	49778	443	192.168.2.4	35.201.103.21
Oct 29, 2024 06:59:40.669667959 CET	49751	80	192.168.2.4	34.107.221.82
Oct 29, 2024 06:59:40.675015926 CET	80	49751	34.107.221.82	192.168.2.4
Oct 29, 2024 06:59:40.678935051 CET	49782	443	192.168.2.4	34.149.100.209
Oct 29, 2024 06:59:40.678955078 CET	443	49782	34.149.100.209	192.168.2.4
Oct 29, 2024 06:59:40.679023027 CET	49782	443	192.168.2.4	34.149.100.209
Oct 29, 2024 06:59:40.679209948 CET	49782	443	192.168.2.4	34.149.100.209
Oct 29, 2024 06:59:40.679223061 CET	443	49782	34.149.100.209	192.168.2.4
Oct 29, 2024 06:59:40.794207096 CET	80	49751	34.107.221.82	192.168.2.4
Oct 29, 2024 06:59:40.796875954 CET	49757	80	192.168.2.4	34.107.221.82
Oct 29, 2024 06:59:40.802273035 CET	80	49757	34.107.221.82	192.168.2.4
Oct 29, 2024 06:59:40.843521118 CET	49751	80	192.168.2.4	34.107.221.82
Oct 29, 2024 06:59:40.870527029 CET	49783	443	192.168.2.4	34.107.243.93
Oct 29, 2024 06:59:40.870556116 CET	443	49783	34.107.243.93	192.168.2.4
Oct 29, 2024 06:59:40.871228933 CET	49783	443	192.168.2.4	34.107.243.93
Oct 29, 2024 06:59:40.872694969 CET	49783	443	192.168.2.4	34.107.243.93
Oct 29, 2024 06:59:40.872706890 CET	443	49783	34.107.243.93	192.168.2.4
Oct 29, 2024 06:59:40.922087908 CET	80	49757	34.107.221.82	192.168.2.4
Oct 29, 2024 06:59:40.966005087 CET	49757	80	192.168.2.4	34.107.221.82
Oct 29, 2024 06:59:41.007253885 CET	443	49779	35.244.181.201	192.168.2.4
Oct 29, 2024 06:59:41.007333994 CET	49779	443	192.168.2.4	35.244.181.201
Oct 29, 2024 06:59:41.010555029 CET	49779	443	192.168.2.4	35.244.181.201
Oct 29, 2024 06:59:41.010565042 CET	443	49779	35.244.181.201	192.168.2.4
Oct 29, 2024 06:59:41.010854006 CET	443	49779	35.244.181.201	192.168.2.4
Oct 29, 2024 06:59:41.013689995 CET	49779	443	192.168.2.4	35.244.181.201
Oct 29, 2024 06:59:41.013689995 CET	49779	443	192.168.2.4	35.244.181.201
Oct 29, 2024 06:59:41.013889074 CET	443	49779	35.244.181.201	192.168.2.4
Oct 29, 2024 06:59:41.017659903 CET	49751	80	192.168.2.4	34.107.221.82
Oct 29, 2024 06:59:41.018023014 CET	443	49780	35.244.181.201	192.168.2.4
Oct 29, 2024 06:59:41.018534899 CET	49779	443	192.168.2.4	35.244.181.201
Oct 29, 2024 06:59:41.018848896 CET	49780	443	192.168.2.4	35.244.181.201
Oct 29, 2024 06:59:41.021171093 CET	49780	443	192.168.2.4	35.244.181.201
Oct 29, 2024 06:59:41.021177053 CET	443	49780	35.244.181.201	192.168.2.4
Oct 29, 2024 06:59:41.021365881 CET	443	49780	35.244.181.201	192.168.2.4
Oct 29, 2024 06:59:41.023732901 CET	80	49751	34.107.221.82	192.168.2.4
Oct 29, 2024 06:59:41.024189949 CET	49780	443	192.168.2.4	35.244.181.201
Oct 29, 2024 06:59:41.024255037 CET	49780	443	192.168.2.4	35.244.181.201
Oct 29, 2024 06:59:41.024326086 CET	443	49780	35.244.181.201	192.168.2.4
Oct 29, 2024 06:59:41.026667118 CET	49780	443	192.168.2.4	35.244.181.201
Oct 29, 2024 06:59:41.035355091 CET	443	49781	35.244.181.201	192.168.2.4
Oct 29, 2024 06:59:41.035578012 CET	49781	443	192.168.2.4	35.244.181.201
Oct 29, 2024 06:59:41.038196087 CET	49781	443	192.168.2.4	35.244.181.201
Oct 29, 2024 06:59:41.038212061 CET	443	49781	35.244.181.201	192.168.2.4
Oct 29, 2024 06:59:41.038418055 CET	443	49781	35.244.181.201	192.168.2.4
Oct 29, 2024 06:59:41.041012049 CET	49781	443	192.168.2.4	35.244.181.201
Oct 29, 2024 06:59:41.041042089 CET	49781	443	192.168.2.4	35.244.181.201
Oct 29, 2024 06:59:41.041137934 CET	443	49781	35.244.181.201	192.168.2.4
Oct 29, 2024 06:59:41.041302919 CET	49781	443	192.168.2.4	35.244.181.201
Oct 29, 2024 06:59:41.142085075 CET	80	49751	34.107.221.82	192.168.2.4
Oct 29, 2024 06:59:41.146680117 CET	49757	80	192.168.2.4	34.107.221.82
Oct 29, 2024 06:59:41.153947115 CET	80	49757	34.107.221.82	192.168.2.4
Oct 29, 2024 06:59:41.197818041 CET	49751	80	192.168.2.4	34.107.221.82
Oct 29, 2024 06:59:41.273619890 CET	80	49757	34.107.221.82	192.168.2.4
Oct 29, 2024 06:59:41.300183058 CET	443	49782	34.149.100.209	192.168.2.4
Oct 29, 2024 06:59:41.300283909 CET	49782	443	192.168.2.4	34.149.100.209
Oct 29, 2024 06:59:41.307159901 CET	49782	443	192.168.2.4	34.149.100.209
Oct 29, 2024 06:59:41.307168961 CET	443	49782	34.149.100.209	192.168.2.4
Oct 29, 2024 06:59:41.307493925 CET	443	49782	34.149.100.209	192.168.2.4
Oct 29, 2024 06:59:41.309628010 CET	49782	443	192.168.2.4	34.149.100.209
Oct 29, 2024 06:59:41.309705019 CET	49782	443	192.168.2.4	34.149.100.209
Oct 29, 2024 06:59:41.309812069 CET	443	49782	34.149.100.209	192.168.2.4
Oct 29, 2024 06:59:41.314359903 CET	49751	80	192.168.2.4	34.107.221.82
Oct 29, 2024 06:59:41.319354057 CET	443	49782	34.149.100.209	192.168.2.4
Oct 29, 2024 06:59:41.319677114 CET	80	49751	34.107.221.82	192.168.2.4
Oct 29, 2024 06:59:41.321748972 CET	49782	443	192.168.2.4	34.149.100.209
Oct 29, 2024 06:59:41.321768999 CET	49782	443	192.168.2.4	34.149.100.209
Oct 29, 2024 06:59:41.321768999 CET	49782	443	192.168.2.4	34.149.100.209
Oct 29, 2024 06:59:41.321809053 CET	49757	80	192.168.2.4	34.107.221.82
Oct 29, 2024 06:59:41.638503075 CET	80	49751	34.107.221.82	192.168.2.4
Oct 29, 2024 06:59:41.641319990 CET	49757	80	192.168.2.4	34.107.221.82
Oct 29, 2024 06:59:41.642143011 CET	443	49783	34.107.243.93	192.168.2.4
Oct 29, 2024 06:59:41.642281055 CET	49783	443	192.168.2.4	34.107.243.93
Oct 29, 2024 06:59:41.646662951 CET	80	49757	34.107.221.82	192.168.2.4
Oct 29, 2024 06:59:41.647269011 CET	49783	443	192.168.2.4	34.107.243.93
Oct 29, 2024 06:59:41.647277117 CET	443	49783	34.107.243.93	192.168.2.4
Oct 29, 2024 06:59:41.647340059 CET	49783	443	192.168.2.4	34.107.243.93
Oct 29, 2024 06:59:41.647466898 CET	443	49783	34.107.243.93	192.168.2.4
Oct 29, 2024 06:59:41.648375988 CET	49783	443	192.168.2.4	34.107.243.93
Oct 29, 2024 06:59:41.649549007 CET	49751	80	192.168.2.4	34.107.221.82
Oct 29, 2024 06:59:41.654875994 CET	80	49751	34.107.221.82	192.168.2.4
Oct 29, 2024 06:59:41.766252995 CET	80	49757	34.107.221.82	192.168.2.4
Oct 29, 2024 06:59:41.774386883 CET	80	49751	34.107.221.82	192.168.2.4
Oct 29, 2024 06:59:41.777818918 CET	49757	80	192.168.2.4	34.107.221.82
Oct 29, 2024 06:59:41.783128023 CET	80	49757	34.107.221.82	192.168.2.4
Oct 29, 2024 06:59:41.829922915 CET	49751	80	192.168.2.4	34.107.221.82
Oct 29, 2024 06:59:41.902976990 CET	80	49757	34.107.221.82	192.168.2.4
Oct 29, 2024 06:59:41.945831060 CET	49757	80	192.168.2.4	34.107.221.82
Oct 29, 2024 06:59:51.789655924 CET	49751	80	192.168.2.4	34.107.221.82
Oct 29, 2024 06:59:51.795062065 CET	80	49751	34.107.221.82	192.168.2.4
Oct 29, 2024 06:59:51.905575037 CET	49757	80	192.168.2.4	34.107.221.82
Oct 29, 2024 06:59:51.911163092 CET	80	49757	34.107.221.82	192.168.2.4
Oct 29, 2024 07:00:01.827429056 CET	49751	80	192.168.2.4	34.107.221.82
Oct 29, 2024 07:00:01.832863092 CET	80	49751	34.107.221.82	192.168.2.4
Oct 29, 2024 07:00:01.854907036 CET	49807	443	192.168.2.4	34.107.243.93
Oct 29, 2024 07:00:01.854927063 CET	443	49807	34.107.243.93	192.168.2.4
Oct 29, 2024 07:00:01.855320930 CET	49807	443	192.168.2.4	34.107.243.93
Oct 29, 2024 07:00:01.856702089 CET	49807	443	192.168.2.4	34.107.243.93
Oct 29, 2024 07:00:01.856715918 CET	443	49807	34.107.243.93	192.168.2.4
Oct 29, 2024 07:00:01.927731991 CET	49757	80	192.168.2.4	34.107.221.82
Oct 29, 2024 07:00:01.932997942 CET	80	49757	34.107.221.82	192.168.2.4
Oct 29, 2024 07:00:02.462963104 CET	443	49807	34.107.243.93	192.168.2.4
Oct 29, 2024 07:00:02.463043928 CET	49807	443	192.168.2.4	34.107.243.93
Oct 29, 2024 07:00:02.467444897 CET	49807	443	192.168.2.4	34.107.243.93
Oct 29, 2024 07:00:02.467462063 CET	443	49807	34.107.243.93	192.168.2.4
Oct 29, 2024 07:00:02.467545033 CET	49807	443	192.168.2.4	34.107.243.93
Oct 29, 2024 07:00:02.467596054 CET	443	49807	34.107.243.93	192.168.2.4
Oct 29, 2024 07:00:02.469047070 CET	49807	443	192.168.2.4	34.107.243.93
Oct 29, 2024 07:00:02.470041037 CET	49751	80	192.168.2.4	34.107.221.82
Oct 29, 2024 07:00:02.475452900 CET	80	49751	34.107.221.82	192.168.2.4
Oct 29, 2024 07:00:02.595563889 CET	80	49751	34.107.221.82	192.168.2.4
Oct 29, 2024 07:00:02.598364115 CET	49757	80	192.168.2.4	34.107.221.82
Oct 29, 2024 07:00:02.603800058 CET	80	49757	34.107.221.82	192.168.2.4
Oct 29, 2024 07:00:02.645356894 CET	49751	80	192.168.2.4	34.107.221.82
Oct 29, 2024 07:00:02.723268032 CET	80	49757	34.107.221.82	192.168.2.4
Oct 29, 2024 07:00:02.776899099 CET	49757	80	192.168.2.4	34.107.221.82
Oct 29, 2024 07:00:05.289625883 CET	49751	80	192.168.2.4	34.107.221.82
Oct 29, 2024 07:00:05.295252085 CET	80	49751	34.107.221.82	192.168.2.4
Oct 29, 2024 07:00:05.414249897 CET	80	49751	34.107.221.82	192.168.2.4
Oct 29, 2024 07:00:05.417917013 CET	49757	80	192.168.2.4	34.107.221.82
Oct 29, 2024 07:00:05.423228025 CET	80	49757	34.107.221.82	192.168.2.4
Oct 29, 2024 07:00:05.469033957 CET	49751	80	192.168.2.4	34.107.221.82
Oct 29, 2024 07:00:05.542879105 CET	80	49757	34.107.221.82	192.168.2.4
Oct 29, 2024 07:00:05.600584984 CET	49757	80	192.168.2.4	34.107.221.82
Oct 29, 2024 07:00:09.260421991 CET	49849	443	192.168.2.4	34.120.208.123
Oct 29, 2024 07:00:09.260457039 CET	443	49849	34.120.208.123	192.168.2.4
Oct 29, 2024 07:00:09.261039972 CET	49849	443	192.168.2.4	34.120.208.123
Oct 29, 2024 07:00:09.261204958 CET	49849	443	192.168.2.4	34.120.208.123
Oct 29, 2024 07:00:09.261220932 CET	443	49849	34.120.208.123	192.168.2.4
Oct 29, 2024 07:00:09.292273998 CET	49850	443	192.168.2.4	34.120.208.123
Oct 29, 2024 07:00:09.292347908 CET	443	49850	34.120.208.123	192.168.2.4
Oct 29, 2024 07:00:09.292640924 CET	49850	443	192.168.2.4	34.120.208.123
Oct 29, 2024 07:00:09.292787075 CET	49850	443	192.168.2.4	34.120.208.123
Oct 29, 2024 07:00:09.292805910 CET	443	49850	34.120.208.123	192.168.2.4
Oct 29, 2024 07:00:09.294162989 CET	49851	443	192.168.2.4	34.120.208.123
Oct 29, 2024 07:00:09.294178009 CET	443	49851	34.120.208.123	192.168.2.4
Oct 29, 2024 07:00:09.294287920 CET	49851	443	192.168.2.4	34.120.208.123
Oct 29, 2024 07:00:09.294399977 CET	49851	443	192.168.2.4	34.120.208.123
Oct 29, 2024 07:00:09.294413090 CET	443	49851	34.120.208.123	192.168.2.4
Oct 29, 2024 07:00:09.903532982 CET	443	49851	34.120.208.123	192.168.2.4
Oct 29, 2024 07:00:09.903656006 CET	49851	443	192.168.2.4	34.120.208.123
Oct 29, 2024 07:00:09.906959057 CET	49851	443	192.168.2.4	34.120.208.123
Oct 29, 2024 07:00:09.906968117 CET	443	49851	34.120.208.123	192.168.2.4
Oct 29, 2024 07:00:09.907280922 CET	443	49851	34.120.208.123	192.168.2.4
Oct 29, 2024 07:00:09.909607887 CET	49851	443	192.168.2.4	34.120.208.123
Oct 29, 2024 07:00:09.909713030 CET	49851	443	192.168.2.4	34.120.208.123
Oct 29, 2024 07:00:09.909821033 CET	443	49851	34.120.208.123	192.168.2.4
Oct 29, 2024 07:00:09.909884930 CET	49851	443	192.168.2.4	34.120.208.123
Oct 29, 2024 07:00:09.921202898 CET	443	49850	34.120.208.123	192.168.2.4
Oct 29, 2024 07:00:09.921317101 CET	49850	443	192.168.2.4	34.120.208.123
Oct 29, 2024 07:00:09.924395084 CET	49850	443	192.168.2.4	34.120.208.123
Oct 29, 2024 07:00:09.924416065 CET	443	49850	34.120.208.123	192.168.2.4
Oct 29, 2024 07:00:09.924666882 CET	443	49850	34.120.208.123	192.168.2.4
Oct 29, 2024 07:00:09.927162886 CET	49850	443	192.168.2.4	34.120.208.123
Oct 29, 2024 07:00:09.927263975 CET	49850	443	192.168.2.4	34.120.208.123
Oct 29, 2024 07:00:09.927310944 CET	443	49850	34.120.208.123	192.168.2.4
Oct 29, 2024 07:00:09.928443909 CET	49850	443	192.168.2.4	34.120.208.123
Oct 29, 2024 07:00:09.928443909 CET	49850	443	192.168.2.4	34.120.208.123
Oct 29, 2024 07:00:09.932060003 CET	443	49849	34.120.208.123	192.168.2.4
Oct 29, 2024 07:00:09.932121038 CET	49849	443	192.168.2.4	34.120.208.123
Oct 29, 2024 07:00:09.935029030 CET	49849	443	192.168.2.4	34.120.208.123
Oct 29, 2024 07:00:09.935039043 CET	443	49849	34.120.208.123	192.168.2.4
Oct 29, 2024 07:00:09.935242891 CET	443	49849	34.120.208.123	192.168.2.4
Oct 29, 2024 07:00:09.937486887 CET	49849	443	192.168.2.4	34.120.208.123
Oct 29, 2024 07:00:09.937572002 CET	49849	443	192.168.2.4	34.120.208.123
Oct 29, 2024 07:00:09.937606096 CET	443	49849	34.120.208.123	192.168.2.4
Oct 29, 2024 07:00:09.937700987 CET	49849	443	192.168.2.4	34.120.208.123
Oct 29, 2024 07:00:09.937701941 CET	49849	443	192.168.2.4	34.120.208.123
Oct 29, 2024 07:00:09.949367046 CET	49751	80	192.168.2.4	34.107.221.82
Oct 29, 2024 07:00:09.954808950 CET	80	49751	34.107.221.82	192.168.2.4
Oct 29, 2024 07:00:11.023011923 CET	80	49751	34.107.221.82	192.168.2.4
Oct 29, 2024 07:00:11.023818970 CET	80	49751	34.107.221.82	192.168.2.4
Oct 29, 2024 07:00:11.024234056 CET	80	49751	34.107.221.82	192.168.2.4
Oct 29, 2024 07:00:11.029019117 CET	49751	80	192.168.2.4	34.107.221.82
Oct 29, 2024 07:00:11.031395912 CET	49751	80	192.168.2.4	34.107.221.82
Oct 29, 2024 07:00:11.072144032 CET	49757	80	192.168.2.4	34.107.221.82
Oct 29, 2024 07:00:11.077650070 CET	80	49757	34.107.221.82	192.168.2.4
Oct 29, 2024 07:00:11.196901083 CET	80	49757	34.107.221.82	192.168.2.4
Oct 29, 2024 07:00:11.243710995 CET	49757	80	192.168.2.4	34.107.221.82
Oct 29, 2024 07:00:21.034028053 CET	49751	80	192.168.2.4	34.107.221.82
Oct 29, 2024 07:00:21.200150967 CET	49757	80	192.168.2.4	34.107.221.82
Oct 29, 2024 07:00:21.859345913 CET	80	49751	34.107.221.82	192.168.2.4
Oct 29, 2024 07:00:21.859383106 CET	80	49757	34.107.221.82	192.168.2.4
Oct 29, 2024 07:00:31.876563072 CET	49751	80	192.168.2.4	34.107.221.82
Oct 29, 2024 07:00:31.876573086 CET	49757	80	192.168.2.4	34.107.221.82
Oct 29, 2024 07:00:31.882117987 CET	80	49751	34.107.221.82	192.168.2.4
Oct 29, 2024 07:00:31.882162094 CET	80	49757	34.107.221.82	192.168.2.4
Oct 29, 2024 07:00:41.884596109 CET	49757	80	192.168.2.4	34.107.221.82
Oct 29, 2024 07:00:41.884596109 CET	49751	80	192.168.2.4	34.107.221.82
Oct 29, 2024 07:00:41.890209913 CET	80	49757	34.107.221.82	192.168.2.4
Oct 29, 2024 07:00:41.890252113 CET	80	49751	34.107.221.82	192.168.2.4
Oct 29, 2024 07:00:42.498348951 CET	50005	443	192.168.2.4	34.107.243.93
Oct 29, 2024 07:00:42.498430014 CET	443	50005	34.107.243.93	192.168.2.4
Oct 29, 2024 07:00:42.498889923 CET	50005	443	192.168.2.4	34.107.243.93
Oct 29, 2024 07:00:42.500384092 CET	50005	443	192.168.2.4	34.107.243.93
Oct 29, 2024 07:00:42.500421047 CET	443	50005	34.107.243.93	192.168.2.4
Oct 29, 2024 07:00:43.107574940 CET	443	50005	34.107.243.93	192.168.2.4
Oct 29, 2024 07:00:43.115330935 CET	443	50005	34.107.243.93	192.168.2.4
Oct 29, 2024 07:00:43.115750074 CET	50005	443	192.168.2.4	34.107.243.93
Oct 29, 2024 07:00:43.121658087 CET	50005	443	192.168.2.4	34.107.243.93
Oct 29, 2024 07:00:43.121685028 CET	443	50005	34.107.243.93	192.168.2.4
Oct 29, 2024 07:00:43.121751070 CET	50005	443	192.168.2.4	34.107.243.93
Oct 29, 2024 07:00:43.121838093 CET	443	50005	34.107.243.93	192.168.2.4
Oct 29, 2024 07:00:43.124530077 CET	49751	80	192.168.2.4	34.107.221.82
Oct 29, 2024 07:00:43.125324965 CET	50005	443	192.168.2.4	34.107.243.93
Oct 29, 2024 07:00:43.129901886 CET	80	49751	34.107.221.82	192.168.2.4
Oct 29, 2024 07:00:43.249166965 CET	80	49751	34.107.221.82	192.168.2.4
Oct 29, 2024 07:00:43.252664089 CET	49757	80	192.168.2.4	34.107.221.82
Oct 29, 2024 07:00:43.258054972 CET	80	49757	34.107.221.82	192.168.2.4
Oct 29, 2024 07:00:43.288475990 CET	49751	80	192.168.2.4	34.107.221.82
Oct 29, 2024 07:00:43.378298044 CET	80	49757	34.107.221.82	192.168.2.4
Oct 29, 2024 07:00:43.420038939 CET	49757	80	192.168.2.4	34.107.221.82
Oct 29, 2024 07:00:53.270653963 CET	49751	80	192.168.2.4	34.107.221.82
Oct 29, 2024 07:00:53.276205063 CET	80	49751	34.107.221.82	192.168.2.4
Oct 29, 2024 07:00:53.386472940 CET	49757	80	192.168.2.4	34.107.221.82
Oct 29, 2024 07:00:53.391937017 CET	80	49757	34.107.221.82	192.168.2.4
Oct 29, 2024 07:01:03.291105986 CET	49751	80	192.168.2.4	34.107.221.82
Oct 29, 2024 07:01:03.296736956 CET	80	49751	34.107.221.82	192.168.2.4
Oct 29, 2024 07:01:03.406737089 CET	49757	80	192.168.2.4	34.107.221.82
Oct 29, 2024 07:01:03.412187099 CET	80	49757	34.107.221.82	192.168.2.4
Oct 29, 2024 07:01:13.306785107 CET	49751	80	192.168.2.4	34.107.221.82
Oct 29, 2024 07:01:13.313204050 CET	80	49751	34.107.221.82	192.168.2.4
Oct 29, 2024 07:01:13.422619104 CET	49757	80	192.168.2.4	34.107.221.82
Oct 29, 2024 07:01:13.428246975 CET	80	49757	34.107.221.82	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 29, 2024 06:59:10.841408014 CET	59253	53	192.168.2.4	1.1.1.1
Oct 29, 2024 06:59:10.849684000 CET	53	59253	1.1.1.1	192.168.2.4
Oct 29, 2024 06:59:10.853559017 CET	63874	53	192.168.2.4	1.1.1.1
Oct 29, 2024 06:59:10.861450911 CET	53	63874	1.1.1.1	192.168.2.4
Oct 29, 2024 06:59:13.155782938 CET	50349	53	192.168.2.4	1.1.1.1
Oct 29, 2024 06:59:13.156255007 CET	54397	53	192.168.2.4	1.1.1.1
Oct 29, 2024 06:59:13.163266897 CET	53	50349	1.1.1.1	192.168.2.4
Oct 29, 2024 06:59:13.170137882 CET	50036	53	192.168.2.4	1.1.1.1
Oct 29, 2024 06:59:13.173621893 CET	64145	53	192.168.2.4	1.1.1.1
Oct 29, 2024 06:59:13.177824974 CET	53	50036	1.1.1.1	192.168.2.4
Oct 29, 2024 06:59:13.181566000 CET	53	64145	1.1.1.1	192.168.2.4
Oct 29, 2024 06:59:13.190768003 CET	64246	53	192.168.2.4	1.1.1.1
Oct 29, 2024 06:59:13.190995932 CET	56015	53	192.168.2.4	1.1.1.1
Oct 29, 2024 06:59:13.198719978 CET	53	64246	1.1.1.1	192.168.2.4
Oct 29, 2024 06:59:13.198741913 CET	53	56015	1.1.1.1	192.168.2.4
Oct 29, 2024 06:59:13.752819061 CET	55637	53	192.168.2.4	1.1.1.1
Oct 29, 2024 06:59:13.760255098 CET	53	55637	1.1.1.1	192.168.2.4
Oct 29, 2024 06:59:13.761995077 CET	65174	53	192.168.2.4	1.1.1.1
Oct 29, 2024 06:59:13.769536018 CET	53	65174	1.1.1.1	192.168.2.4
Oct 29, 2024 06:59:13.782362938 CET	62235	53	192.168.2.4	1.1.1.1
Oct 29, 2024 06:59:13.790100098 CET	53	62235	1.1.1.1	192.168.2.4
Oct 29, 2024 06:59:13.792613029 CET	53151	53	192.168.2.4	1.1.1.1
Oct 29, 2024 06:59:13.800290108 CET	53	53151	1.1.1.1	192.168.2.4
Oct 29, 2024 06:59:13.801372051 CET	62311	53	192.168.2.4	1.1.1.1
Oct 29, 2024 06:59:13.804366112 CET	64655	53	192.168.2.4	1.1.1.1
Oct 29, 2024 06:59:13.809485912 CET	53	62311	1.1.1.1	192.168.2.4
Oct 29, 2024 06:59:13.811676979 CET	53	64655	1.1.1.1	192.168.2.4
Oct 29, 2024 06:59:13.812587023 CET	54795	53	192.168.2.4	1.1.1.1
Oct 29, 2024 06:59:13.813256979 CET	51417	53	192.168.2.4	1.1.1.1
Oct 29, 2024 06:59:13.821079969 CET	53	51417	1.1.1.1	192.168.2.4
Oct 29, 2024 06:59:13.821094990 CET	53	54795	1.1.1.1	192.168.2.4
Oct 29, 2024 06:59:13.888720989 CET	52088	53	192.168.2.4	1.1.1.1
Oct 29, 2024 06:59:13.889309883 CET	52045	53	192.168.2.4	1.1.1.1
Oct 29, 2024 06:59:13.896373987 CET	53	52088	1.1.1.1	192.168.2.4
Oct 29, 2024 06:59:13.896601915 CET	53	52045	1.1.1.1	192.168.2.4
Oct 29, 2024 06:59:13.997457027 CET	51736	53	192.168.2.4	1.1.1.1
Oct 29, 2024 06:59:14.108889103 CET	49755	53	192.168.2.4	1.1.1.1
Oct 29, 2024 06:59:14.116031885 CET	53	49755	1.1.1.1	192.168.2.4
Oct 29, 2024 06:59:14.117453098 CET	54414	53	192.168.2.4	1.1.1.1
Oct 29, 2024 06:59:14.125478029 CET	53	54414	1.1.1.1	192.168.2.4
Oct 29, 2024 06:59:14.126014948 CET	50690	53	192.168.2.4	1.1.1.1
Oct 29, 2024 06:59:14.133271933 CET	53	50690	1.1.1.1	192.168.2.4
Oct 29, 2024 06:59:15.467109919 CET	65315	53	192.168.2.4	1.1.1.1
Oct 29, 2024 06:59:15.493839025 CET	53	49475	1.1.1.1	192.168.2.4
Oct 29, 2024 06:59:16.736486912 CET	50550	53	192.168.2.4	1.1.1.1
Oct 29, 2024 06:59:16.746687889 CET	53	50550	1.1.1.1	192.168.2.4
Oct 29, 2024 06:59:16.760387897 CET	57845	53	192.168.2.4	1.1.1.1
Oct 29, 2024 06:59:16.767610073 CET	53	57845	1.1.1.1	192.168.2.4
Oct 29, 2024 06:59:16.768827915 CET	55731	53	192.168.2.4	1.1.1.1
Oct 29, 2024 06:59:16.776165962 CET	53	55731	1.1.1.1	192.168.2.4
Oct 29, 2024 06:59:19.095885038 CET	55348	53	192.168.2.4	1.1.1.1
Oct 29, 2024 06:59:19.104518890 CET	53	55348	1.1.1.1	192.168.2.4
Oct 29, 2024 06:59:19.105196953 CET	63962	53	192.168.2.4	1.1.1.1
Oct 29, 2024 06:59:19.115483999 CET	53	63962	1.1.1.1	192.168.2.4
Oct 29, 2024 06:59:19.116017103 CET	63692	53	192.168.2.4	1.1.1.1
Oct 29, 2024 06:59:19.123931885 CET	53	63692	1.1.1.1	192.168.2.4
Oct 29, 2024 06:59:19.150713921 CET	55458	53	192.168.2.4	1.1.1.1
Oct 29, 2024 06:59:19.159015894 CET	53	55458	1.1.1.1	192.168.2.4
Oct 29, 2024 06:59:19.166748047 CET	60707	53	192.168.2.4	1.1.1.1
Oct 29, 2024 06:59:19.172719955 CET	58782	53	192.168.2.4	1.1.1.1
Oct 29, 2024 06:59:19.174355984 CET	53	60707	1.1.1.1	192.168.2.4
Oct 29, 2024 06:59:19.179785013 CET	53	58782	1.1.1.1	192.168.2.4
Oct 29, 2024 06:59:20.495017052 CET	60382	53	192.168.2.4	1.1.1.1
Oct 29, 2024 06:59:20.502736092 CET	53	60382	1.1.1.1	192.168.2.4
Oct 29, 2024 06:59:20.520601034 CET	50863	53	192.168.2.4	1.1.1.1
Oct 29, 2024 06:59:20.528543949 CET	53	50863	1.1.1.1	192.168.2.4
Oct 29, 2024 06:59:20.534107924 CET	60258	53	192.168.2.4	1.1.1.1
Oct 29, 2024 06:59:20.541625977 CET	53	60258	1.1.1.1	192.168.2.4
Oct 29, 2024 06:59:24.338116884 CET	61110	53	192.168.2.4	1.1.1.1
Oct 29, 2024 06:59:24.558474064 CET	53	61110	1.1.1.1	192.168.2.4
Oct 29, 2024 06:59:27.703871012 CET	57587	53	192.168.2.4	1.1.1.1
Oct 29, 2024 06:59:27.704304934 CET	62891	53	192.168.2.4	1.1.1.1
Oct 29, 2024 06:59:27.704809904 CET	60903	53	192.168.2.4	1.1.1.1
Oct 29, 2024 06:59:27.713419914 CET	53	57587	1.1.1.1	192.168.2.4
Oct 29, 2024 06:59:27.713918924 CET	53	60903	1.1.1.1	192.168.2.4
Oct 29, 2024 06:59:27.714087963 CET	53	62891	1.1.1.1	192.168.2.4
Oct 29, 2024 06:59:27.714143991 CET	61337	53	192.168.2.4	1.1.1.1
Oct 29, 2024 06:59:27.714822054 CET	63216	53	192.168.2.4	1.1.1.1
Oct 29, 2024 06:59:27.714874983 CET	50939	53	192.168.2.4	1.1.1.1
Oct 29, 2024 06:59:27.723202944 CET	53	61337	1.1.1.1	192.168.2.4
Oct 29, 2024 06:59:27.724186897 CET	53	63216	1.1.1.1	192.168.2.4
Oct 29, 2024 06:59:27.724281073 CET	58329	53	192.168.2.4	1.1.1.1
Oct 29, 2024 06:59:27.724354029 CET	53	50939	1.1.1.1	192.168.2.4
Oct 29, 2024 06:59:27.724888086 CET	58765	53	192.168.2.4	1.1.1.1
Oct 29, 2024 06:59:27.725661039 CET	63178	53	192.168.2.4	1.1.1.1
Oct 29, 2024 06:59:27.733963013 CET	53	58329	1.1.1.1	192.168.2.4
Oct 29, 2024 06:59:27.734296083 CET	53	58765	1.1.1.1	192.168.2.4
Oct 29, 2024 06:59:27.734968901 CET	53	63178	1.1.1.1	192.168.2.4
Oct 29, 2024 06:59:27.739653111 CET	50450	53	192.168.2.4	1.1.1.1
Oct 29, 2024 06:59:27.740364075 CET	62177	53	192.168.2.4	1.1.1.1
Oct 29, 2024 06:59:27.749041080 CET	53	50450	1.1.1.1	192.168.2.4
Oct 29, 2024 06:59:27.749511957 CET	53	62177	1.1.1.1	192.168.2.4
Oct 29, 2024 06:59:27.749747992 CET	59106	53	192.168.2.4	1.1.1.1
Oct 29, 2024 06:59:27.750245094 CET	62655	53	192.168.2.4	1.1.1.1
Oct 29, 2024 06:59:27.760319948 CET	53	59106	1.1.1.1	192.168.2.4
Oct 29, 2024 06:59:27.760334015 CET	53	62655	1.1.1.1	192.168.2.4
Oct 29, 2024 06:59:27.762051105 CET	53777	53	192.168.2.4	1.1.1.1
Oct 29, 2024 06:59:27.762738943 CET	52549	53	192.168.2.4	1.1.1.1
Oct 29, 2024 06:59:27.769460917 CET	53	53777	1.1.1.1	192.168.2.4
Oct 29, 2024 06:59:27.770241976 CET	53	52549	1.1.1.1	192.168.2.4
Oct 29, 2024 06:59:30.206754923 CET	62363	53	192.168.2.4	1.1.1.1
Oct 29, 2024 06:59:30.214279890 CET	53	62363	1.1.1.1	192.168.2.4
Oct 29, 2024 06:59:30.223445892 CET	56935	53	192.168.2.4	1.1.1.1
Oct 29, 2024 06:59:30.231225014 CET	53	56935	1.1.1.1	192.168.2.4
Oct 29, 2024 06:59:39.751532078 CET	49338	53	192.168.2.4	1.1.1.1
Oct 29, 2024 06:59:39.758737087 CET	53	49338	1.1.1.1	192.168.2.4
Oct 29, 2024 06:59:39.759385109 CET	64428	53	192.168.2.4	1.1.1.1
Oct 29, 2024 06:59:39.766946077 CET	53	64428	1.1.1.1	192.168.2.4
Oct 29, 2024 06:59:39.773694992 CET	61994	53	192.168.2.4	1.1.1.1
Oct 29, 2024 06:59:39.781692982 CET	53	61994	1.1.1.1	192.168.2.4
Oct 29, 2024 06:59:39.784158945 CET	49544	53	192.168.2.4	1.1.1.1
Oct 29, 2024 06:59:39.792279005 CET	53	49544	1.1.1.1	192.168.2.4
Oct 29, 2024 06:59:39.792831898 CET	54290	53	192.168.2.4	1.1.1.1
Oct 29, 2024 06:59:39.800519943 CET	53	54290	1.1.1.1	192.168.2.4
Oct 29, 2024 06:59:39.801412106 CET	62099	53	192.168.2.4	1.1.1.1
Oct 29, 2024 06:59:39.809514046 CET	53	62099	1.1.1.1	192.168.2.4
Oct 29, 2024 06:59:39.816710949 CET	52039	53	192.168.2.4	1.1.1.1
Oct 29, 2024 06:59:39.824928045 CET	53	52039	1.1.1.1	192.168.2.4
Oct 29, 2024 06:59:39.841455936 CET	58549	53	192.168.2.4	1.1.1.1
Oct 29, 2024 06:59:39.851780891 CET	53	58549	1.1.1.1	192.168.2.4
Oct 29, 2024 06:59:40.870675087 CET	49615	53	192.168.2.4	1.1.1.1
Oct 29, 2024 06:59:40.878640890 CET	53	49615	1.1.1.1	192.168.2.4
Oct 29, 2024 07:00:01.846518993 CET	57825	53	192.168.2.4	1.1.1.1
Oct 29, 2024 07:00:01.853966951 CET	53	57825	1.1.1.1	192.168.2.4
Oct 29, 2024 07:00:01.854660988 CET	62299	53	192.168.2.4	1.1.1.1
Oct 29, 2024 07:00:01.862184048 CET	53	62299	1.1.1.1	192.168.2.4
Oct 29, 2024 07:00:02.470280886 CET	60278	53	192.168.2.4	1.1.1.1
Oct 29, 2024 07:00:09.260353088 CET	59616	53	192.168.2.4	1.1.1.1
Oct 29, 2024 07:00:09.310281038 CET	53	59616	1.1.1.1	192.168.2.4
Oct 29, 2024 07:00:42.489012003 CET	57341	53	192.168.2.4	1.1.1.1
Oct 29, 2024 07:00:42.497338057 CET	53	57341	1.1.1.1	192.168.2.4
Oct 29, 2024 07:00:42.498262882 CET	59615	53	192.168.2.4	1.1.1.1
Oct 29, 2024 07:00:42.505860090 CET	53	59615	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 29, 2024 06:59:10.841408014 CET	192.168.2.4	1.1.1.1	0x1935	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 29, 2024 06:59:10.853559017 CET	192.168.2.4	1.1.1.1	0x9f3c	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 29, 2024 06:59:13.155782938 CET	192.168.2.4	1.1.1.1	0xa018	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 06:59:13.156255007 CET	192.168.2.4	1.1.1.1	0x100	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 06:59:13.170137882 CET	192.168.2.4	1.1.1.1	0x88d3	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 29, 2024 06:59:13.173621893 CET	192.168.2.4	1.1.1.1	0x2b79	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 06:59:13.190768003 CET	192.168.2.4	1.1.1.1	0xbf6c	Standard query (0)	youtube.com	28	IN (0x0001)	false
Oct 29, 2024 06:59:13.190995932 CET	192.168.2.4	1.1.1.1	0x9acf	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 29, 2024 06:59:13.752819061 CET	192.168.2.4	1.1.1.1	0xb4c	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 06:59:13.761995077 CET	192.168.2.4	1.1.1.1	0x506	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 06:59:13.782362938 CET	192.168.2.4	1.1.1.1	0x450d	Standard query (0)	contile.services.mozilla.com	28	IN (0x0001)	false
Oct 29, 2024 06:59:13.792613029 CET	192.168.2.4	1.1.1.1	0xb7bd	Standard query (0)	spocs.getpocket.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 06:59:13.801372051 CET	192.168.2.4	1.1.1.1	0xf506	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 29, 2024 06:59:13.804366112 CET	192.168.2.4	1.1.1.1	0x3277	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 29, 2024 06:59:13.812587023 CET	192.168.2.4	1.1.1.1	0xacc0	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 29, 2024 06:59:13.813256979 CET	192.168.2.4	1.1.1.1	0x5e02	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 29, 2024 06:59:13.888720989 CET	192.168.2.4	1.1.1.1	0x7812	Standard query (0)	example.org	A (IP address)	IN (0x0001)	false
Oct 29, 2024 06:59:13.889309883 CET	192.168.2.4	1.1.1.1	0x3adb	Standard query (0)	ipv4only.arpa	A (IP address)	IN (0x0001)	false
Oct 29, 2024 06:59:13.997457027 CET	192.168.2.4	1.1.1.1	0x6e7a	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 06:59:14.108889103 CET	192.168.2.4	1.1.1.1	0x6c5b	Standard query (0)	content-signature-2.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Oct 29, 2024 06:59:14.117453098 CET	192.168.2.4	1.1.1.1	0x1e7e	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 29, 2024 06:59:14.126014948 CET	192.168.2.4	1.1.1.1	0xe8a4	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 29, 2024 06:59:15.467109919 CET	192.168.2.4	1.1.1.1	0xc8af	Standard query (0)	shavar.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 06:59:16.736486912 CET	192.168.2.4	1.1.1.1	0x772	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 06:59:16.760387897 CET	192.168.2.4	1.1.1.1	0xd376	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 06:59:16.768827915 CET	192.168.2.4	1.1.1.1	0xec02	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 29, 2024 06:59:19.095885038 CET	192.168.2.4	1.1.1.1	0x1ab	Standard query (0)	support.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 29, 2024 06:59:19.105196953 CET	192.168.2.4	1.1.1.1	0x27a4	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 29, 2024 06:59:19.116017103 CET	192.168.2.4	1.1.1.1	0xbb64	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 29, 2024 06:59:19.150713921 CET	192.168.2.4	1.1.1.1	0x117	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 06:59:19.166748047 CET	192.168.2.4	1.1.1.1	0x4cad	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 29, 2024 06:59:19.172719955 CET	192.168.2.4	1.1.1.1	0x40ae	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 29, 2024 06:59:20.495017052 CET	192.168.2.4	1.1.1.1	0xcd9f	Standard query (0)	firefox.settings.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 06:59:20.520601034 CET	192.168.2.4	1.1.1.1	0x715c	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 29, 2024 06:59:20.534107924 CET	192.168.2.4	1.1.1.1	0xac6f	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 29, 2024 06:59:24.338116884 CET	192.168.2.4	1.1.1.1	0x600e	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 29, 2024 06:59:27.703871012 CET	192.168.2.4	1.1.1.1	0xfdcd	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 06:59:27.704304934 CET	192.168.2.4	1.1.1.1	0xf1c	Standard query (0)	www.facebook.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 06:59:27.704809904 CET	192.168.2.4	1.1.1.1	0x68b2	Standard query (0)	www.wikipedia.org	A (IP address)	IN (0x0001)	false
Oct 29, 2024 06:59:27.714143991 CET	192.168.2.4	1.1.1.1	0x168f	Standard query (0)	youtube-ui.l.google.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 06:59:27.714822054 CET	192.168.2.4	1.1.1.1	0x5275	Standard query (0)	star-mini.c10r.facebook.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 06:59:27.714874983 CET	192.168.2.4	1.1.1.1	0xa393	Standard query (0)	dyna.wikimedia.org	A (IP address)	IN (0x0001)	false
Oct 29, 2024 06:59:27.724281073 CET	192.168.2.4	1.1.1.1	0xcaaf	Standard query (0)	youtube-ui.l.google.com	28	IN (0x0001)	false
Oct 29, 2024 06:59:27.724888086 CET	192.168.2.4	1.1.1.1	0xfd8	Standard query (0)	star-mini.c10r.facebook.com	28	IN (0x0001)	false
Oct 29, 2024 06:59:27.725661039 CET	192.168.2.4	1.1.1.1	0x7e3	Standard query (0)	dyna.wikimedia.org	28	IN (0x0001)	false
Oct 29, 2024 06:59:27.739653111 CET	192.168.2.4	1.1.1.1	0x3964	Standard query (0)	www.reddit.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 06:59:27.740364075 CET	192.168.2.4	1.1.1.1	0xf941	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 06:59:27.749747992 CET	192.168.2.4	1.1.1.1	0x9b8e	Standard query (0)	reddit.map.fastly.net	A (IP address)	IN (0x0001)	false
Oct 29, 2024 06:59:27.750245094 CET	192.168.2.4	1.1.1.1	0x7a13	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 06:59:27.762051105 CET	192.168.2.4	1.1.1.1	0x7c77	Standard query (0)	reddit.map.fastly.net	28	IN (0x0001)	false
Oct 29, 2024 06:59:27.762738943 CET	192.168.2.4	1.1.1.1	0xa688	Standard query (0)	twitter.com	28	IN (0x0001)	false
Oct 29, 2024 06:59:30.206754923 CET	192.168.2.4	1.1.1.1	0x8e23	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 06:59:30.223445892 CET	192.168.2.4	1.1.1.1	0xa02f	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 29, 2024 06:59:39.751532078 CET	192.168.2.4	1.1.1.1	0x7240	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 29, 2024 06:59:39.759385109 CET	192.168.2.4	1.1.1.1	0x5ec8	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 29, 2024 06:59:39.773694992 CET	192.168.2.4	1.1.1.1	0xa0ad	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 29, 2024 06:59:39.784158945 CET	192.168.2.4	1.1.1.1	0xc90d	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 29, 2024 06:59:39.792831898 CET	192.168.2.4	1.1.1.1	0x2eec	Standard query (0)	services.addons.mozilla.org	28	IN (0x0001)	false
Oct 29, 2024 06:59:39.801412106 CET	192.168.2.4	1.1.1.1	0x737a	Standard query (0)	normandy.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Oct 29, 2024 06:59:39.816710949 CET	192.168.2.4	1.1.1.1	0x224b	Standard query (0)	normandy-cdn.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 06:59:39.841455936 CET	192.168.2.4	1.1.1.1	0x3882	Standard query (0)	normandy-cdn.services.mozilla.com	28	IN (0x0001)	false
Oct 29, 2024 06:59:40.870675087 CET	192.168.2.4	1.1.1.1	0x6afe	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 29, 2024 07:00:01.846518993 CET	192.168.2.4	1.1.1.1	0xbfb1	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 07:00:01.854660988 CET	192.168.2.4	1.1.1.1	0xb1be	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 29, 2024 07:00:02.470280886 CET	192.168.2.4	1.1.1.1	0xcc99	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 07:00:09.260353088 CET	192.168.2.4	1.1.1.1	0xf630	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 29, 2024 07:00:42.489012003 CET	192.168.2.4	1.1.1.1	0x63be	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 07:00:42.498262882 CET	192.168.2.4	1.1.1.1	0xb828	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 29, 2024 06:59:10.816000938 CET	1.1.1.1	192.168.2.4	0x1169	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Oct 29, 2024 06:59:10.849684000 CET	1.1.1.1	192.168.2.4	0x1935	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Oct 29, 2024 06:59:13.163266897 CET	1.1.1.1	192.168.2.4	0xa018	No error (0)	youtube.com		172.217.16.206	A (IP address)	IN (0x0001)	false
Oct 29, 2024 06:59:13.163669109 CET	1.1.1.1	192.168.2.4	0x100	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 29, 2024 06:59:13.163669109 CET	1.1.1.1	192.168.2.4	0x100	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 29, 2024 06:59:13.177824974 CET	1.1.1.1	192.168.2.4	0x88d3	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 29, 2024 06:59:13.181566000 CET	1.1.1.1	192.168.2.4	0x2b79	No error (0)	youtube.com		216.58.212.174	A (IP address)	IN (0x0001)	false
Oct 29, 2024 06:59:13.198719978 CET	1.1.1.1	192.168.2.4	0xbf6c	No error (0)	youtube.com			28	IN (0x0001)	false
Oct 29, 2024 06:59:13.198741913 CET	1.1.1.1	192.168.2.4	0x9acf	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net			28	IN (0x0001)	false
Oct 29, 2024 06:59:13.760255098 CET	1.1.1.1	192.168.2.4	0xb4c	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 29, 2024 06:59:13.769536018 CET	1.1.1.1	192.168.2.4	0x506	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 29, 2024 06:59:13.800290108 CET	1.1.1.1	192.168.2.4	0xb7bd	No error (0)	spocs.getpocket.com	prod.ads.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 29, 2024 06:59:13.800290108 CET	1.1.1.1	192.168.2.4	0xb7bd	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 29, 2024 06:59:13.800632000 CET	1.1.1.1	192.168.2.4	0x617d	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 29, 2024 06:59:13.800632000 CET	1.1.1.1	192.168.2.4	0x617d	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 29, 2024 06:59:13.809485912 CET	1.1.1.1	192.168.2.4	0xf506	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 29, 2024 06:59:13.811676979 CET	1.1.1.1	192.168.2.4	0x3277	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 29, 2024 06:59:13.896373987 CET	1.1.1.1	192.168.2.4	0x7812	No error (0)	example.org		93.184.215.14	A (IP address)	IN (0x0001)	false
Oct 29, 2024 06:59:13.896601915 CET	1.1.1.1	192.168.2.4	0x3adb	No error (0)	ipv4only.arpa		192.0.0.171	A (IP address)	IN (0x0001)	false
Oct 29, 2024 06:59:13.896601915 CET	1.1.1.1	192.168.2.4	0x3adb	No error (0)	ipv4only.arpa		192.0.0.170	A (IP address)	IN (0x0001)	false
Oct 29, 2024 06:59:14.005907059 CET	1.1.1.1	192.168.2.4	0x6e7a	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 29, 2024 06:59:14.005907059 CET	1.1.1.1	192.168.2.4	0x6e7a	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 29, 2024 06:59:14.116031885 CET	1.1.1.1	192.168.2.4	0x6c5b	No error (0)	content-signature-2.cdn.mozilla.net	content-signature-chains.prod.autograph.services.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 29, 2024 06:59:14.116031885 CET	1.1.1.1	192.168.2.4	0x6c5b	No error (0)	content-signature-chains.prod.autograph.services.mozaws.net	prod.content-signature-chains.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 29, 2024 06:59:14.116031885 CET	1.1.1.1	192.168.2.4	0x6c5b	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Oct 29, 2024 06:59:14.125478029 CET	1.1.1.1	192.168.2.4	0x1e7e	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Oct 29, 2024 06:59:14.133271933 CET	1.1.1.1	192.168.2.4	0xe8a4	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net			28	IN (0x0001)	false
Oct 29, 2024 06:59:15.474628925 CET	1.1.1.1	192.168.2.4	0xc8af	No error (0)	shavar.services.mozilla.com	shavar.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 29, 2024 06:59:16.746687889 CET	1.1.1.1	192.168.2.4	0x772	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 29, 2024 06:59:16.767610073 CET	1.1.1.1	192.168.2.4	0xd376	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 29, 2024 06:59:19.104518890 CET	1.1.1.1	192.168.2.4	0x1ab	No error (0)	support.mozilla.org	prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 29, 2024 06:59:19.104518890 CET	1.1.1.1	192.168.2.4	0x1ab	No error (0)	prod.sumo.prod.webservices.mozgcp.net	us-west1.prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 29, 2024 06:59:19.104518890 CET	1.1.1.1	192.168.2.4	0x1ab	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Oct 29, 2024 06:59:19.115483999 CET	1.1.1.1	192.168.2.4	0x27a4	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Oct 29, 2024 06:59:19.144355059 CET	1.1.1.1	192.168.2.4	0x3512	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 29, 2024 06:59:19.159015894 CET	1.1.1.1	192.168.2.4	0x117	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 29, 2024 06:59:19.179522038 CET	1.1.1.1	192.168.2.4	0x4aab	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 29, 2024 06:59:19.179522038 CET	1.1.1.1	192.168.2.4	0x4aab	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 29, 2024 06:59:20.502736092 CET	1.1.1.1	192.168.2.4	0xcd9f	No error (0)	firefox.settings.services.mozilla.com	prod.remote-settings.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 29, 2024 06:59:20.502736092 CET	1.1.1.1	192.168.2.4	0xcd9f	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Oct 29, 2024 06:59:20.528543949 CET	1.1.1.1	192.168.2.4	0x715c	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Oct 29, 2024 06:59:24.559595108 CET	1.1.1.1	192.168.2.4	0xe288	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 29, 2024 06:59:27.713419914 CET	1.1.1.1	192.168.2.4	0xfdcd	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 29, 2024 06:59:27.713419914 CET	1.1.1.1	192.168.2.4	0xfdcd	No error (0)	youtube-ui.l.google.com		216.58.206.46	A (IP address)	IN (0x0001)	false
Oct 29, 2024 06:59:27.713419914 CET	1.1.1.1	192.168.2.4	0xfdcd	No error (0)	youtube-ui.l.google.com		142.250.186.78	A (IP address)	IN (0x0001)	false
Oct 29, 2024 06:59:27.713419914 CET	1.1.1.1	192.168.2.4	0xfdcd	No error (0)	youtube-ui.l.google.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Oct 29, 2024 06:59:27.713419914 CET	1.1.1.1	192.168.2.4	0xfdcd	No error (0)	youtube-ui.l.google.com		216.58.212.174	A (IP address)	IN (0x0001)	false
Oct 29, 2024 06:59:27.713419914 CET	1.1.1.1	192.168.2.4	0xfdcd	No error (0)	youtube-ui.l.google.com		142.250.186.174	A (IP address)	IN (0x0001)	false
Oct 29, 2024 06:59:27.713419914 CET	1.1.1.1	192.168.2.4	0xfdcd	No error (0)	youtube-ui.l.google.com		142.250.186.110	A (IP address)	IN (0x0001)	false
Oct 29, 2024 06:59:27.713419914 CET	1.1.1.1	192.168.2.4	0xfdcd	No error (0)	youtube-ui.l.google.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Oct 29, 2024 06:59:27.713419914 CET	1.1.1.1	192.168.2.4	0xfdcd	No error (0)	youtube-ui.l.google.com		172.217.18.14	A (IP address)	IN (0x0001)	false
Oct 29, 2024 06:59:27.713419914 CET	1.1.1.1	192.168.2.4	0xfdcd	No error (0)	youtube-ui.l.google.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Oct 29, 2024 06:59:27.713419914 CET	1.1.1.1	192.168.2.4	0xfdcd	No error (0)	youtube-ui.l.google.com		172.217.16.142	A (IP address)	IN (0x0001)	false
Oct 29, 2024 06:59:27.713419914 CET	1.1.1.1	192.168.2.4	0xfdcd	No error (0)	youtube-ui.l.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Oct 29, 2024 06:59:27.713419914 CET	1.1.1.1	192.168.2.4	0xfdcd	No error (0)	youtube-ui.l.google.com		172.217.16.206	A (IP address)	IN (0x0001)	false
Oct 29, 2024 06:59:27.713419914 CET	1.1.1.1	192.168.2.4	0xfdcd	No error (0)	youtube-ui.l.google.com		142.250.181.238	A (IP address)	IN (0x0001)	false
Oct 29, 2024 06:59:27.713419914 CET	1.1.1.1	192.168.2.4	0xfdcd	No error (0)	youtube-ui.l.google.com		142.250.186.46	A (IP address)	IN (0x0001)	false
Oct 29, 2024 06:59:27.713419914 CET	1.1.1.1	192.168.2.4	0xfdcd	No error (0)	youtube-ui.l.google.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Oct 29, 2024 06:59:27.713419914 CET	1.1.1.1	192.168.2.4	0xfdcd	No error (0)	youtube-ui.l.google.com		216.58.206.78	A (IP address)	IN (0x0001)	false
Oct 29, 2024 06:59:27.713918924 CET	1.1.1.1	192.168.2.4	0x68b2	No error (0)	www.wikipedia.org	dyna.wikimedia.org		CNAME (Canonical name)	IN (0x0001)	false
Oct 29, 2024 06:59:27.713918924 CET	1.1.1.1	192.168.2.4	0x68b2	No error (0)	dyna.wikimedia.org		185.15.59.224	A (IP address)	IN (0x0001)	false
Oct 29, 2024 06:59:27.714087963 CET	1.1.1.1	192.168.2.4	0xf1c	No error (0)	www.facebook.com	star-mini.c10r.facebook.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 29, 2024 06:59:27.714087963 CET	1.1.1.1	192.168.2.4	0xf1c	No error (0)	star-mini.c10r.facebook.com		157.240.251.35	A (IP address)	IN (0x0001)	false
Oct 29, 2024 06:59:27.723202944 CET	1.1.1.1	192.168.2.4	0x168f	No error (0)	youtube-ui.l.google.com		216.58.212.174	A (IP address)	IN (0x0001)	false
Oct 29, 2024 06:59:27.723202944 CET	1.1.1.1	192.168.2.4	0x168f	No error (0)	youtube-ui.l.google.com		142.250.186.46	A (IP address)	IN (0x0001)	false
Oct 29, 2024 06:59:27.723202944 CET	1.1.1.1	192.168.2.4	0x168f	No error (0)	youtube-ui.l.google.com		142.250.181.238	A (IP address)	IN (0x0001)	false
Oct 29, 2024 06:59:27.723202944 CET	1.1.1.1	192.168.2.4	0x168f	No error (0)	youtube-ui.l.google.com		142.250.186.78	A (IP address)	IN (0x0001)	false
Oct 29, 2024 06:59:27.723202944 CET	1.1.1.1	192.168.2.4	0x168f	No error (0)	youtube-ui.l.google.com		142.250.185.110	A (IP address)	IN (0x0001)	false
Oct 29, 2024 06:59:27.723202944 CET	1.1.1.1	192.168.2.4	0x168f	No error (0)	youtube-ui.l.google.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Oct 29, 2024 06:59:27.723202944 CET	1.1.1.1	192.168.2.4	0x168f	No error (0)	youtube-ui.l.google.com		216.58.206.46	A (IP address)	IN (0x0001)	false
Oct 29, 2024 06:59:27.723202944 CET	1.1.1.1	192.168.2.4	0x168f	No error (0)	youtube-ui.l.google.com		142.250.185.174	A (IP address)	IN (0x0001)	false
Oct 29, 2024 06:59:27.723202944 CET	1.1.1.1	192.168.2.4	0x168f	No error (0)	youtube-ui.l.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Oct 29, 2024 06:59:27.723202944 CET	1.1.1.1	192.168.2.4	0x168f	No error (0)	youtube-ui.l.google.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Oct 29, 2024 06:59:27.723202944 CET	1.1.1.1	192.168.2.4	0x168f	No error (0)	youtube-ui.l.google.com		172.217.18.14	A (IP address)	IN (0x0001)	false
Oct 29, 2024 06:59:27.723202944 CET	1.1.1.1	192.168.2.4	0x168f	No error (0)	youtube-ui.l.google.com		142.250.186.110	A (IP address)	IN (0x0001)	false
Oct 29, 2024 06:59:27.723202944 CET	1.1.1.1	192.168.2.4	0x168f	No error (0)	youtube-ui.l.google.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Oct 29, 2024 06:59:27.723202944 CET	1.1.1.1	192.168.2.4	0x168f	No error (0)	youtube-ui.l.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Oct 29, 2024 06:59:27.723202944 CET	1.1.1.1	192.168.2.4	0x168f	No error (0)	youtube-ui.l.google.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Oct 29, 2024 06:59:27.723202944 CET	1.1.1.1	192.168.2.4	0x168f	No error (0)	youtube-ui.l.google.com		142.250.74.206	A (IP address)	IN (0x0001)	false
Oct 29, 2024 06:59:27.724186897 CET	1.1.1.1	192.168.2.4	0x5275	No error (0)	star-mini.c10r.facebook.com		157.240.0.35	A (IP address)	IN (0x0001)	false
Oct 29, 2024 06:59:27.724354029 CET	1.1.1.1	192.168.2.4	0xa393	No error (0)	dyna.wikimedia.org		185.15.59.224	A (IP address)	IN (0x0001)	false
Oct 29, 2024 06:59:27.733963013 CET	1.1.1.1	192.168.2.4	0xcaaf	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 29, 2024 06:59:27.733963013 CET	1.1.1.1	192.168.2.4	0xcaaf	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 29, 2024 06:59:27.733963013 CET	1.1.1.1	192.168.2.4	0xcaaf	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 29, 2024 06:59:27.733963013 CET	1.1.1.1	192.168.2.4	0xcaaf	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 29, 2024 06:59:27.734296083 CET	1.1.1.1	192.168.2.4	0xfd8	No error (0)	star-mini.c10r.facebook.com			28	IN (0x0001)	false
Oct 29, 2024 06:59:27.734968901 CET	1.1.1.1	192.168.2.4	0x7e3	No error (0)	dyna.wikimedia.org			28	IN (0x0001)	false
Oct 29, 2024 06:59:27.749041080 CET	1.1.1.1	192.168.2.4	0x3964	No error (0)	www.reddit.com	reddit.map.fastly.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 29, 2024 06:59:27.749041080 CET	1.1.1.1	192.168.2.4	0x3964	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Oct 29, 2024 06:59:27.749041080 CET	1.1.1.1	192.168.2.4	0x3964	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Oct 29, 2024 06:59:27.749041080 CET	1.1.1.1	192.168.2.4	0x3964	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Oct 29, 2024 06:59:27.749041080 CET	1.1.1.1	192.168.2.4	0x3964	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Oct 29, 2024 06:59:27.749511957 CET	1.1.1.1	192.168.2.4	0xf941	No error (0)	twitter.com		104.244.42.129	A (IP address)	IN (0x0001)	false
Oct 29, 2024 06:59:27.760319948 CET	1.1.1.1	192.168.2.4	0x9b8e	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Oct 29, 2024 06:59:27.760319948 CET	1.1.1.1	192.168.2.4	0x9b8e	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Oct 29, 2024 06:59:27.760319948 CET	1.1.1.1	192.168.2.4	0x9b8e	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Oct 29, 2024 06:59:27.760319948 CET	1.1.1.1	192.168.2.4	0x9b8e	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Oct 29, 2024 06:59:27.760334015 CET	1.1.1.1	192.168.2.4	0x7a13	No error (0)	twitter.com		104.244.42.1	A (IP address)	IN (0x0001)	false
Oct 29, 2024 06:59:30.214279890 CET	1.1.1.1	192.168.2.4	0x8e23	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 29, 2024 06:59:39.758737087 CET	1.1.1.1	192.168.2.4	0x7240	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 29, 2024 06:59:39.781692982 CET	1.1.1.1	192.168.2.4	0xa0ad	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Oct 29, 2024 06:59:39.781692982 CET	1.1.1.1	192.168.2.4	0xa0ad	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Oct 29, 2024 06:59:39.781692982 CET	1.1.1.1	192.168.2.4	0xa0ad	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Oct 29, 2024 06:59:39.781692982 CET	1.1.1.1	192.168.2.4	0xa0ad	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Oct 29, 2024 06:59:39.792279005 CET	1.1.1.1	192.168.2.4	0xc90d	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Oct 29, 2024 06:59:39.792279005 CET	1.1.1.1	192.168.2.4	0xc90d	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Oct 29, 2024 06:59:39.792279005 CET	1.1.1.1	192.168.2.4	0xc90d	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Oct 29, 2024 06:59:39.792279005 CET	1.1.1.1	192.168.2.4	0xc90d	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Oct 29, 2024 06:59:39.800519943 CET	1.1.1.1	192.168.2.4	0x2eec	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Oct 29, 2024 06:59:39.800519943 CET	1.1.1.1	192.168.2.4	0x2eec	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Oct 29, 2024 06:59:39.800519943 CET	1.1.1.1	192.168.2.4	0x2eec	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Oct 29, 2024 06:59:39.800519943 CET	1.1.1.1	192.168.2.4	0x2eec	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Oct 29, 2024 06:59:39.809514046 CET	1.1.1.1	192.168.2.4	0x737a	No error (0)	normandy.cdn.mozilla.net	normandy-cdn.services.mozilla.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 29, 2024 06:59:39.809514046 CET	1.1.1.1	192.168.2.4	0x737a	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Oct 29, 2024 06:59:39.824928045 CET	1.1.1.1	192.168.2.4	0x224b	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Oct 29, 2024 06:59:41.030097961 CET	1.1.1.1	192.168.2.4	0x9e4	No error (0)	a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com	a17.rackcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 29, 2024 06:59:41.030097961 CET	1.1.1.1	192.168.2.4	0x9e4	No error (0)	a17.rackcdn.com	a17.rackcdn.com.mdc.edgesuite.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 29, 2024 07:00:01.853966951 CET	1.1.1.1	192.168.2.4	0xbfb1	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 29, 2024 07:00:02.479443073 CET	1.1.1.1	192.168.2.4	0xcc99	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 29, 2024 07:00:02.479443073 CET	1.1.1.1	192.168.2.4	0xcc99	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 29, 2024 07:00:42.497338057 CET	1.1.1.1	192.168.2.4	0x63be	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

detectportal.firefox.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49740	34.107.221.82	80	7824	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 29, 2024 06:59:13.229964018 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 29, 2024 06:59:13.833723068 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 28 Oct 2024 14:39:46 GMT Age: 55167 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49744	34.107.221.82	80	7824	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 29, 2024 06:59:14.012680054 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 29, 2024 06:59:14.607667923 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 28 Oct 2024 12:53:45 GMT Age: 61529 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49751	34.107.221.82	80	7824	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 29, 2024 06:59:14.909898043 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 29, 2024 06:59:15.505482912 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 28 Oct 2024 14:39:46 GMT Age: 55169 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 29, 2024 06:59:15.903915882 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 29, 2024 06:59:16.030961037 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 28 Oct 2024 14:39:46 GMT Age: 55169 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 29, 2024 06:59:16.705677032 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 29, 2024 06:59:16.830208063 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 28 Oct 2024 14:39:46 GMT Age: 55170 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 29, 2024 06:59:19.136518002 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 29, 2024 06:59:19.262348890 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 28 Oct 2024 14:39:46 GMT Age: 55173 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 29, 2024 06:59:24.336673021 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 29, 2024 06:59:24.676299095 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 28 Oct 2024 14:39:46 GMT Age: 55178 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 29, 2024 06:59:25.159508944 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 29, 2024 06:59:25.284840107 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 28 Oct 2024 14:39:46 GMT Age: 55179 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 29, 2024 06:59:27.145348072 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 29, 2024 06:59:27.270028114 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 28 Oct 2024 14:39:46 GMT Age: 55181 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 29, 2024 06:59:27.976639986 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 29, 2024 06:59:28.101470947 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 28 Oct 2024 14:39:46 GMT Age: 55182 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 29, 2024 06:59:30.196842909 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 29, 2024 06:59:30.321646929 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 28 Oct 2024 14:39:46 GMT Age: 55184 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 29, 2024 06:59:30.836450100 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 29, 2024 06:59:30.960973978 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 28 Oct 2024 14:39:46 GMT Age: 55184 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 29, 2024 06:59:40.368743896 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 29, 2024 06:59:40.494932890 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 28 Oct 2024 14:39:46 GMT Age: 55194 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 29, 2024 06:59:40.669667959 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 29, 2024 06:59:40.794207096 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 28 Oct 2024 14:39:46 GMT Age: 55194 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 29, 2024 06:59:41.017659903 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 29, 2024 06:59:41.142085075 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 28 Oct 2024 14:39:46 GMT Age: 55195 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 29, 2024 06:59:41.314359903 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 29, 2024 06:59:41.638503075 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 28 Oct 2024 14:39:46 GMT Age: 55195 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 29, 2024 06:59:41.649549007 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 29, 2024 06:59:41.774386883 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 28 Oct 2024 14:39:46 GMT Age: 55195 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 29, 2024 06:59:51.789655924 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 29, 2024 07:00:01.827429056 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 29, 2024 07:00:02.470041037 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 29, 2024 07:00:02.595563889 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 28 Oct 2024 14:39:46 GMT Age: 55216 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 29, 2024 07:00:05.289625883 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 29, 2024 07:00:05.414249897 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 28 Oct 2024 14:39:46 GMT Age: 55219 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 29, 2024 07:00:09.949367046 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 29, 2024 07:00:11.023011923 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 28 Oct 2024 14:39:46 GMT Age: 55224 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 29, 2024 07:00:11.023818970 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 28 Oct 2024 14:39:46 GMT Age: 55224 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 29, 2024 07:00:11.024234056 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 28 Oct 2024 14:39:46 GMT Age: 55224 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 29, 2024 07:00:21.034028053 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 29, 2024 07:00:31.876563072 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 29, 2024 07:00:41.884596109 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 29, 2024 07:00:43.124530077 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 29, 2024 07:00:43.249166965 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 28 Oct 2024 14:39:46 GMT Age: 55257 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 29, 2024 07:00:53.270653963 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 29, 2024 07:01:03.291105986 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 29, 2024 07:01:13.306785107 CET	6	OUT	Data Raw: 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port
3	192.168.2.4	49755	34.107.221.82	80

Timestamp	Bytes transferred	Direction	Data
Oct 29, 2024 06:59:15.734286070 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49757	34.107.221.82	80	7824	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 29, 2024 06:59:16.581018925 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 29, 2024 06:59:17.177587986 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 28 Oct 2024 12:53:45 GMT Age: 61532 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 29, 2024 06:59:19.135020971 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 29, 2024 06:59:19.260624886 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 28 Oct 2024 12:53:45 GMT Age: 61534 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 29, 2024 06:59:24.261760950 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 29, 2024 06:59:24.555867910 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 28 Oct 2024 12:53:45 GMT Age: 61539 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 29, 2024 06:59:24.611802101 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 28 Oct 2024 12:53:45 GMT Age: 61539 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 29, 2024 06:59:24.741475105 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 29, 2024 06:59:24.878912926 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 28 Oct 2024 12:53:45 GMT Age: 61539 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 29, 2024 06:59:25.800055981 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 29, 2024 06:59:25.925036907 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 28 Oct 2024 12:53:45 GMT Age: 61540 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 29, 2024 06:59:27.501091957 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 29, 2024 06:59:27.626069069 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 28 Oct 2024 12:53:45 GMT Age: 61542 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 29, 2024 06:59:29.466856956 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 29, 2024 06:59:29.591825008 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 28 Oct 2024 12:53:45 GMT Age: 61544 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 29, 2024 06:59:30.324577093 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 29, 2024 06:59:30.449888945 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 28 Oct 2024 12:53:45 GMT Age: 61545 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 29, 2024 06:59:30.964257956 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 29, 2024 06:59:31.089454889 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 28 Oct 2024 12:53:45 GMT Age: 61546 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 29, 2024 06:59:40.498316050 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 29, 2024 06:59:40.623719931 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 28 Oct 2024 12:53:45 GMT Age: 61555 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 29, 2024 06:59:40.796875954 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 29, 2024 06:59:40.922087908 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 28 Oct 2024 12:53:45 GMT Age: 61555 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 29, 2024 06:59:41.146680117 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 29, 2024 06:59:41.273619890 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 28 Oct 2024 12:53:45 GMT Age: 61556 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 29, 2024 06:59:41.641319990 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 29, 2024 06:59:41.766252995 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 28 Oct 2024 12:53:45 GMT Age: 61556 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 29, 2024 06:59:41.777818918 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 29, 2024 06:59:41.902976990 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 28 Oct 2024 12:53:45 GMT Age: 61556 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 29, 2024 06:59:51.905575037 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 29, 2024 07:00:01.927731991 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 29, 2024 07:00:02.598364115 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 29, 2024 07:00:02.723268032 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 28 Oct 2024 12:53:45 GMT Age: 61577 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 29, 2024 07:00:05.417917013 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 29, 2024 07:00:05.542879105 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 28 Oct 2024 12:53:45 GMT Age: 61580 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 29, 2024 07:00:11.072144032 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 29, 2024 07:00:11.196901083 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 28 Oct 2024 12:53:45 GMT Age: 61586 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 29, 2024 07:00:21.200150967 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 29, 2024 07:00:31.876573086 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 29, 2024 07:00:41.884596109 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 29, 2024 07:00:43.252664089 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 29, 2024 07:00:43.378298044 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 28 Oct 2024 12:53:45 GMT Age: 61618 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 29, 2024 07:00:53.386472940 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 29, 2024 07:01:03.406737089 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 29, 2024 07:01:13.422619104 CET	6	OUT	Data Raw: 00 Data Ascii:

Target ID:	0
Start time:	01:59:03
Start date:	29/10/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0xe40000
File size:	919'552 bytes
MD5 hash:	58D65FE21880B28F30ED2E6EC0D16EAE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	01:59:03
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM firefox.exe /T
Imagebase:	0x420000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	01:59:03
Start date:	29/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	01:59:05
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM chrome.exe /T
Imagebase:	0x420000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	01:59:05
Start date:	29/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	01:59:05
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM msedge.exe /T
Imagebase:	0x420000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	01:59:05
Start date:	29/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	01:59:06
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM opera.exe /T
Imagebase:	0x420000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	01:59:06
Start date:	29/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	01:59:06
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM brave.exe /T
Imagebase:	0x420000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	01:59:06
Start date:	29/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	01:59:06
Start date:	29/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	01:59:06
Start date:	29/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	01:59:06
Start date:	29/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	15
Start time:	01:59:07
Start date:	29/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2296 -parentBuildID 20230927232528 -prefsHandle 2240 -prefMapHandle 2224 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {24840072-f694-4f48-95a1-da79ede47ec3} 7824 "\\.\pipe\gecko-crash-server-pipe.7824" 1dc27c6e310 socket
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	01:59:10
Start date:	29/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4088 -parentBuildID 20230927232528 -prefsHandle 3944 -prefMapHandle 3940 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {38509e27-cf62-4645-91ed-874a587441d6} 7824 "\\.\pipe\gecko-crash-server-pipe.7824" 1dc39da2e10 rdd
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	01:59:17
Start date:	29/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5296 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5196 -prefMapHandle 5344 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1b434bde-b94a-4a39-974d-2f8b7ed056e3} 7824 "\\.\pipe\gecko-crash-server-pipe.7824" 1dc4178a710 utility
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.3%
Total number of Nodes:	1541
Total number of Limit Nodes:	62

Executed Functions

Function 00E442DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00E4430D

Part of subcall function 00E46B57: _wcslen.LIBCMT ref: 00E46B6A

GetCurrentProcess.KERNEL32(?,00EDCB64,00000000,?,?), ref: 00E44422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00E44429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00E44454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00E44466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00E44474
FreeLibrary.KERNEL32(00000000,?,?), ref: 00E4447B
GetSystemInfo.KERNEL32(?,?,?), ref: 00E444A0

Strings

kernel32.dll, xrefs: 00E4444F
GetNativeSystemInfo, xrefs: 00E44460
|O, xrefs: 00E836F8

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 55941ee0db4d2db7a7b1c936f5701276e1fbcfd795493416a6c3f8266a7ba100
Instruction ID: 7e891b8ae1a9f849d49a28f14ab25ab6c192494d1c276d11c875a358c8364e24
Opcode Fuzzy Hash: 55941ee0db4d2db7a7b1c936f5701276e1fbcfd795493416a6c3f8266a7ba100
Instruction Fuzzy Hash: 08A1E9A190A2CCCFCB11D7B97C443D57FE47B26744F1AE49AD2B5B3A6AD2204508FB21

Function 00E442A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00E450AA,?,?,00000000,00000000), ref: 00E442B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00E450AA,?,?,00000000,00000000), ref: 00E442C9
LoadResource.KERNEL32(?,00000000,?,?,00E450AA,?,?,00000000,00000000,?,?,?,?,?,?,00E44F20), ref: 00E835BE
SizeofResource.KERNEL32(?,00000000,?,?,00E450AA,?,?,00000000,00000000,?,?,?,?,?,?,00E44F20), ref: 00E835D3
LockResource.KERNEL32(00E450AA,?,?,00E450AA,?,?,00000000,00000000,?,?,?,?,?,?,00E44F20,?), ref: 00E835E6

Strings

SCRIPT, xrefs: 00E442BF

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: bf7bf6858f7e86f03d62575d058c309ed6313114d24fcc938d0133725c613de7
Instruction ID: caefd118e8bb3fa077b05847d81d1a1f8703c33c99367eba407977702178dde0
Opcode Fuzzy Hash: bf7bf6858f7e86f03d62575d058c309ed6313114d24fcc938d0133725c613de7
Instruction Fuzzy Hash: BA1170B0201701BFDB219B66EC48F677BB9EBC5B95F20416EB406A62A0DBB1D804C620

Function 00EADBBE Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 29
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(?,"R), ref: 00EADBCE
GetFileAttributesW.KERNELBASE(?), ref: 00EADBDD
FindFirstFileW.KERNEL32(?,?), ref: 00EADBEE
FindClose.KERNEL32(00000000), ref: 00EADBFA

Strings

"R, xrefs: 00EADBCA

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID: "R
API String ID: 2695905019-1746183819
Opcode ID: 23680e49f2c7b13fb65c4a8b442a3f815f9aa95cd02b832c9cda0759f026c88c
Instruction ID: 1ad0a862d29b0573d466b0620cedc4557a32206d62cf6bf6475ea8b42e7b5180
Opcode Fuzzy Hash: 23680e49f2c7b13fb65c4a8b442a3f815f9aa95cd02b832c9cda0759f026c88c
Instruction Fuzzy Hash: 49F0A7304159155B82206B78AC0D4AA777CDF06374B604713F476E24F0EBB46D58C595

Function 00E82BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00E42B6B

Part of subcall function 00E43A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00F11418,?,00E42E7F,?,?,?,00000000), ref: 00E43A78

Part of subcall function 00E49CB3: _wcslen.LIBCMT ref: 00E49CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00F02224), ref: 00E82C10
ShellExecuteW.SHELL32(00000000,?,?,00F02224), ref: 00E82C17

Strings

runas, xrefs: 00E82C0B

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: 91ccb7d301ecea2c44e6622eebce02e93fdbbd6b1cf3b1bc7a50ffec73823a37
Instruction ID: f46fb37f4ff973cf8c4d50e6498dad5a10b0db843badc3088fa0bd293791ae82
Opcode Fuzzy Hash: 91ccb7d301ecea2c44e6622eebce02e93fdbbd6b1cf3b1bc7a50ffec73823a37
Instruction Fuzzy Hash: 7B11E1316083056AC704FF70F8559AEB7E4EB95744F84342DF286320A3CF618A49E712

Function 00E64CE8 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 20
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(00E728E9,(,00E64CBE,00000000,00F088B8,0000000C,00E64E15,(,00000002,00000000,?,00E728E9,00000003,00E72DF7,?,?), ref: 00E64D09
TerminateProcess.KERNEL32(00000000,?,00E728E9,00000003,00E72DF7,?,?,?,00E6E6D1,?,00F08A48,00000010,00E44F4A,?,?,00000000), ref: 00E64D10
ExitProcess.KERNEL32 ref: 00E64D22

Strings

(, xrefs: 00E64CEA

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID: (
API String ID: 1703294689-2063206799
Opcode ID: b5860e9e460eb4ceea710090459c600ffbc555e125f38bdedb824db3c44d2c11
Instruction ID: 4134db315a9462d3e302e5a3d5ab8be46796b55628e27341bbf3d3b8cd90d96b
Opcode Fuzzy Hash: b5860e9e460eb4ceea710090459c600ffbc555e125f38bdedb824db3c44d2c11
Instruction Fuzzy Hash: 91E0B6B1441149AFCF11AF65FD09A583B69EB417C5F209055FC09AB162CB35DD46DA80

Function 00EAD4DC Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00EAD501
Process32FirstW.KERNEL32(00000000,?), ref: 00EAD50F
Process32NextW.KERNEL32(00000000,?), ref: 00EAD52F
CloseHandle.KERNELBASE(00000000), ref: 00EAD5DC

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 0fd0f7bc04876bfc20f26b67ee6fea63bafc67718f910b1d4d173cdd78353189
Instruction ID: c6315df6c394dce4720fb49039a8b2a2441ac3719c3031c99d2c177eb480c223
Opcode Fuzzy Hash: 0fd0f7bc04876bfc20f26b67ee6fea63bafc67718f910b1d4d173cdd78353189
Instruction Fuzzy Hash: 2331A4315083019FD304EF54EC81AAFBBF8EFD9354F14052DF582A61A2EB71A948CB92

Function 00ECAFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 00ECB198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00ECB1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00ECB1D4
_wcslen.LIBCMT ref: 00ECB200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00ECB214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00ECB236
_wcslen.LIBCMT ref: 00ECB332

Part of subcall function 00EB05A7: GetStdHandle.KERNEL32(000000F6), ref: 00EB05C6

_wcslen.LIBCMT ref: 00ECB34B
_wcslen.LIBCMT ref: 00ECB366
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00ECB3B6
GetLastError.KERNEL32(00000000), ref: 00ECB407
CloseHandle.KERNEL32(?), ref: 00ECB439
CloseHandle.KERNEL32(00000000), ref: 00ECB44A
CloseHandle.KERNEL32(00000000), ref: 00ECB45C
CloseHandle.KERNEL32(00000000), ref: 00ECB46E
CloseHandle.KERNEL32(?), ref: 00ECB4E3

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: bfcfaf8398a9a8ce21740abbb6e42f4e13009f06657967e7c67211c5bbbd04d2
Instruction ID: dce77466a729df91e970f1096f030c4562abbc21dc1dc3e8d5a18bc0250a01b3
Opcode Fuzzy Hash: bfcfaf8398a9a8ce21740abbb6e42f4e13009f06657967e7c67211c5bbbd04d2
Instruction Fuzzy Hash: EEF18B315083409FC714EF24D982B6EBBE5AF85314F14995DF899AB2A2DB32EC05CB52

Function 00E4D7CB Relevance: 21.6, APIs: 14, Instructions: 579windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00E4D807
timeGetTime.WINMM ref: 00E4DA07
PeekMessageW.USER32(?), ref: 00E4DB28
TranslateMessage.USER32(?), ref: 00E4DB7B
DispatchMessageW.USER32(?), ref: 00E4DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00E4DB9F
Sleep.KERNELBASE(0000000A), ref: 00E4DBB1

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: c53307d6ab8520a7118dce4bf6bff821d5ef650fae529ccb1486236d121df8f8
Instruction ID: 76e950fc517d326a126ad6d4ba2887cbe8280b2359fa1bcecc8b89633475a5ee
Opcode Fuzzy Hash: c53307d6ab8520a7118dce4bf6bff821d5ef650fae529ccb1486236d121df8f8
Instruction Fuzzy Hash: AE32C330608342EFDB28CF24DC84BAAB7E1FF85308F14A55EE655A7291D771E844DB92

Function 00E42CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00E42D07
RegisterClassExW.USER32(00000030), ref: 00E42D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00E42D42
InitCommonControlsEx.COMCTL32(?), ref: 00E42D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00E42D6F
LoadIconW.USER32(000000A9), ref: 00E42D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00E42D94

Strings

+, xrefs: 00E42CF0
0, xrefs: 00E42CE9
AutoIt v3 GUI, xrefs: 00E42D23
TaskbarCreated, xrefs: 00E42D37

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: e3eca67da570ad60c6a6598418e2ae9f57f3b6c9952d7a7486d496ab682d46b0
Instruction ID: 9e39ca80f39dd0b3fcf4dccf48b19d012682b3a6d84ee8955da06bb7fa249718
Opcode Fuzzy Hash: e3eca67da570ad60c6a6598418e2ae9f57f3b6c9952d7a7486d496ab682d46b0
Instruction Fuzzy Hash: C221B2B590221DAFDB00DFA5E849BDDBBB8FB08741F10811BE621B62A0D7B14544DF91

Function 00E8065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00E8039A: CreateFileW.KERNELBASE(00000000,00000000,?,00E80704,?,?,00000000,?,00E80704,00000000,0000000C), ref: 00E803B7

GetLastError.KERNEL32 ref: 00E8076F
__dosmaperr.LIBCMT ref: 00E80776
GetFileType.KERNELBASE(00000000), ref: 00E80782
GetLastError.KERNEL32 ref: 00E8078C
__dosmaperr.LIBCMT ref: 00E80795
CloseHandle.KERNEL32(00000000), ref: 00E807B5
CloseHandle.KERNEL32(?), ref: 00E808FF
GetLastError.KERNEL32 ref: 00E80931
__dosmaperr.LIBCMT ref: 00E80938

Strings

H, xrefs: 00E808BD

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: bb69f6e68918d2510af801f9492ac9b0690b822613d4545590ae60814c7113f8
Instruction ID: ae7644bbac790e77f938957f31d143e5fc07c5f795180ae25235f0550d80ef6d
Opcode Fuzzy Hash: bb69f6e68918d2510af801f9492ac9b0690b822613d4545590ae60814c7113f8
Instruction Fuzzy Hash: ACA12832A001088FDF19FF68D852BAD7BE0EB46324F14515AF819BB2A1DB319857DB91

Function 00E4344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00E43A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00F11418,?,00E42E7F,?,?,?,00000000), ref: 00E43A78

Part of subcall function 00E43357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00E43379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00E4356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00E8318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00E831CE
RegCloseKey.ADVAPI32(?), ref: 00E83210
_wcslen.LIBCMT ref: 00E83277
_wcslen.LIBCMT ref: 00E83286

Strings

\, xrefs: 00E8328C
Software\AutoIt v3\AutoIt, xrefs: 00E43560
Include, xrefs: 00E83184, 00E831C5
\Include\, xrefs: 00E43527

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: c7fb5d4c9e70cf42c26b21ade8f0b3ce79c7d2681ef3ea873ad53c6642a88391
Instruction ID: 57395be05b935978e8c3e4806856c8ef9ad9b418b38b557ed1ab86f643a0d5ec
Opcode Fuzzy Hash: c7fb5d4c9e70cf42c26b21ade8f0b3ce79c7d2681ef3ea873ad53c6642a88391
Instruction Fuzzy Hash: FA71D2714053059EC304EFA9EC8299BBBE8FF84740F41682EF559E31B1EB348A58DB52

Function 00E42B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00E42B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00E42B9D
LoadIconW.USER32(00000063), ref: 00E42BB3
LoadIconW.USER32(000000A4), ref: 00E42BC5
LoadIconW.USER32(000000A2), ref: 00E42BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00E42BEF
RegisterClassExW.USER32(?), ref: 00E42C40

Part of subcall function 00E42CD4: GetSysColorBrush.USER32(0000000F), ref: 00E42D07
Part of subcall function 00E42CD4: RegisterClassExW.USER32(00000030), ref: 00E42D31
Part of subcall function 00E42CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00E42D42
Part of subcall function 00E42CD4: InitCommonControlsEx.COMCTL32(?), ref: 00E42D5F
Part of subcall function 00E42CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00E42D6F
Part of subcall function 00E42CD4: LoadIconW.USER32(000000A9), ref: 00E42D85
Part of subcall function 00E42CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00E42D94

Strings

#, xrefs: 00E42C16
0, xrefs: 00E42C0F
AutoIt v3, xrefs: 00E42C2F

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 0b06074dbe8a0b1bb6dff4812a178da5b4f906c99f0348c7573943ad9342f674
Instruction ID: a8e15f0da920cc09ad9ab405f9d24cefa9c2440b6be9bc3cc87eaad3762d1764
Opcode Fuzzy Hash: 0b06074dbe8a0b1bb6dff4812a178da5b4f906c99f0348c7573943ad9342f674
Instruction Fuzzy Hash: AD212C70E02318AFDB109FA6EC55ADABFB4FB48B50F11801BF610B66A4D7B11554EF90

Function 00E43170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,00E4316A,?,?), ref: 00E431D8
KillTimer.USER32(?,00000001,?,?,?,?,?,00E4316A,?,?), ref: 00E43204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00E43227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,00E4316A,?,?), ref: 00E43232
CreatePopupMenu.USER32 ref: 00E43246
PostQuitMessage.USER32(00000000), ref: 00E43267

Strings

TaskbarCreated, xrefs: 00E4322D

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: f7c228720415c08cf19b2f9c5632b89c4a202a4f937433db8c9d84fd3e5b4f78
Instruction ID: 2a377c38c5a62043a303c5bc28dd601c09dcf0c99326e1c8e4def471f4382e36
Opcode Fuzzy Hash: f7c228720415c08cf19b2f9c5632b89c4a202a4f937433db8c9d84fd3e5b4f78
Instruction Fuzzy Hash: D6417B30200208ABDF142B78BC1DBF93B59F705348F14711AFA1AB62E2C7B1AB40E765

Function 00E41410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00E41459
CoUninitialize.COMBASE ref: 00E414F8
UnregisterHotKey.USER32(?), ref: 00E416DD
DestroyWindow.USER32(?), ref: 00E824B9
FreeLibrary.KERNEL32(?), ref: 00E8251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00E8254B

Strings

close all, xrefs: 00E41454

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 078e4404ca97fca06f9d4457a138503b6283d02158b6097eb36d3141f1a1d4e5
Instruction ID: 247d0ed9c3b6ab31c48383703fe400d250eeeb04436db2860942dca53c3ab03f
Opcode Fuzzy Hash: 078e4404ca97fca06f9d4457a138503b6283d02158b6097eb36d3141f1a1d4e5
Instruction Fuzzy Hash: 66D18A307012128FCB19EF15E499A69F7A0BF05304F2462AEE94E7B262DB30EC52CF51

Function 00E42C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00E42C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00E42CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00E41CAD,?), ref: 00E42CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00E41CAD,?), ref: 00E42CCF

Strings

edit, xrefs: 00E42CAC
AutoIt v3, xrefs: 00E42C89, 00E42C8E, 00E42C8F

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: edabfae8857b9f2b0d488673203de7f344c6027160587d23f67ca3b683416563
Instruction ID: bc9f3359cccb8720cea0bde07ff5bc6fc13a9419a90f451349e5538d3cdab25a
Opcode Fuzzy Hash: edabfae8857b9f2b0d488673203de7f344c6027160587d23f67ca3b683416563
Instruction Fuzzy Hash: FBF030755402947AEB3007236C08EB77E7DE7C6F50F11411AFA10A2164C2620841EE70

Function 00E43B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00E43B0F,SwapMouseButtons,00000004,?), ref: 00E43B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00E43B0F,SwapMouseButtons,00000004,?), ref: 00E43B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00E43B0F,SwapMouseButtons,00000004,?), ref: 00E43B83

Strings

Control Panel\Mouse, xrefs: 00E43B3E

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 482f5a63ae74c4e05fc42eeb24220e8eb646d3054667ce40dfdb7971b4ba7af5
Instruction ID: 5517fabbf46f0f47191e03271727cad77295ae5b31aeaf5da3a64507aa719665
Opcode Fuzzy Hash: 482f5a63ae74c4e05fc42eeb24220e8eb646d3054667ce40dfdb7971b4ba7af5
Instruction Fuzzy Hash: DD112AB5511208FFDB218FA5EC44AEEB7B9EF04784B10955AA805E7110D2319E449760

Function 00E91C90 Relevance: 6.0, APIs: 4, Instructions: 50windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 00E4DB7B
DispatchMessageW.USER32(?), ref: 00E4DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00E4DB9F
Sleep.KERNELBASE(0000000A), ref: 00E4DBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 00E91CC9

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: 8a911fc0d3e61309f5eb53332e4e2913e90dbdadb7b827d3cd66c69e4917c062
Instruction ID: a74cc014d6c2a22aecac5791dfb7e83dd9590c4e05a70ac71644eb66446a58ca
Opcode Fuzzy Hash: 8a911fc0d3e61309f5eb53332e4e2913e90dbdadb7b827d3cd66c69e4917c062
Instruction Fuzzy Hash: 3411CE307093469FEB38CB31EC98FA677A8EF45354F24555AE609A7091DB30E848DB15

Function 00E43923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00E833A2

Part of subcall function 00E46B57: _wcslen.LIBCMT ref: 00E46B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00E43A04

Strings

Line: , xrefs: 00E833EB

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: a96ac457dfc14454d95d99943f3e3c8f054f91143dc13c2dbac5be00cae7abc7
Instruction ID: 43b4c6c5b228ffa32a6016c4ecd1b9286e2b3a41a406593a17c48e6c3f224d0b
Opcode Fuzzy Hash: a96ac457dfc14454d95d99943f3e3c8f054f91143dc13c2dbac5be00cae7abc7
Instruction Fuzzy Hash: CB31C371448304AAD725EB30EC45BEBB7E8AF85714F10692AF6A9A21D1DB709648C7C3

Function 00E5FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00E60668

Part of subcall function 00E632A4: RaiseException.KERNEL32(?,?,?,00E6068A,?,00F11444,?,?,?,?,?,?,00E6068A,00E41129,00F08738,00E41129), ref: 00E63304

__CxxThrowException@8.LIBVCRUNTIME ref: 00E60685

Strings

Unknown exception, xrefs: 00E60692

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: b9283e463f9a110c35e81b05c4a870df31c7c8e50566476e39cdd2aa4dc65054
Instruction ID: 9585e581713404c449f4be6c813168585c34981d32777ec502192bf1911aa1d0
Opcode Fuzzy Hash: b9283e463f9a110c35e81b05c4a870df31c7c8e50566476e39cdd2aa4dc65054
Instruction Fuzzy Hash: 6BF0C23498020D77CB00BAB4FC56D9E77BC5E403D4B606531F914B69E2EF71DA6AC681

Function 00E410F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00E41BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00E41BF4
Part of subcall function 00E41BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00E41BFC
Part of subcall function 00E41BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00E41C07
Part of subcall function 00E41BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00E41C12
Part of subcall function 00E41BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00E41C1A
Part of subcall function 00E41BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00E41C22

Part of subcall function 00E41B4A: RegisterWindowMessageW.USER32(00000004,?,00E412C4), ref: 00E41BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00E4136A
OleInitialize.OLE32 ref: 00E41388
CloseHandle.KERNEL32(00000000,00000000), ref: 00E824AB

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 51fdbf469deb4705ee23785a84b54887528a7636cd9c92a4c6d61db35956947d
Instruction ID: e58b9c5764e5d69171d959777851b6670a220d84d5ebc0884d94e53f86604e78
Opcode Fuzzy Hash: 51fdbf469deb4705ee23785a84b54887528a7636cd9c92a4c6d61db35956947d
Instruction Fuzzy Hash: A471BBB49122098EC784DF7ABD556D53AE2FBC939431AD22ED30AE7362EB304445EF44

Function 00EAC161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E43923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00E43A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00EAC259
KillTimer.USER32(?,00000001,?,?), ref: 00EAC261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00EAC270

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: cbd2ff1097e30652fa87f7aa99cd8e4ab7a7d8e1f38dc78b8bf987a221fe8734
Instruction ID: b565689ebf197cf5257d92185ecabf813d0052e54c4c772ddfbd0071801f4037
Opcode Fuzzy Hash: cbd2ff1097e30652fa87f7aa99cd8e4ab7a7d8e1f38dc78b8bf987a221fe8734
Instruction Fuzzy Hash: 2831C8709047446FEB328F7498557E7BBEC9B1B308F10149ED2DAB7251D3746A84CB51

Function 00E786AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,00E785CC,?,00F08CC8,0000000C), ref: 00E78704
GetLastError.KERNEL32(?,00E785CC,?,00F08CC8,0000000C), ref: 00E7870E
__dosmaperr.LIBCMT ref: 00E78739

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: c5426aafde7d1d654531b9aab214a32cd39bbbf51854d5e806b63d8a3c519b17
Instruction ID: fe38efb050363c26f1b2fad7727bbeae81b59a9e53679cfb4daf2084a1714933
Opcode Fuzzy Hash: c5426aafde7d1d654531b9aab214a32cd39bbbf51854d5e806b63d8a3c519b17
Instruction Fuzzy Hash: 31016F33A4512036D62462746A4E77E27868BA177CF35E11AF80CFB0E2DEE08C818650

Function 00E4DB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 00E4DB7B
DispatchMessageW.USER32(?), ref: 00E4DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00E4DB9F
Sleep.KERNELBASE(0000000A), ref: 00E4DBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 00E91CC9

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: 781447b9b8672ff799139672fc3787231982218bd4c0d38cfd7c09c9f81eae0e
Instruction ID: 1cb1354de8ce03664900e8ff5a34b0bd74cdd4c7ac35afbd30605cde66bae923
Opcode Fuzzy Hash: 781447b9b8672ff799139672fc3787231982218bd4c0d38cfd7c09c9f81eae0e
Instruction Fuzzy Hash: D5F05E306093459BEB34CB71AC49FEA73A8EB44354F105A1AE61AA30C0DB30A488DB15

Function 00E51310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00E517F6

Strings

CALL, xrefs: 00E517C6

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 1e70187aee52cc6cf858c80b2fdbe5d75480eb6e5b5c1dd2703f00df47000431
Instruction ID: d893a3b025ce0fca4bc95f69c8c699fda6fef6558946729a3cc167d1fae87b6f
Opcode Fuzzy Hash: 1e70187aee52cc6cf858c80b2fdbe5d75480eb6e5b5c1dd2703f00df47000431
Instruction Fuzzy Hash: C922AD706083019FC714DF14C481B6ABBF1BF89315F14A99EF896AB362D771E949CB42

Function 00E42DE3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00E82C8C

Part of subcall function 00E43AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00E43A97,?,?,00E42E7F,?,?,?,00000000), ref: 00E43AC2

Part of subcall function 00E42DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00E42DC4

Strings

X, xrefs: 00E82C5A

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: 5bd599c2ef7b0e7f46c24ab7bdd5236930f9410afb4e9d29cfc7ff0546909ece
Instruction ID: 479c6942daa0bfd4bce743bbbd05c64fa646392d567b3b362ad9662845bf41e6
Opcode Fuzzy Hash: 5bd599c2ef7b0e7f46c24ab7bdd5236930f9410afb4e9d29cfc7ff0546909ece
Instruction Fuzzy Hash: 4921C370A002589FCB01EF94D805BEE7BFCAF48304F009059E609F7281DBB45A49DF61

Function 00E43837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00E43908

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 5e459d0d0f37339c4f2d273174cde342222baad201c1b8ac0134cfba8646a7ff
Instruction ID: 97716a7d7ecfe5a41ad2f6397fcda4e834f256add515142c2c3789f4a56eba31
Opcode Fuzzy Hash: 5e459d0d0f37339c4f2d273174cde342222baad201c1b8ac0134cfba8646a7ff
Instruction Fuzzy Hash: 8831A0B05043058FD720DF34E8857D7BBE4FB49708F00092EF6A9A3280E771AA44DB52

Function 00E5F645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00E5F661
Sleep.KERNEL32(00000000), ref: 00E9F2DE

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: SleepTimetime
String ID:
API String ID: 346578373-0
Opcode ID: 2ebc87946d56c8d6cee828d83202251049b40ee008cdc3cf8dee9e41702418f0
Instruction ID: f0faeba70962be637255110641c31ebaa8c76b4cfa6ad4752cf50143707e94b8
Opcode Fuzzy Hash: 2ebc87946d56c8d6cee828d83202251049b40ee008cdc3cf8dee9e41702418f0
Instruction Fuzzy Hash: 2DF08C31240205AFD310EF79E949BAAB7E9EF85761F00012AE85DE72A0DB70A804CB91

Function 00E44ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00E44E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00E44EDD,?,00F11418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00E44E9C
Part of subcall function 00E44E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00E44EAE
Part of subcall function 00E44E90: FreeLibrary.KERNEL32(00000000,?,?,00E44EDD,?,00F11418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00E44EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00F11418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00E44EFD

Part of subcall function 00E44E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00E83CDE,?,00F11418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00E44E62
Part of subcall function 00E44E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00E44E74
Part of subcall function 00E44E59: FreeLibrary.KERNEL32(00000000,?,?,00E83CDE,?,00F11418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00E44E87

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 442ea5f61fdbaba31b078ba22307fa562a33ca5ef54573cbd2eadd6ad604f9eb
Instruction ID: 4f4df9f8cf0b26c3a6d5e97de7540f9d8fc96c9bf4e56092e095eb4d8d772e3b
Opcode Fuzzy Hash: 442ea5f61fdbaba31b078ba22307fa562a33ca5ef54573cbd2eadd6ad604f9eb
Instruction Fuzzy Hash: C811E372700305ABCB14BF70EC02FAD77E5AF40B10F20A42EF546BA1D1EE709A499760

Function 00E78402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00E78440

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 785d40759ffc415f27517d2d27ed70a453b7496a4c38f8259153bead06069ea0
Instruction ID: fcb06b9c71d9d634afeaba011a716eba10c105f2fa87694d93f40e85cb711ea8
Opcode Fuzzy Hash: 785d40759ffc415f27517d2d27ed70a453b7496a4c38f8259153bead06069ea0
Instruction Fuzzy Hash: 6F11487190410AAFCB05DF58E9449DE7BF4EF48314F108059F818AB312EA70DA11CBA4

Function 00E6E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: b8eb17cdf11a3998efc85cafae312c082b743952add054f68e96690837f246e0
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: C4F02D36550A1496D7313A75FD05B9E33D89F623B4F105715F525B33D2CB70D80186A6

Function 00E73820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00F11444,?,00E5FDF5,?,?,00E4A976,00000010,00F11440,00E413FC,?,00E413C6,?,00E41129), ref: 00E73852

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: a20f1b2574c87ba4c12b7482f5c2291f7297ea8a2e0b797283ebaddd8ba1f43e
Instruction ID: 3547a153486c303656d93628c8176f9e39d9081420111704cf2ff213a7d929b7
Opcode Fuzzy Hash: a20f1b2574c87ba4c12b7482f5c2291f7297ea8a2e0b797283ebaddd8ba1f43e
Instruction Fuzzy Hash: 84E0E53114122596F7652A77AC00FDA77C8AB427F4F15A222FC1CB65D1CB31DD01B1E2

Function 00E44F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00F11418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00E44F6D

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 3be04341adf3a91d5908e7c70b5dccd9b838bf974b5b6f6b5d9c7d2f8b10e4fa
Instruction ID: 3994a81bfbef88181a77ed0fd30d60e33ae119a3d2ef9d24ff20c51410ebbd5d
Opcode Fuzzy Hash: 3be04341adf3a91d5908e7c70b5dccd9b838bf974b5b6f6b5d9c7d2f8b10e4fa
Instruction Fuzzy Hash: 1DF01CB1305752CFDB349F65E490956BBE4BF14319320A96EE1EAA2661C7319848DB10

Function 00ED2A55 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00ED2A66

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: 191acbc46c6a0fdcb81326b128f106aed68760c44e8a6b40ac09429ca2e368c6
Instruction ID: e6074a4a3887614c7753e4b04bb596f03e024152685cabbff96e80dc6cb55ae5
Opcode Fuzzy Hash: 191acbc46c6a0fdcb81326b128f106aed68760c44e8a6b40ac09429ca2e368c6
Instruction Fuzzy Hash: 08E048753511166EC714EA30DC804FA779CDBA5395710653BBD16E6240EB30D95686A0

Function 00E430F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 00E4314E

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: ede20d7b232b2d836c80d5efc572748c668ac1c0f6c12c73c5c0d2d5eb72899f
Instruction ID: a444c53e8b0775b1975e9b336aa03f3925cda7a1081d6ea88f06efb32f84cca2
Opcode Fuzzy Hash: ede20d7b232b2d836c80d5efc572748c668ac1c0f6c12c73c5c0d2d5eb72899f
Instruction Fuzzy Hash: 84F0A7709003189FE7529B24EC457D57BFCB70170CF0001E9A258A6285D7704788CF41

Function 00E42DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00E42DC4

Part of subcall function 00E46B57: _wcslen.LIBCMT ref: 00E46B6A

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: dc92a20e526c2ffd96f79b954a9db1c8ea828be7a2f0a84051adcd204d507ef4
Instruction ID: 0f6aab4bb52d6e418fb3a2038ac1802b8bad07b481293cb54be9f4b3cdabcc46
Opcode Fuzzy Hash: dc92a20e526c2ffd96f79b954a9db1c8ea828be7a2f0a84051adcd204d507ef4
Instruction Fuzzy Hash: 41E0CD726001245BCB10A2989C05FDA77DDDFC87D4F0400B1FD0DF7258D960AD84C651

Function 00E42B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00E43837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00E43908

SetCurrentDirectoryW.KERNEL32(?), ref: 00E42B6B

Part of subcall function 00E430F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 00E4314E

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectory
String ID:
API String ID: 2619246295-0
Opcode ID: fa13e4e472819d2d117e340dadee8405431e3b3bae061751f4f34acc4fcf018e
Instruction ID: 94d0a414e82a376f021ee5de6dbc68a3af64f4afdb28bd39b9eb9f9d4b724872
Opcode Fuzzy Hash: fa13e4e472819d2d117e340dadee8405431e3b3bae061751f4f34acc4fcf018e
Instruction Fuzzy Hash: BEE0862170424407CA08FB75B8565AEF7D9DBD6755F40353EF242B31A3CE6545898251

Function 00E8039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00E80704,?,?,00000000,?,00E80704,00000000,0000000C), ref: 00E803B7

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 57fe7a093191346b065deb32a9d46b88e368fb7e519e9ccde43dc136fc9be68c
Instruction ID: 0cd696c910461c659d4f3299ca304a64bde9ea4b0f3ab533817766873ecb6ea3
Opcode Fuzzy Hash: 57fe7a093191346b065deb32a9d46b88e368fb7e519e9ccde43dc136fc9be68c
Instruction Fuzzy Hash: A6D06C3204010DBFDF028F85ED06EDA3BAAFB48754F114000BE5866020C732E821EB90

Function 00E41CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00E41CBC

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 14126ab6f435094387aa61801611db27ac7f5b5f48c5f88553938393c23241a8
Instruction ID: df4ac21abf85d989e4da064012c141ae06923602e4601da8776efb3f329f56b7
Opcode Fuzzy Hash: 14126ab6f435094387aa61801611db27ac7f5b5f48c5f88553938393c23241a8
Instruction Fuzzy Hash: 8FC09236280309AFF6548BC0BC9AF907B65F34CB00F19C102F709A95E3C3A22820FA50

Non-executed Functions

Function 00ED9576 Relevance: 72.4, APIs: 39, Strings: 2, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00E59BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00E59BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00ED961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00ED965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00ED969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00ED96C9
SendMessageW.USER32 ref: 00ED96F2
GetKeyState.USER32(00000011), ref: 00ED978B
GetKeyState.USER32(00000009), ref: 00ED9798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00ED97AE
GetKeyState.USER32(00000010), ref: 00ED97B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00ED97E9
SendMessageW.USER32 ref: 00ED9810
SendMessageW.USER32(?,00001030,?,00ED7E95), ref: 00ED9918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00ED992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00ED9941
SetCapture.USER32(?), ref: 00ED994A
ClientToScreen.USER32(?,?), ref: 00ED99AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00ED99BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00ED99D6
ReleaseCapture.USER32 ref: 00ED99E1
GetCursorPos.USER32(?), ref: 00ED9A19
ScreenToClient.USER32(?,?), ref: 00ED9A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00ED9A80
SendMessageW.USER32 ref: 00ED9AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00ED9AEB
SendMessageW.USER32 ref: 00ED9B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00ED9B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00ED9B4A
GetCursorPos.USER32(?), ref: 00ED9B68
ScreenToClient.USER32(?,?), ref: 00ED9B75
GetParent.USER32(?), ref: 00ED9B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00ED9BFA
SendMessageW.USER32 ref: 00ED9C2B
ClientToScreen.USER32(?,?), ref: 00ED9C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00ED9CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00ED9CDE
SendMessageW.USER32 ref: 00ED9D01
ClientToScreen.USER32(?,?), ref: 00ED9D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00ED9D82

Part of subcall function 00E59944: GetWindowLongW.USER32(?,000000EB), ref: 00E59952

GetWindowLongW.USER32(?,000000F0), ref: 00ED9E05

Strings

@GUI_DRAGID, xrefs: 00ED997D
F, xrefs: 00ED9D07

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F
API String ID: 3429851547-4164748364
Opcode ID: 207390fbc2afa9d37b4d86a273268d274532e745d3c894ec26b229bd99d8083e
Instruction ID: 83f987b614e6fe54f260cbb7dc2243208a20a142dd237f77decb72b277ddbf0a
Opcode Fuzzy Hash: 207390fbc2afa9d37b4d86a273268d274532e745d3c894ec26b229bd99d8083e
Instruction Fuzzy Hash: 0A42BE30204201AFDB24CF24DC44AAABBE5FF48754F14561EF6A9A73E2D731E856DB42

Function 00ED4873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 00ED48F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00ED4908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00ED4927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 00ED494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 00ED495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 00ED497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 00ED49AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 00ED49D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00ED4A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00ED4A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00ED4A7E
IsMenu.USER32(?), ref: 00ED4A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00ED4AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00ED4B20
GetWindowLongW.USER32(?,000000F0), ref: 00ED4B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00ED4BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00ED4C82
wsprintfW.USER32 ref: 00ED4CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00ED4CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00ED4CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00ED4D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00ED4D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00ED4D5A

Strings

%d/%02d/%02d, xrefs: 00ED4CA8

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 735a8d09e49114ceabece3c78027411ada75d49b25b0f5962118dc5a0104ea0a
Instruction ID: af28778781d3a616326c1c04e9c506d6ba6460255e01d6a67b849e187d9d32d6
Opcode Fuzzy Hash: 735a8d09e49114ceabece3c78027411ada75d49b25b0f5962118dc5a0104ea0a
Instruction Fuzzy Hash: 331210B1600205AFEB248F25DC49FAE7BF8EF55714F10612AF915FA2E0DB749A42CB50

Function 00E5F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 00E5F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00E9F474
IsIconic.USER32(00000000), ref: 00E9F47D
ShowWindow.USER32(00000000,00000009), ref: 00E9F48A
SetForegroundWindow.USER32(00000000), ref: 00E9F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00E9F4AA
GetCurrentThreadId.KERNEL32 ref: 00E9F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00E9F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 00E9F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 00E9F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 00E9F4DE
SetForegroundWindow.USER32(00000000), ref: 00E9F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 00E9F4F6
keybd_event.USER32(00000012,00000000), ref: 00E9F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 00E9F50B
keybd_event.USER32(00000012,00000000), ref: 00E9F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 00E9F519
keybd_event.USER32(00000012,00000000), ref: 00E9F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 00E9F528
keybd_event.USER32(00000012,00000000), ref: 00E9F52D
SetForegroundWindow.USER32(00000000), ref: 00E9F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 00E9F557

Strings

Shell_TrayWnd, xrefs: 00E9F46F

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 0a2872db900ce5d1f47576c6baab7ec1de3f53db25a3d59b38b6fcf1a03f6bf9
Instruction ID: 8803d0eaa2751f640cfc20a4312532d0f4300deff49733441a20a74cb8e1cef3
Opcode Fuzzy Hash: 0a2872db900ce5d1f47576c6baab7ec1de3f53db25a3d59b38b6fcf1a03f6bf9
Instruction Fuzzy Hash: 17315271A412197EEF206BB66C49FBF7F6CEB44B50F210066F601F61D1C6B09D00EA61

Function 00EA1201 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 00EA16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00EA170D
Part of subcall function 00EA16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00EA173A
Part of subcall function 00EA16C3: GetLastError.KERNEL32 ref: 00EA174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00EA1286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 00EA12A8
CloseHandle.KERNEL32(?), ref: 00EA12B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00EA12D1
GetProcessWindowStation.USER32 ref: 00EA12EA
SetProcessWindowStation.USER32(00000000), ref: 00EA12F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00EA1310

Part of subcall function 00EA10BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00EA11FC), ref: 00EA10D4
Part of subcall function 00EA10BF: CloseHandle.KERNEL32(?,?,00EA11FC), ref: 00EA10E9

Strings

, xrefs: 00EA125A
default, xrefs: 00EA130B
winsta0, xrefs: 00EA12CC

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: 85704fed061c8900bb8e35a094b673afa9d597009aa088121c7a74b822e07ea2
Instruction ID: 1ffcd77d93266806ec079102a4c1175759c1d8184a5dba7ae7ec07df65e83dc8
Opcode Fuzzy Hash: 85704fed061c8900bb8e35a094b673afa9d597009aa088121c7a74b822e07ea2
Instruction Fuzzy Hash: 72819E71900209AFDF119FA9DC49FEE7BB9EF0D744F1451AAF920BA1A0C774A944CB21

Function 00EA0B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00EA10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00EA1114
Part of subcall function 00EA10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00EA0B9B,?,?,?), ref: 00EA1120
Part of subcall function 00EA10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00EA0B9B,?,?,?), ref: 00EA112F
Part of subcall function 00EA10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00EA0B9B,?,?,?), ref: 00EA1136
Part of subcall function 00EA10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00EA114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00EA0BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00EA0C00
GetLengthSid.ADVAPI32(?), ref: 00EA0C17
GetAce.ADVAPI32(?,00000000,?), ref: 00EA0C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00EA0C6D
GetLengthSid.ADVAPI32(?), ref: 00EA0C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00EA0C8C
HeapAlloc.KERNEL32(00000000), ref: 00EA0C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00EA0CB4
CopySid.ADVAPI32(00000000), ref: 00EA0CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00EA0CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00EA0D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00EA0D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00EA0D45
HeapFree.KERNEL32(00000000), ref: 00EA0D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00EA0D55
HeapFree.KERNEL32(00000000), ref: 00EA0D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00EA0D65
HeapFree.KERNEL32(00000000), ref: 00EA0D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00EA0D78
HeapFree.KERNEL32(00000000), ref: 00EA0D7F

Part of subcall function 00EA1193: GetProcessHeap.KERNEL32(00000008,00EA0BB1,?,00000000,?,00EA0BB1,?), ref: 00EA11A1
Part of subcall function 00EA1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00EA0BB1,?), ref: 00EA11A8
Part of subcall function 00EA1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00EA0BB1,?), ref: 00EA11B7

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: c98619d79d091faf9cbd5fdfdc4bb88a39fed2139c1c67d2345f19e7bdbf72ed
Instruction ID: 25e20835a46eee071662b84aedb00990ef1781747f0852107cf4265c5fec66fa
Opcode Fuzzy Hash: c98619d79d091faf9cbd5fdfdc4bb88a39fed2139c1c67d2345f19e7bdbf72ed
Instruction Fuzzy Hash: 22719C7290121AAFDF10DFA5EC44BAEBBB8FF09354F144115E914BB190D771A909CBA0

Function 00EBEAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00EDCC08), ref: 00EBEB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 00EBEB37
GetClipboardData.USER32(0000000D), ref: 00EBEB43
CloseClipboard.USER32 ref: 00EBEB4F
GlobalLock.KERNEL32(00000000), ref: 00EBEB87
CloseClipboard.USER32 ref: 00EBEB91
GlobalUnlock.KERNEL32(00000000), ref: 00EBEBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 00EBEBC9
GetClipboardData.USER32(00000001), ref: 00EBEBD1
GlobalLock.KERNEL32(00000000), ref: 00EBEBE2
GlobalUnlock.KERNEL32(00000000), ref: 00EBEC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 00EBEC38
GetClipboardData.USER32(0000000F), ref: 00EBEC44
GlobalLock.KERNEL32(00000000), ref: 00EBEC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 00EBEC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00EBEC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00EBECD2
GlobalUnlock.KERNEL32(00000000), ref: 00EBECF3
CountClipboardFormats.USER32 ref: 00EBED14
CloseClipboard.USER32 ref: 00EBED59

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 0c43b91d3ca4a845b6720699581d11eeb391d04392496613a8ef1d79bb202de7
Instruction ID: 930d26ced6e287c3c7b785a65c0e80cb59d0be1a2a3ce3195e79de56f8d9d516
Opcode Fuzzy Hash: 0c43b91d3ca4a845b6720699581d11eeb391d04392496613a8ef1d79bb202de7
Instruction Fuzzy Hash: D461A0352042029FD310EF25E885FABB7E8EF84758F14651AF456B72A2CB71DD09CB62

Function 00EB698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00EB69BE
FindClose.KERNEL32(00000000), ref: 00EB6A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00EB6A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00EB6A75

Part of subcall function 00E49CB3: _wcslen.LIBCMT ref: 00E49CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00EB6AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00EB6ADF

Strings

%03d, xrefs: 00EB6DA2
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00EB6B32
%4d%02d%02d%02d%02d%02d, xrefs: 00EB6B6A
%4d, xrefs: 00EB6BB1
%02d, xrefs: 00EB6C00, 00EB6C0A, 00EB6C5A, 00EB6CAA, 00EB6CFA, 00EB6D4A

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: cb82f0b20df9ab2a6d69cac5f7e861d4ab3a9a3de641bb088c79f84dff4de4b6
Instruction ID: 7207e7a5f80b42f7a5d6624915460cff32c8031bddc64e36fb570d1e61b40e8b
Opcode Fuzzy Hash: cb82f0b20df9ab2a6d69cac5f7e861d4ab3a9a3de641bb088c79f84dff4de4b6
Instruction Fuzzy Hash: 77D14271508300AFC714EBA4D891EAFB7ECAF88704F44591DF585E7192EB78DA48CB62

Function 00EB9642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00EB9663
GetFileAttributesW.KERNEL32(?), ref: 00EB96A1
SetFileAttributesW.KERNEL32(?,?), ref: 00EB96BB
FindNextFileW.KERNEL32(00000000,?), ref: 00EB96D3
FindClose.KERNEL32(00000000), ref: 00EB96DE
FindFirstFileW.KERNEL32(*.*,?), ref: 00EB96FA
SetCurrentDirectoryW.KERNEL32(?), ref: 00EB974A
SetCurrentDirectoryW.KERNEL32(00F06B7C), ref: 00EB9768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00EB9772
FindClose.KERNEL32(00000000), ref: 00EB977F
FindClose.KERNEL32(00000000), ref: 00EB978F

Strings

*.*, xrefs: 00EB96F5

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: c5368aac009b2882671d91a76362d834c48f6f1c1e0d66220677198b6e9d288d
Instruction ID: 477f0aeabb417e520eca6b65039dc6e0fe1a440efb38c0746422e3dfc3f58c3c
Opcode Fuzzy Hash: c5368aac009b2882671d91a76362d834c48f6f1c1e0d66220677198b6e9d288d
Instruction Fuzzy Hash: 3F31D07264161A6ECB20AFB5EC48ADF77ECDF49364F205157FA04F21A1EB34D944CA50

Function 00EB979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00EB97BE
FindNextFileW.KERNEL32(00000000,?), ref: 00EB9819
FindClose.KERNEL32(00000000), ref: 00EB9824
FindFirstFileW.KERNEL32(*.*,?), ref: 00EB9840
SetCurrentDirectoryW.KERNEL32(?), ref: 00EB9890
SetCurrentDirectoryW.KERNEL32(00F06B7C), ref: 00EB98AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 00EB98B8
FindClose.KERNEL32(00000000), ref: 00EB98C5
FindClose.KERNEL32(00000000), ref: 00EB98D5

Part of subcall function 00EADAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00EADB00

Strings

*.*, xrefs: 00EB983B

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: c2363b867b95f64ad2523ae09c5c1e8bf9863d396c5430e6cc840b6667743050
Instruction ID: ed3aba3130f830c6eb02f0d6be297807dbd4a13ef59cc3e153c186fa3e1e084a
Opcode Fuzzy Hash: c2363b867b95f64ad2523ae09c5c1e8bf9863d396c5430e6cc840b6667743050
Instruction Fuzzy Hash: 7A31F27254161A6EDB24AFB4EC48ADF77BCDF0A364F205166EA00F20A1DB30D948DB60

Function 00ECBE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00ECC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00ECB6AE,?,?), ref: 00ECC9B5
Part of subcall function 00ECC998: _wcslen.LIBCMT ref: 00ECC9F1
Part of subcall function 00ECC998: _wcslen.LIBCMT ref: 00ECCA68
Part of subcall function 00ECC998: _wcslen.LIBCMT ref: 00ECCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00ECBF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 00ECBFA9
RegCloseKey.ADVAPI32(00000000), ref: 00ECBFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00ECC02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00ECC0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00ECC154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00ECC1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 00ECC23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00ECC2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00ECC382
RegCloseKey.ADVAPI32(00000000), ref: 00ECC38F

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: 05d39825c0b36bee2371c1119b9d1d6bac1786ffbf81b49ab275615552555d13
Instruction ID: 09805840f822113d2a30beb89c459f27f4a16e64c7a24afb857285d864f6af19
Opcode Fuzzy Hash: 05d39825c0b36bee2371c1119b9d1d6bac1786ffbf81b49ab275615552555d13
Instruction Fuzzy Hash: 5B024E716042409FC714CF28D995F2ABBE5EF89318F18949DF849EB2A2D732EC46CB51

Function 00EB8195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00EB8257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00EB8267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00EB8273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00EB8310
SetCurrentDirectoryW.KERNEL32(?), ref: 00EB8324
SetCurrentDirectoryW.KERNEL32(?), ref: 00EB8356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00EB838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00EB8395

Strings

*.*, xrefs: 00EB839B

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: c753f7f1a1c615a18d02a1b5ada9234e975bb21eeedf9f1e7406e780320d50e2
Instruction ID: f7ed375c8c6cad6828da5ca2b102b2d51f1c4282a4b2064a14955e08dc69fd39
Opcode Fuzzy Hash: c753f7f1a1c615a18d02a1b5ada9234e975bb21eeedf9f1e7406e780320d50e2
Instruction Fuzzy Hash: EB616A725043059FC710EF64D84099FB3EDFF89314F04591AF989A7251EB35E909CB92

Function 00EAD076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00E43AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00E43A97,?,?,00E42E7F,?,?,?,00000000), ref: 00E43AC2

Part of subcall function 00EAE199: GetFileAttributesW.KERNEL32(?,00EACF95), ref: 00EAE19A

FindFirstFileW.KERNEL32(?,?), ref: 00EAD122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 00EAD1DD
MoveFileW.KERNEL32(?,?), ref: 00EAD1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 00EAD20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 00EAD237

Part of subcall function 00EAD29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,00EAD21C,?,?), ref: 00EAD2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 00EAD253
FindClose.KERNEL32(00000000), ref: 00EAD264

Strings

\*.*, xrefs: 00EAD0CD, 00EAD0D6, 00EAD0EB

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: ba7fc205b6547c51bcca324981bf54fa493701e81ee7fb1aaf12a549e0988d97
Instruction ID: 3cd9308bcbdbfe248c167277da91c0cb89bb5cad4f5cc9fd2ce2f6ef014fa0b8
Opcode Fuzzy Hash: ba7fc205b6547c51bcca324981bf54fa493701e81ee7fb1aaf12a549e0988d97
Instruction Fuzzy Hash: CB615D31C0610D9ECF05EBE0ED92AEDB7B5AF5A304F245165E4027B1A2EB346F09DB60

Function 00EBED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00EBED91
EmptyClipboard.USER32 ref: 00EBED97
GlobalAlloc.KERNEL32(00000002,?), ref: 00EBEDAC
CloseClipboard.USER32 ref: 00EBEEA3

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 9da623f1393b692299d7c3dbe53b0839800dcf5bfdb2a2f781dc11aca17ffbd1
Instruction ID: ded7399f6d92ae488658a5e73f8b543b15343829dab0b48a17c384bb6301141e
Opcode Fuzzy Hash: 9da623f1393b692299d7c3dbe53b0839800dcf5bfdb2a2f781dc11aca17ffbd1
Instruction Fuzzy Hash: 4D41EF30205612AFD310CF26E888B9ABBE5FF44358F24E099E425AB762C775EC41CBC0

Function 00EAE8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00EA16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00EA170D
Part of subcall function 00EA16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00EA173A
Part of subcall function 00EA16C3: GetLastError.KERNEL32 ref: 00EA174A

ExitWindowsEx.USER32(?,00000000), ref: 00EAE932

Strings

SeShutdownPrivilege, xrefs: 00EAE902
, xrefs: 00EAE920
@, xrefs: 00EAE925
, xrefs: 00EAE95C

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 4975ece6f32a3a6b1fd7ed23b818f19019c737d1c82475be0533af2deec58a2f
Instruction ID: e61f3434aae2fd4143754d1ed7b0e95a82bbdbdb8e4d2e9138c538f8ecc64f9c
Opcode Fuzzy Hash: 4975ece6f32a3a6b1fd7ed23b818f19019c737d1c82475be0533af2deec58a2f
Instruction Fuzzy Hash: 0C012632610311AFEB1422B9AC86BFB729C9B4E784F2464A2FC02FA2D1D5A07C4481A0

Function 00EC1204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00EC1276
WSAGetLastError.WSOCK32 ref: 00EC1283
bind.WSOCK32(00000000,?,00000010), ref: 00EC12BA
WSAGetLastError.WSOCK32 ref: 00EC12C5
closesocket.WSOCK32(00000000), ref: 00EC12F4
listen.WSOCK32(00000000,00000005), ref: 00EC1303
WSAGetLastError.WSOCK32 ref: 00EC130D
closesocket.WSOCK32(00000000), ref: 00EC133C

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 9d5f819410692149e0ad9b1c110e98181f675e73a8dff4899b2d38919c886681
Instruction ID: dd0dee481eea1b26f553316639560b5a868a9ee7da30f535b43d184769e20fce
Opcode Fuzzy Hash: 9d5f819410692149e0ad9b1c110e98181f675e73a8dff4899b2d38919c886681
Instruction Fuzzy Hash: A041A0356001419FD714DF24D584F29BBE5EF46318F28918DD856AF2A3C732EC86DBA1

Function 00EAD3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00E43AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00E43A97,?,?,00E42E7F,?,?,?,00000000), ref: 00E43AC2

Part of subcall function 00EAE199: GetFileAttributesW.KERNEL32(?,00EACF95), ref: 00EAE19A

FindFirstFileW.KERNEL32(?,?), ref: 00EAD420
DeleteFileW.KERNEL32(?,?,?,?), ref: 00EAD470
FindNextFileW.KERNEL32(00000000,00000010), ref: 00EAD481
FindClose.KERNEL32(00000000), ref: 00EAD498
FindClose.KERNEL32(00000000), ref: 00EAD4A1

Strings

\*.*, xrefs: 00EAD3F2

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: eda246a229c0365aa2ed2d573acdb73c9e790d6ae7833c3e1b999b590a68e9ff
Instruction ID: b05f46a3ac9404aaf104b11cddc43c038a40aebe69984c735607053de94f0c40
Opcode Fuzzy Hash: eda246a229c0365aa2ed2d573acdb73c9e790d6ae7833c3e1b999b590a68e9ff
Instruction Fuzzy Hash: E531727100D3459FC304EF64E8558AF77E8AE9A314F446A2DF4E2631A1EB30AA09D763

Function 00E7E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00E7E645

Strings

1#QNAN, xrefs: 00E7F84B
1#SNAN, xrefs: 00E7F844
1#IND, xrefs: 00E7F83D
1#INF, xrefs: 00E7F852

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: c042906b44b52d05239c06e5fd8d32ccc7da0edd1f8ba3f852942a8c388dc3af
Instruction ID: 58a0f769a54dbd9bfde5d09c8e8f59e997df20bc96f32fa46e0062ab8b5b5e98
Opcode Fuzzy Hash: c042906b44b52d05239c06e5fd8d32ccc7da0edd1f8ba3f852942a8c388dc3af
Instruction Fuzzy Hash: D9C22972E086298FDB29CE28DD407EAB7B5EB49305F1491EAD44DF7241E774AE818F40

Function 00EB648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00EB64DC
CoInitialize.OLE32(00000000), ref: 00EB6639
CoCreateInstance.OLE32(00EDFCF8,00000000,00000001,00EDFB68,?), ref: 00EB6650
CoUninitialize.OLE32 ref: 00EB68D4

Strings

.lnk, xrefs: 00EB64BA, 00EB6524, 00EB65E0

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: fe8ef9693371eac7437e0c73065c1cd0df05249df03aa415dcaf6ff40f9835b7
Instruction ID: 02cd940b522b5d10f01e5dbef5662dde1e220d0bf1849d1a1ec407f7d4b10e2c
Opcode Fuzzy Hash: fe8ef9693371eac7437e0c73065c1cd0df05249df03aa415dcaf6ff40f9835b7
Instruction Fuzzy Hash: C7D159716093019FC314EF24D881DABB7E8FF98304F14596DF595AB2A2DB31E909CB92

Function 00EC22DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 00EC22E8

Part of subcall function 00EBE4EC: GetWindowRect.USER32(?,?), ref: 00EBE504

GetDesktopWindow.USER32 ref: 00EC2312
GetWindowRect.USER32(00000000), ref: 00EC2319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00EC2355
GetCursorPos.USER32(?), ref: 00EC2381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00EC23DF

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 37a9a07ca519b937aa0d9ffbd10db3a1f52df991e58420d3fe5b8ab4b589edb2
Instruction ID: c8e071173daab4885897037d8360d8b41836da500d2418ea1a607264b72aa621
Opcode Fuzzy Hash: 37a9a07ca519b937aa0d9ffbd10db3a1f52df991e58420d3fe5b8ab4b589edb2
Instruction Fuzzy Hash: 2031DE72105346AFCB20DF19D904F9BB7A9FB88714F10191EF984A7181DA35E909CB92

Function 00EB9B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00E49CB3: _wcslen.LIBCMT ref: 00E49CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00EB9B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00EB9C8B

Part of subcall function 00EB3874: GetInputState.USER32 ref: 00EB38CB
Part of subcall function 00EB3874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00EB3966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00EB9BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00EB9C75

Strings

*.*, xrefs: 00EB9B5D

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: d735f93a7f136cb9f5ccf4c9b4e886e08617fd52e912c8e82caf59f84362144f
Instruction ID: 4ca11864184f32fdc87c7695ca01d3f37928dcfa101a1ea79a50892fb97972ff
Opcode Fuzzy Hash: d735f93a7f136cb9f5ccf4c9b4e886e08617fd52e912c8e82caf59f84362144f
Instruction Fuzzy Hash: 68417E7194020A9FCF14DFA4D889AEEBBF4EF05354F245156E505B21A2EB309E44CF60

Function 00E5997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00E59BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00E59BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00E59A4E
GetSysColor.USER32(0000000F), ref: 00E59B23
SetBkColor.GDI32(?,00000000), ref: 00E59B36

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 213502412a30f1875ae5b618d1ba164bc9f80fc7f00d9c6b2d1653436be6ecb7
Instruction ID: e991aa8b500467bcff86a0bf8d9b0af14f6a31608b24ad48844238fbb28bfacc
Opcode Fuzzy Hash: 213502412a30f1875ae5b618d1ba164bc9f80fc7f00d9c6b2d1653436be6ecb7
Instruction Fuzzy Hash: 36A15CB0218144FEEB289A3C8C48DFB369DEB42346F15790AF942F66D3CA259D0DD275

Function 00EC1806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00EC304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00EC307A
Part of subcall function 00EC304E: _wcslen.LIBCMT ref: 00EC309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00EC185D
WSAGetLastError.WSOCK32 ref: 00EC1884
bind.WSOCK32(00000000,?,00000010), ref: 00EC18DB
WSAGetLastError.WSOCK32 ref: 00EC18E6
closesocket.WSOCK32(00000000), ref: 00EC1915

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: f4996a1eca3ff34f356ac2be4f6ac43b42c422a45d01fbbf01928fc6e9082fff
Instruction ID: b5783655b5d5dd336b8adc63228a01c7edf4873f55daa6c4781a9d80b1151601
Opcode Fuzzy Hash: f4996a1eca3ff34f356ac2be4f6ac43b42c422a45d01fbbf01928fc6e9082fff
Instruction Fuzzy Hash: 6251E071A00200AFDB10AF24D986F2AB7E5AB45718F18948CF9057F383C771AD42CBA1

Function 00ED1C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00ED1CC0
IsWindowEnabled.USER32 ref: 00ED1CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00ED1CDB
IsIconic.USER32 ref: 00ED1CE9
IsZoomed.USER32 ref: 00ED1CF7

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 1b50ff85a8d3833de12ed6d54c1bd1550aa30b99db8053251d17bcccbd06f523
Instruction ID: e0fc917365b182e51e0d5c97e3f1d18c1ae5abecbd80f083b9012200fb4439b4
Opcode Fuzzy Hash: 1b50ff85a8d3833de12ed6d54c1bd1550aa30b99db8053251d17bcccbd06f523
Instruction Fuzzy Hash: B92127317512016FD7248F2AD844B6ABBE5EF84319F29A09EE846EB351C771EC43CB90

Function 00E48060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00E85DF0
VUUU, xrefs: 00E483E8
VUUU, xrefs: 00E483FA
ERCP, xrefs: 00E4813C
VUUU, xrefs: 00E4843C

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 688611b9938f8d8cfb817c40f6345a22bc7d83e6869e7e19ae9150cbacae0f63
Instruction ID: f0e7da436bc44c66b1d1775b697bfc4a048daea386c54bd7bbe5877b18365af5
Opcode Fuzzy Hash: 688611b9938f8d8cfb817c40f6345a22bc7d83e6869e7e19ae9150cbacae0f63
Instruction Fuzzy Hash: C0A28C71A0021ACBDF24DF58D9407EEB7B1BB54318F2491AAE81DB7285EB749D81CF90

Function 00EAAA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 00EAAAAC
SetKeyboardState.USER32(00000080), ref: 00EAAAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 00EAAB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 00EAAB88

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 5a9c2462101e06a0ae1594722ff01e83c2344e1124dba40515f6a2633883d44c
Instruction ID: 2d8f3c3ecfad7c31784d8087dade4d7c92fd67736f94431bb4c98fc56a59922c
Opcode Fuzzy Hash: 5a9c2462101e06a0ae1594722ff01e83c2344e1124dba40515f6a2633883d44c
Instruction Fuzzy Hash: 83312B30A40308AEEB308A65CC05BFA77E6AB4E314F18622AE0817A1D1D374A985C772

Function 00E7BB6F Relevance: 6.1, APIs: 4, Instructions: 90timeCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00E7BB7F

Part of subcall function 00E729C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00E7D7D1,00000000,00000000,00000000,00000000,?,00E7D7F8,00000000,00000007,00000000,?,00E7DBF5,00000000), ref: 00E729DE
Part of subcall function 00E729C8: GetLastError.KERNEL32(00000000,?,00E7D7D1,00000000,00000000,00000000,00000000,?,00E7D7F8,00000000,00000007,00000000,?,00E7DBF5,00000000,00000000), ref: 00E729F0

GetTimeZoneInformation.KERNEL32 ref: 00E7BB91
WideCharToMultiByte.KERNEL32(00000000,?,00F1121C,000000FF,?,0000003F,?,?), ref: 00E7BC09
WideCharToMultiByte.KERNEL32(00000000,?,00F11270,000000FF,?,0000003F,?,?,?,00F1121C,000000FF,?,0000003F,?,?), ref: 00E7BC36

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone_free
String ID:
API String ID: 806657224-0
Opcode ID: f52765e34293b2832cf2a72d25287eef7862accf663482615e4a9c2df115381d
Instruction ID: 6d607be3d04e0246fb6855263479aafd5a9ae002522056493ea0cfcdb9962975
Opcode Fuzzy Hash: f52765e34293b2832cf2a72d25287eef7862accf663482615e4a9c2df115381d
Instruction Fuzzy Hash: 4C31F270904249EFCB11DF69DC80AA9BBB8FF45350B15D2AAE118FB2A1C7709D41EB50

Function 00EBCE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 00EBCE89
GetLastError.KERNEL32(?,00000000), ref: 00EBCEEA
SetEvent.KERNEL32(?,?,00000000), ref: 00EBCEFE

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: e0b84d36dc232042125b3e49e1b8e53341daeab533a43a62280452eb8958fea7
Instruction ID: 604334c2866849024459bec55f17169701b04b29556e9b6a7e0d2b70db844d2b
Opcode Fuzzy Hash: e0b84d36dc232042125b3e49e1b8e53341daeab533a43a62280452eb8958fea7
Instruction Fuzzy Hash: 7D21AC71608706DFDB209FA5E948BA777F8EB00358F20541AE646E2151E770EA08CBA0

Function 00EA8298 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 00EA82AA

Strings

(, xrefs: 00EA82F0
|, xrefs: 00EA82DA

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 8369f215e1ec802fec1cdf9656bb4c9b69abc07e453ac86ad29df9e3b27a4680
Instruction ID: a4323a4e47fdb3d6ebcc9c043bafdae6fcd56d01f9ed86c09140408016711286
Opcode Fuzzy Hash: 8369f215e1ec802fec1cdf9656bb4c9b69abc07e453ac86ad29df9e3b27a4680
Instruction Fuzzy Hash: CA323574A007059FCB28CF59C581AAAB7F0FF48714B15D56EE49AEB3A1EB70E941CB40

Function 00EB5C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00EB5CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00EB5D17
FindClose.KERNEL32(?), ref: 00EB5D5F

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 9fea8dfe7bb2add8d6d4e1355389758682d85afba364ce823acd57f56e1266aa
Instruction ID: e61b962e254d0f028e4fc59aed72b2fedef3e06ccd89daed40eac57bfd05bf69
Opcode Fuzzy Hash: 9fea8dfe7bb2add8d6d4e1355389758682d85afba364ce823acd57f56e1266aa
Instruction Fuzzy Hash: 9C51AA75604A019FC714CF28D494A96B7E4FF49318F24965EE99AAB3A1CB30FD04CF91

Function 00E72622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 00E7271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00E72724
UnhandledExceptionFilter.KERNEL32(?), ref: 00E72731

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 54fd4f21b4f81ae6a2d426225aa8dcc6de1ea72e5210a0badfffee44c5461969
Instruction ID: c5c1d3c0dd03271da6c693d085602d89b81c3d34c122a858ffbc33d01a3db0fe
Opcode Fuzzy Hash: 54fd4f21b4f81ae6a2d426225aa8dcc6de1ea72e5210a0badfffee44c5461969
Instruction Fuzzy Hash: 7C31D574D5122D9BCB21DF68DD8879DB7B8AF08350F5052EAE91CA7260E7309F858F44

Function 00EB51CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00EB51DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00EB5238
SetErrorMode.KERNEL32(00000000), ref: 00EB52A1

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 26b6c16d751b8bee3c797ba98abdf866d9a36a3524e3462942f80fbf32e2d7c1
Instruction ID: f4924257ee179838f7c612a5fe09ec43a6d601e6c709565d2b84f9870286c2b1
Opcode Fuzzy Hash: 26b6c16d751b8bee3c797ba98abdf866d9a36a3524e3462942f80fbf32e2d7c1
Instruction Fuzzy Hash: 9D316B35A00518DFDB00DF54D884EAEBBF4FF09318F188099E805AB362CB35E84ACB90

Function 00EA16C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00E5FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00E60668
Part of subcall function 00E5FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00E60685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00EA170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00EA173A
GetLastError.KERNEL32 ref: 00EA174A

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: 5904f188d9f716a7c273baf853196e6d34c620c6da9a52b0f65ffffadd52b5c5
Instruction ID: 8038ef606234dc1b52faec3812050c316e9181108154f33cfd3d4bca9287e245
Opcode Fuzzy Hash: 5904f188d9f716a7c273baf853196e6d34c620c6da9a52b0f65ffffadd52b5c5
Instruction Fuzzy Hash: A31101B2400305AFD7189F54EC86E6AB7F8EB09754B20856EF446A7241EB70BC45CB20

Function 00EAD5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00EAD608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 00EAD645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00EAD650

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 2a077ebed2c4fa12a5f73b5384bd9e3711aeb6d98e78a61ca2c26c6f3db14f91
Instruction ID: 0da9eaed6b0fcae0cc36905c788bf1643e9f474e1db81ce83e2d5757476e2500
Opcode Fuzzy Hash: 2a077ebed2c4fa12a5f73b5384bd9e3711aeb6d98e78a61ca2c26c6f3db14f91
Instruction Fuzzy Hash: 39118EB1E05228BFDB108F95EC44FAFBBBCEB49B50F108152F904F7290C2705A058BA1

Function 00EA1663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00EA168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00EA16A1
FreeSid.ADVAPI32(?), ref: 00EA16B1

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 5dbb4ad850b4aef1ba3818db497cb15726fe71f75ae37a5bfd20f1b8d85922af
Instruction ID: 2b7d307d7313f5549cb8882c87bef58c4204d0e4dddeee5cede7daeb92e2e947
Opcode Fuzzy Hash: 5dbb4ad850b4aef1ba3818db497cb15726fe71f75ae37a5bfd20f1b8d85922af
Instruction Fuzzy Hash: 92F0F471951309FFDF00DFE59C89AAEBBBCEB08644F5045A5E501E2181E774AA489A50

Function 00E9D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00E9D28C

Strings

X64, xrefs: 00E9D2A8

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 127c0c3e2e492691856ebedaf245c628a6d0ca614bd562e6ee2c1ea1621d90e0
Instruction ID: 69e81a45222168db081b3cce7d3a7c486d2f104dfd537e7d85ea7d160790bab5
Opcode Fuzzy Hash: 127c0c3e2e492691856ebedaf245c628a6d0ca614bd562e6ee2c1ea1621d90e0
Instruction Fuzzy Hash: 48D0C9B480512DEECF90CB90EC88DD9B37CFB04345F100552F506B2080D73095488F10

Function 00E6CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: f745cfb2b28293938f5a0d7ca4c6ebeac9b6fe71a102a0967cc08f798c8dd093
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: 2F023B71E402199BDF14CFA9D8806ADFBF1EF88354F25916AD859FB380D731AA41CB90

Function 00EB68EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00EB6918
FindClose.KERNEL32(00000000), ref: 00EB6961

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: be000ff2110ff5b5e99c25d3c4690137ea75d5167baecfd13597eb7bf1aeb489
Instruction ID: af807acd4400e3ac72f522a9ed71dcc7d5735fcdecb7c4dc90e5a09430fe4113
Opcode Fuzzy Hash: be000ff2110ff5b5e99c25d3c4690137ea75d5167baecfd13597eb7bf1aeb489
Instruction Fuzzy Hash: 9B11E2316046019FC710CF29D484A16BBE1FF84328F14C699F8699F7A2C734EC05CB90

Function 00EB37B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00EC4891,?,?,00000035,?), ref: 00EB37E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00EC4891,?,?,00000035,?), ref: 00EB37F4

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: bcb37172e9eaea9b52ff33dce189676370754b763500dbecb73dba15d283f60f
Instruction ID: 584da97fcfaef2656eecd55635d0db2d2e61d23699d3bfb2fcdd126aa33abf65
Opcode Fuzzy Hash: bcb37172e9eaea9b52ff33dce189676370754b763500dbecb73dba15d283f60f
Instruction Fuzzy Hash: 60F0EC707052356AD71017B66C4DFDB779DEFC4761F100166F509F2191D9605904C7B0

Function 00EAB226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00EAB25D
keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 00EAB270

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 131b2d1f9c689ffc3f1755cefac5018edd2efba88b509b9a8f17a2654ab7ae37
Instruction ID: f100df0233d6cb4157fc50c658961a1c90523dd702393bc27f4870fa254b78ab
Opcode Fuzzy Hash: 131b2d1f9c689ffc3f1755cefac5018edd2efba88b509b9a8f17a2654ab7ae37
Instruction Fuzzy Hash: D9F06D7080424EAFDB058FA1D805BEE7BB4FF08309F10804AF951A91A2C3799205DFA4

Function 00EA10BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00EA11FC), ref: 00EA10D4
CloseHandle.KERNEL32(?,?,00EA11FC), ref: 00EA10E9

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 996e0d8070651ac13fcd1bb66a07fe57d8ba2dfd3393f8f8a1e91c4107e3fe32
Instruction ID: 0d29c5fde237f6591117c915852a5adc3110294861df175df5346124028f6932
Opcode Fuzzy Hash: 996e0d8070651ac13fcd1bb66a07fe57d8ba2dfd3393f8f8a1e91c4107e3fe32
Instruction Fuzzy Hash: 04E04F32008601AEE7252B11FC06F7377E9EB04321F20882EF9A5904B1DB626C94DB10

Function 00E4CAF0 Relevance: 1.9, Strings: 1, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 00E90C40

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.
API String ID: 0-1840281001
Opcode ID: ecf939e3cb9d311f686b5e39df0f9eb3a3eea7596895a7452b597018e89d79ca
Instruction ID: 3895e5ae798c2d95135c5af48b799497c9a463ae74e532670823b01b8408a686
Opcode Fuzzy Hash: ecf939e3cb9d311f686b5e39df0f9eb3a3eea7596895a7452b597018e89d79ca
Instruction Fuzzy Hash: 4D328C70A01218DFCF54DF90E881AEDB7F5BF04308F646069E806BB292D775AE49CB51

Function 00E7676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00E76766,?,?,00000008,?,?,00E7FEFE,00000000), ref: 00E76998

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: c4e062eb8f3ef88bf291c4039619f478634e0f4db52d0be5de11fc8545ebe67c
Instruction ID: 288c9deec47d916d0f88ff407f3ef69113f65278fb31594c8d494ade3caa8b58
Opcode Fuzzy Hash: c4e062eb8f3ef88bf291c4039619f478634e0f4db52d0be5de11fc8545ebe67c
Instruction Fuzzy Hash: D1B15A31510A099FEB19CF28C486BA47BA0FF4536CF25D658E99DDF2A2C335D985CB40

Function 00E5B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 00E9851F

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 27f27ef3bcaffaea332546f642ab64086685eae004bac4d2db74eede92c3336a
Instruction ID: 66d51a5b02c6600f08322ad3bf127e337dbbadeda0578f60d534046f4f0728a4
Opcode Fuzzy Hash: 27f27ef3bcaffaea332546f642ab64086685eae004bac4d2db74eede92c3336a
Instruction Fuzzy Hash: 65125E719002299FCF24CF58C9806EEB7F5FF48710F1495AAE849FB251EB309A85CB90

Function 00EBEAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00EBEABD

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 1294b131ae9ee6417c5b89271af1979ba5c180dd9bc59e376be93220a9a760cd
Instruction ID: eabadcdb31dab44adf2383981fd2a70825f3b97093efa623a671b3c8c92d5891
Opcode Fuzzy Hash: 1294b131ae9ee6417c5b89271af1979ba5c180dd9bc59e376be93220a9a760cd
Instruction Fuzzy Hash: 61E01A312002049FC710EF6AE804EDAF7EDAF987A0F109416FC49E7391DA74E8448B90

Function 00E609D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,00E603EE), ref: 00E609DA

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 128992c9a0924e98686d029631696cc138958293d2a4f309f701d02586dc4cb1
Instruction ID: a51352dea29d5da1aae6c28f4b69eb0c5a151e18a0a3b1a529b1576b1b15d2aa
Opcode Fuzzy Hash: 128992c9a0924e98686d029631696cc138958293d2a4f309f701d02586dc4cb1
Instruction Fuzzy Hash:

Function 00E6781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 00E6798B

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: e28de22f18323e8738e4032b13a837609c76468a38f2786d242f951a0b6e3ed0
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 815175616CC7155ADB3C8578B95A7FE67D59B823CCF183A09D8C2F7282C611EE41C352

Function 00E76DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4c0a90d39b8f0880a393ad7422cafc973ccc430c49948ee9628ca16e5862d6e
Instruction ID: d3b2989061178b3841704a7c655c19f9a09ee567bd8e524cc4acd4cc21fbcdd1
Opcode Fuzzy Hash: c4c0a90d39b8f0880a393ad7422cafc973ccc430c49948ee9628ca16e5862d6e
Instruction Fuzzy Hash: 61327722D28F454DD7239A35CC62335664DAFB33C9F15E33BF86AB99A5EB28C4834100

Function 00E5CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23015ca265ea2371c5dc6969254b61d8b32be6b128f0564d495978259327052d
Instruction ID: 3b41a8e60b8ed503fe562693d5582591b50509ffd18e6437e78d4309345cc5ab
Opcode Fuzzy Hash: 23015ca265ea2371c5dc6969254b61d8b32be6b128f0564d495978259327052d
Instruction Fuzzy Hash: E3324D31A002458FDF24EF28C4A46BDBBA1EF45309F38A966D95AF7292D330DD85DB41

Function 00E47920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4cc6ac88b6cec5d087643dba9ab4820af3e7f50a47e344f1cc1f5926eebda0b
Instruction ID: 9418db575c0d50f9fca21dbfc9c19f26433baccc40a183e888a55ba99e9508dd
Opcode Fuzzy Hash: b4cc6ac88b6cec5d087643dba9ab4820af3e7f50a47e344f1cc1f5926eebda0b
Instruction Fuzzy Hash: BA22AFB1A006099FDF14DF64D881AEEB3F6FF48304F146529E85AB7291EB359D14CB90

Function 00E491C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d735631050d6a338ea9e5e54f57837e4a3c7b9ffb300f7a2a2d6111f3b324b5a
Instruction ID: 892e1c86a3e8f8972cbee48e23541117006a2f91213e732a5c85686458c9c86b
Opcode Fuzzy Hash: d735631050d6a338ea9e5e54f57837e4a3c7b9ffb300f7a2a2d6111f3b324b5a
Instruction Fuzzy Hash: DD02A6B1E00119EBDB04EF64D881AAEB7F5FF44304F109565E81ABB391EB31AE14CB95

Function 00E79EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1737cf7944651f8ce679964b7215a09e5dfaa4a85c1b3a9c82f525a178b9a9ff
Instruction ID: 84c53d66de31f4a72bf1407f37cd623394cc4164eac872639898fb2eeac84ca1
Opcode Fuzzy Hash: 1737cf7944651f8ce679964b7215a09e5dfaa4a85c1b3a9c82f525a178b9a9ff
Instruction Fuzzy Hash: C3B12520D2AF844DC323963A8875336B65CAFBB6C5F91D31BFC2679D22EB2285874140

Function 00E61C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 62f2a4ea21fa1a55fb805f44a572373cda1a1855bd72bbb6e4de06213bb6d9dd
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: F79178726480E34ADB2F463AA57407DFFE15A923E631E27DED4F2DA1C1EE20C554E620

Function 00E61F32 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: 6f5aee6c93aaa1a79c9f8099a5a29e2a2d8b2280f489c304f636a17c845e3d6a
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: 3891B67224D4E30ADB6E4239943407EFFE15A923E530E17DDD5F2EB1C1EE248954E620

Function 00E619B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 7320e47ab629cd8acb4662a514797d1a60cd5577a2dca0ae13fc3e28191ed449
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 9E91A3322490E34ADB2F427AA57407DFFE15A923E631E27DDD4F2EA1C1FD148554E620

Function 00E67A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc81c82a6aefd173da273a4439c703ea70c765aeea8ca6fd5c29bf869fa744fe
Instruction ID: bbce84a6cb32f16bc6df218121047e9c2ecbbbb2aa125f319845ce9af0b00e5f
Opcode Fuzzy Hash: bc81c82a6aefd173da273a4439c703ea70c765aeea8ca6fd5c29bf869fa744fe
Instruction Fuzzy Hash: 2B6179312C830956DA349A68BDA5BFE63D6DF417CCF103A19E8C2FB281DA119E42C315

Function 00E67CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8886071ef8d770af383eebb9520f45e43df3b2e81ea008822f76a9053935d752
Instruction ID: acce68d2c9d1cb7493d9f2f368231ab79c07bbd2f7d52aaa4c641c710ae7b0d9
Opcode Fuzzy Hash: 8886071ef8d770af383eebb9520f45e43df3b2e81ea008822f76a9053935d752
Instruction Fuzzy Hash: 8A6179316C870956DA388A28B955BBF23C49F437CCF103D5EE9C2FB281EA12AD46C355

Function 00E61706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 5859ae1b45b1b9b2fc35fea00232732fc3132899b43aa822de467bfdc7a691be
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 3D8161726480E30ADB6F823A953407EFFE15A923E531E27DED4F2DB1C1EE249554E620

Function 00EB2046 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2b2d792071d3d466ff05be23aaf14e1eefe31ddf6e4b421f8706f09f2ad14eb
Instruction ID: 75457d5ac0c09eb27e5ff6bf8dd96618d0c348003039c38630c43e025da7ed2e
Opcode Fuzzy Hash: f2b2d792071d3d466ff05be23aaf14e1eefe31ddf6e4b421f8706f09f2ad14eb
Instruction Fuzzy Hash: C721E7323206158BDB28CF79C8236BE73E5AB54310F158A2EE4A7D33D0DE35A904DB80

Function 00E5D071 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5eccedda4d59d461ace39051ca89190d02fb05e6e9ef7f3bff90add423f835b6
Instruction ID: d93f52d3f7135b4b8f3aa4e95b6eea1228a09e60594e80fd9dd8b36be13ecfd8
Opcode Fuzzy Hash: 5eccedda4d59d461ace39051ca89190d02fb05e6e9ef7f3bff90add423f835b6
Instruction Fuzzy Hash: B9F0DE0204DEDABBCB5B0622987F1A66FB0C84702422807CF849B06BD79BCC109DC352

Function 00EC2ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00EC2B30
DeleteObject.GDI32(00000000), ref: 00EC2B43
DestroyWindow.USER32 ref: 00EC2B52
GetDesktopWindow.USER32 ref: 00EC2B6D
GetWindowRect.USER32(00000000), ref: 00EC2B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00EC2CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00EC2CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00EC2CF8
GetClientRect.USER32(00000000,?), ref: 00EC2D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00EC2D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00EC2D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00EC2D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00EC2D80
GlobalLock.KERNEL32(00000000), ref: 00EC2D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00EC2D98
GlobalUnlock.KERNEL32(00000000), ref: 00EC2DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00EC2DA8
GlobalFree.KERNEL32(00000000), ref: 00EC2DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00EC2DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,00EDFC38,00000000), ref: 00EC2DDB
GlobalFree.KERNEL32(00000000), ref: 00EC2DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00EC2E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00EC2E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00EC2E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00EC303F

Strings

, xrefs: 00EC2FC5
static, xrefs: 00EC2D3A, 00EC2E91
AutoIt v3, xrefs: 00EC2CF2
DISPLAY, xrefs: 00EC2EA2

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 30f87ed827aeecfe911223f58ce8a4b71d1e09d8ef01470de223ace09725f984
Instruction ID: 827ee94c17b2a395d80f7bb784f8655bdf822858598a4407694c863e6c25240c
Opcode Fuzzy Hash: 30f87ed827aeecfe911223f58ce8a4b71d1e09d8ef01470de223ace09725f984
Instruction Fuzzy Hash: 1F028871A00219AFDB14CF65DD89EAEBBB9EB48750F10811DF915BB2A0CB35ED05CB60

Function 00ED70D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00ED712F
GetSysColorBrush.USER32(0000000F), ref: 00ED7160
GetSysColor.USER32(0000000F), ref: 00ED716C
SetBkColor.GDI32(?,000000FF), ref: 00ED7186
SelectObject.GDI32(?,?), ref: 00ED7195
InflateRect.USER32(?,000000FF,000000FF), ref: 00ED71C0
GetSysColor.USER32(00000010), ref: 00ED71C8
CreateSolidBrush.GDI32(00000000), ref: 00ED71CF
FrameRect.USER32(?,?,00000000), ref: 00ED71DE
DeleteObject.GDI32(00000000), ref: 00ED71E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00ED7230
FillRect.USER32(?,?,?), ref: 00ED7262
GetWindowLongW.USER32(?,000000F0), ref: 00ED7284

Part of subcall function 00ED73E8: GetSysColor.USER32(00000012), ref: 00ED7421
Part of subcall function 00ED73E8: SetTextColor.GDI32(?,?), ref: 00ED7425
Part of subcall function 00ED73E8: GetSysColorBrush.USER32(0000000F), ref: 00ED743B
Part of subcall function 00ED73E8: GetSysColor.USER32(0000000F), ref: 00ED7446
Part of subcall function 00ED73E8: GetSysColor.USER32(00000011), ref: 00ED7463
Part of subcall function 00ED73E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00ED7471
Part of subcall function 00ED73E8: SelectObject.GDI32(?,00000000), ref: 00ED7482
Part of subcall function 00ED73E8: SetBkColor.GDI32(?,00000000), ref: 00ED748B
Part of subcall function 00ED73E8: SelectObject.GDI32(?,?), ref: 00ED7498
Part of subcall function 00ED73E8: InflateRect.USER32(?,000000FF,000000FF), ref: 00ED74B7
Part of subcall function 00ED73E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00ED74CE
Part of subcall function 00ED73E8: GetWindowLongW.USER32(00000000,000000F0), ref: 00ED74DB

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: e17c6cb1664f58ae0a9866a1ef58021443df70ea98f432ff11238627f23e9be4
Instruction ID: c9843158cc381d81fb8e6334725b3db8d135ca083aede7d5ba52e481a272b33c
Opcode Fuzzy Hash: e17c6cb1664f58ae0a9866a1ef58021443df70ea98f432ff11238627f23e9be4
Instruction Fuzzy Hash: 4BA1B67100A312AFDB009F61EC48E5BB7A9FF49364F201B1AF9A2B61E1D731D949CB51

Function 00E58D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00E58E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00E96AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00E96AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00E96F43

Part of subcall function 00E58F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00E58BE8,?,00000000,?,?,?,?,00E58BBA,00000000,?), ref: 00E58FC5

SendMessageW.USER32(?,00001053), ref: 00E96F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00E96F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00E96FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00E96FB7

Strings

0, xrefs: 00E96DCF

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: 6c8cb1f6cb4c5175acbf6c2fe1a67ffe81d6365db8f0ab4d8ce9395852b4b5d8
Instruction ID: c343cd5c512723a429fc8696b2de08031cfb253d03dade884c5bf1002dad8b69
Opcode Fuzzy Hash: 6c8cb1f6cb4c5175acbf6c2fe1a67ffe81d6365db8f0ab4d8ce9395852b4b5d8
Instruction Fuzzy Hash: 2B12EC30201201EFDB25CF24D985BAAB7F1FB44305F64A42AF995BB261CB31EC56DB91

Function 00EC2711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00EC273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00EC286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 00EC28A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00EC28B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00EC2900
GetClientRect.USER32(00000000,?), ref: 00EC290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00EC2955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00EC2964
GetStockObject.GDI32(00000011), ref: 00EC2974
SelectObject.GDI32(00000000,00000000), ref: 00EC2978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00EC2988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00EC2991
DeleteDC.GDI32(00000000), ref: 00EC299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00EC29C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 00EC29DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00EC2A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00EC2A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00EC2A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00EC2A77
GetStockObject.GDI32(00000011), ref: 00EC2A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00EC2A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00EC2A97

Strings

msctls_progress32, xrefs: 00EC2A13
static, xrefs: 00EC294F, 00EC2A71
AutoIt v3, xrefs: 00EC28F8
DISPLAY, xrefs: 00EC295A

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 622af39e8d8297870e511d33b3c4cca8ccd49367dd94bed867a907842baaa71f
Instruction ID: 4a030619d16aba4dbd159d14c1a026e0f3e2e57f5f9ca204d2b43cbb28306a59
Opcode Fuzzy Hash: 622af39e8d8297870e511d33b3c4cca8ccd49367dd94bed867a907842baaa71f
Instruction Fuzzy Hash: DAB15D71A00219AFEB14DF69DD85FAEBBA9FB48710F108519FA14EB290D774ED01CB90

Function 00EB4ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00EB4AED
GetDriveTypeW.KERNEL32(?,00EDCB68,?,\\.\,00EDCC08), ref: 00EB4BCA
SetErrorMode.KERNEL32(00000000,00EDCB68,?,\\.\,00EDCC08), ref: 00EB4D36

Strings

1394, xrefs: 00EB4C9F
Virtual, xrefs: 00EB4CE5
SAS, xrefs: 00EB4CC9
Unknown, xrefs: 00EB4BED, 00EB4C83
SSA, xrefs: 00EB4CA6
Removable, xrefs: 00EB4C10, 00EB4C15
USB, xrefs: 00EB4CB4
FileBackedVirtual, xrefs: 00EB4CEC
MMC, xrefs: 00EB4CDE
ATA, xrefs: 00EB4C98
CDROM, xrefs: 00EB4BFB
\\.\, xrefs: 00EB4B3F
Network, xrefs: 00EB4C02
PhysicalDrive, xrefs: 00EB4B76
Fixed, xrefs: 00EB4C09
Fibre, xrefs: 00EB4CAD
ATAPI, xrefs: 00EB4C91
SSD, xrefs: 00EB4C4A
SATA, xrefs: 00EB4CD0
iSCSI, xrefs: 00EB4CC2
SCSI, xrefs: 00EB4C8A
RAMDisk, xrefs: 00EB4BF4
RAID, xrefs: 00EB4CBB

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: fac8c8204e0fe19e7a885f1839b95069b2ffad6c234be0cc1afa3d67f160cc3b
Instruction ID: 697f2f391c1b6108d36f96d29e07087026614b21abfa2262b266196be4a2461e
Opcode Fuzzy Hash: fac8c8204e0fe19e7a885f1839b95069b2ffad6c234be0cc1afa3d67f160cc3b
Instruction Fuzzy Hash: 5961C4B16061069BDB04DF14CA81AFABBA0AB44B44B20A415F846FB6D3DB35ED45FF42

Function 00ED73E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00ED7421
SetTextColor.GDI32(?,?), ref: 00ED7425
GetSysColorBrush.USER32(0000000F), ref: 00ED743B
GetSysColor.USER32(0000000F), ref: 00ED7446
CreateSolidBrush.GDI32(?), ref: 00ED744B
GetSysColor.USER32(00000011), ref: 00ED7463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00ED7471
SelectObject.GDI32(?,00000000), ref: 00ED7482
SetBkColor.GDI32(?,00000000), ref: 00ED748B
SelectObject.GDI32(?,?), ref: 00ED7498
InflateRect.USER32(?,000000FF,000000FF), ref: 00ED74B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00ED74CE
GetWindowLongW.USER32(00000000,000000F0), ref: 00ED74DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00ED752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00ED7554
InflateRect.USER32(?,000000FD,000000FD), ref: 00ED7572
DrawFocusRect.USER32(?,?), ref: 00ED757D
GetSysColor.USER32(00000011), ref: 00ED758E
SetTextColor.GDI32(?,00000000), ref: 00ED7596
DrawTextW.USER32(?,00ED70F5,000000FF,?,00000000), ref: 00ED75A8
SelectObject.GDI32(?,?), ref: 00ED75BF
DeleteObject.GDI32(?), ref: 00ED75CA
SelectObject.GDI32(?,?), ref: 00ED75D0
DeleteObject.GDI32(?), ref: 00ED75D5
SetTextColor.GDI32(?,?), ref: 00ED75DB
SetBkColor.GDI32(?,?), ref: 00ED75E5

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: c881953b4ec6eb2e1f853eaac1bf6e43dee9d3fd515c42884f33496de0fc77ab
Instruction ID: 7b3e91065f736fb192d551bc820d4e2502216e8e63f0c4017f3366ea38885848
Opcode Fuzzy Hash: c881953b4ec6eb2e1f853eaac1bf6e43dee9d3fd515c42884f33496de0fc77ab
Instruction Fuzzy Hash: 05617E72901219AFDF019FA5EC49EEEBFB9EB08360F204116F915BB2A1D7709941CB90

Function 00ED0FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00ED1128
GetDesktopWindow.USER32 ref: 00ED113D
GetWindowRect.USER32(00000000), ref: 00ED1144
GetWindowLongW.USER32(?,000000F0), ref: 00ED1199
DestroyWindow.USER32(?), ref: 00ED11B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00ED11ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00ED120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00ED121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00ED1232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00ED1245
IsWindowVisible.USER32(00000000), ref: 00ED12A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 00ED12BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 00ED12D0
GetWindowRect.USER32(00000000,?), ref: 00ED12E8
MonitorFromPoint.USER32(?,?,00000002), ref: 00ED130E
GetMonitorInfoW.USER32(00000000,?), ref: 00ED1328
CopyRect.USER32(?,?), ref: 00ED133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 00ED13AA

Strings

(, xrefs: 00ED131B
tooltips_class32, xrefs: 00ED11E6
0, xrefs: 00ED10D3

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 77575c93e99b111f8decd8eba502c17c7378c6b4bc3189c95f24cfa1fa4e4881
Instruction ID: da723d3c6420e06c84cacd83655ebf8bbdd0553d6d8445937e901d0932896e4e
Opcode Fuzzy Hash: 77575c93e99b111f8decd8eba502c17c7378c6b4bc3189c95f24cfa1fa4e4881
Instruction Fuzzy Hash: DDB19C71608341AFD700DF65D884B6BFBE4FF88744F00995AF999AB2A1C731E845CB92

Function 00E58891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00E58968
GetSystemMetrics.USER32(00000007), ref: 00E58970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00E5899B
GetSystemMetrics.USER32(00000008), ref: 00E589A3
GetSystemMetrics.USER32(00000004), ref: 00E589C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00E589E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00E589F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00E58A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00E58A3C
GetClientRect.USER32(00000000,000000FF), ref: 00E58A5A
GetStockObject.GDI32(00000011), ref: 00E58A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00E58A81

Part of subcall function 00E5912D: GetCursorPos.USER32(?), ref: 00E59141
Part of subcall function 00E5912D: ScreenToClient.USER32(00000000,?), ref: 00E5915E
Part of subcall function 00E5912D: GetAsyncKeyState.USER32(00000001), ref: 00E59183
Part of subcall function 00E5912D: GetAsyncKeyState.USER32(00000002), ref: 00E5919D

SetTimer.USER32(00000000,00000000,00000028,00E590FC), ref: 00E58AA8

Strings

AutoIt v3 GUI, xrefs: 00E58A20

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 946b04e1571a1c5811f008c24649b27daea8bc641e72b9adfd3104164745c8f0
Instruction ID: 73f8f8ee1e6f29df2936b7f1b377a37e27838e6dc3b269f5826552ca37b6aa5a
Opcode Fuzzy Hash: 946b04e1571a1c5811f008c24649b27daea8bc641e72b9adfd3104164745c8f0
Instruction Fuzzy Hash: 5FB17831A0020A9FDF14DFA8D945BEA3BB5FB48355F11962AFA15BB290DB30E845CB50

Function 00EA0D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00EA10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00EA1114
Part of subcall function 00EA10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00EA0B9B,?,?,?), ref: 00EA1120
Part of subcall function 00EA10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00EA0B9B,?,?,?), ref: 00EA112F
Part of subcall function 00EA10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00EA0B9B,?,?,?), ref: 00EA1136
Part of subcall function 00EA10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00EA114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00EA0DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00EA0E29
GetLengthSid.ADVAPI32(?), ref: 00EA0E40
GetAce.ADVAPI32(?,00000000,?), ref: 00EA0E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00EA0E96
GetLengthSid.ADVAPI32(?), ref: 00EA0EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00EA0EB5
HeapAlloc.KERNEL32(00000000), ref: 00EA0EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00EA0EDD
CopySid.ADVAPI32(00000000), ref: 00EA0EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00EA0F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00EA0F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00EA0F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00EA0F6E
HeapFree.KERNEL32(00000000), ref: 00EA0F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00EA0F7E
HeapFree.KERNEL32(00000000), ref: 00EA0F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00EA0F8E
HeapFree.KERNEL32(00000000), ref: 00EA0F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00EA0FA1
HeapFree.KERNEL32(00000000), ref: 00EA0FA8

Part of subcall function 00EA1193: GetProcessHeap.KERNEL32(00000008,00EA0BB1,?,00000000,?,00EA0BB1,?), ref: 00EA11A1
Part of subcall function 00EA1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00EA0BB1,?), ref: 00EA11A8
Part of subcall function 00EA1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00EA0BB1,?), ref: 00EA11B7

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 29a3ac5c173e3f594fb304f76c91bee8de59c3c3314ea47b540e777d058b093a
Instruction ID: 16fbed68407c8c04fae7a95c7b455eb0cf3460c74a471ad37adb8cd05d57456c
Opcode Fuzzy Hash: 29a3ac5c173e3f594fb304f76c91bee8de59c3c3314ea47b540e777d058b093a
Instruction Fuzzy Hash: 8E717F75A0121AEFDF209FA5EC44BAEBBB8FF09345F148116F915BA191D730A905CB60

Function 00ECC3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00ECC4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,00EDCC08,00000000,?,00000000,?,?), ref: 00ECC544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 00ECC5A4
_wcslen.LIBCMT ref: 00ECC5F4
_wcslen.LIBCMT ref: 00ECC66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 00ECC6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 00ECC7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 00ECC84D
RegCloseKey.ADVAPI32(?), ref: 00ECC881
RegCloseKey.ADVAPI32(00000000), ref: 00ECC88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 00ECC960

Strings

REG_EXPAND_SZ, xrefs: 00ECC5CD
REG_DWORD, xrefs: 00ECC804
REG_BINARY, xrefs: 00ECC913
REG_SZ, xrefs: 00ECC644
REG_QWORD, xrefs: 00ECC8C3
REG_MULTI_SZ, xrefs: 00ECC6F5

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 8fa07c7e2e4432bf52192a4522d2b91b396b252b2ce07c9b178a8cfd7ee6eee1
Instruction ID: d19c3d68e5046ad5af4452db1188b4be7f871359e62b27b8531d50cdd2cce932
Opcode Fuzzy Hash: 8fa07c7e2e4432bf52192a4522d2b91b396b252b2ce07c9b178a8cfd7ee6eee1
Instruction Fuzzy Hash: 421258756042019FDB14DF14D981F2AB7E5EF88714F14985DF88AAB2A2DB35FC42CB81

Function 00ED091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00ED09C6
_wcslen.LIBCMT ref: 00ED0A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00ED0A54
_wcslen.LIBCMT ref: 00ED0A8A
_wcslen.LIBCMT ref: 00ED0B06
_wcslen.LIBCMT ref: 00ED0B81

Part of subcall function 00E5F9F2: _wcslen.LIBCMT ref: 00E5F9FD

Part of subcall function 00EA2BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00EA2BFA

Strings

GETTEXT, xrefs: 00ED0C97
UNCHECK, xrefs: 00ED0D3E
CHECK, xrefs: 00ED0A85, 00ED0AA0
EXISTS, xrefs: 00ED0B7C, 00ED0B97
ISCHECKED, xrefs: 00ED0CE1
EXPAND, xrefs: 00ED0BF8
GETSELECTED, xrefs: 00ED0C4E
SELECT, xrefs: 00ED0D11
GETTOTALCOUNT, xrefs: 00ED09F2, 00ED0A17
COLLAPSE, xrefs: 00ED0B01, 00ED0B1C
GETITEMCOUNT, xrefs: 00ED0C1E

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 322b61fa44fd1eb41f2c29b5514e0b887b756f3fdc3d3aa6bc557a8a5a56c23d
Instruction ID: 59977e36a3b3fb5cc884f906914e8222ba72c78ddf761ae62fc1f5816673bdd2
Opcode Fuzzy Hash: 322b61fa44fd1eb41f2c29b5514e0b887b756f3fdc3d3aa6bc557a8a5a56c23d
Instruction Fuzzy Hash: DDE15C316087019FC714DF24C450A6AB7E2FF98318F18595EF8966B3A2D731ED46DB81

Function 00ECC998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00ECB6AE,?,?), ref: 00ECC9B5
_wcslen.LIBCMT ref: 00ECC9F1
_wcslen.LIBCMT ref: 00ECCA68
_wcslen.LIBCMT ref: 00ECCA9E
_wcslen.LIBCMT ref: 00ECCAF9
_wcslen.LIBCMT ref: 00ECCB2F
_wcslen.LIBCMT ref: 00ECCB7F

Strings

HKEY_CLASSES_ROOT, xrefs: 00ECCAF3, 00ECCAF8
HKEY_CURRENT_USER, xrefs: 00ECCBBD
HKCR, xrefs: 00ECCB29, 00ECCB2E
HKU, xrefs: 00ECCBF0
HKEY_LOCAL_MACHINE, xrefs: 00ECCA62, 00ECCA67
HKLM, xrefs: 00ECCA98, 00ECCA9D
HKCU, xrefs: 00ECCBCE
HKCC, xrefs: 00ECCBAC
HKEY_USERS, xrefs: 00ECCBDF
HKEY_CURRENT_CONFIG, xrefs: 00ECCB79, 00ECCB7E

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 3a31276eab0cf72c76dda2a4f92c78e69c1d00d5436ed6bf87cbc5fea8913ee1
Instruction ID: 1f6345e48e902dd0a2c0449419dd776b1305353a85f2916a2679c3acba92258d
Opcode Fuzzy Hash: 3a31276eab0cf72c76dda2a4f92c78e69c1d00d5436ed6bf87cbc5fea8913ee1
Instruction Fuzzy Hash: 3571EA32A0052A8BCB10DE7CDA41FBB73919BA4758B35252CFC5EB7285E632DD46D350

Function 00ED833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00ED835A
_wcslen.LIBCMT ref: 00ED836E
_wcslen.LIBCMT ref: 00ED8391
_wcslen.LIBCMT ref: 00ED83B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00ED83F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,00ED361A,?), ref: 00ED844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00ED8487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00ED84CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00ED8501
FreeLibrary.KERNEL32(?), ref: 00ED850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00ED851D
DestroyIcon.USER32(?), ref: 00ED852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00ED8549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00ED8555

Strings

.exe, xrefs: 00ED8388
.dll, xrefs: 00ED83AB
.icl, xrefs: 00ED8368

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: 4db1fb0400f97f3093d8ea484c7ccd6c2d8cfbb42ba5bee7f5ee0f8e2bd59adc
Instruction ID: 556a943fe3b21afc1117bc1a1e963ad7e1c92e7f77b652010cc43b7539b83df5
Opcode Fuzzy Hash: 4db1fb0400f97f3093d8ea484c7ccd6c2d8cfbb42ba5bee7f5ee0f8e2bd59adc
Instruction Fuzzy Hash: 29610171940216BEEB14DF64ED41BBF77A8FB04B51F10560AF815F62D0DB74A981C7A0

Function 00E47778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#comments-start, xrefs: 00E4785F, 00E478B1
#ce, xrefs: 00E478ED
Unterminated group of comments, xrefs: 00E8528C
Cannot parse #include, xrefs: 00E85279
#include-once, xrefs: 00E4782F
", xrefs: 00E85153
#notrayicon, xrefs: 00E477E7
Bad directive syntax error, xrefs: 00E8519A
#cs, xrefs: 00E47873, 00E478C5
#comments-end, xrefs: 00E478D9
#include, xrefs: 00E47847
#pragma compile, xrefs: 00E477D3
#requireadmin, xrefs: 00E477FF
#OnAutoItStartRegister, xrefs: 00E47817
', xrefs: 00E85169

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 794fb84037858d73aeac576605f5ca3d96a0a66c80d72d25053d21ffed8cbe56
Instruction ID: 35380326381e831f8450b4f25175fd647433452b2d318bee3166df6c9ebf3f1e
Opcode Fuzzy Hash: 794fb84037858d73aeac576605f5ca3d96a0a66c80d72d25053d21ffed8cbe56
Instruction Fuzzy Hash: CD811471A40605BBDB20AF60EC46FAE77A8EF14340F006426F949BA292EF71D911C7D1

Function 00EB3E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00EB3EF8
_wcslen.LIBCMT ref: 00EB3F03
_wcslen.LIBCMT ref: 00EB3F5A
_wcslen.LIBCMT ref: 00EB3F98
GetDriveTypeW.KERNEL32(?), ref: 00EB3FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00EB401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00EB4059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00EB4087

Strings

close, xrefs: 00EB3EFE, 00EB3F18
wait, xrefs: 00EB4044
closed, xrefs: 00EB3F08, 00EB3F2D, 00EB3F46, 00EB3F7E, 00EB3F97
set cd door , xrefs: 00EB4028
open , xrefs: 00EB3FE5
close cd wait, xrefs: 00EB4072
open, xrefs: 00EB3F54, 00EB3F59
type cdaudio alias cd wait, xrefs: 00EB4001

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: 5e8d943e75a26f0cc183160a9b490d223f1991654b52991d170bc694528945b5
Instruction ID: 00e39425e9d7342ab6ecac960cbac45fe1e18ed59e5c3ae631c7ea30f12e09e5
Opcode Fuzzy Hash: 5e8d943e75a26f0cc183160a9b490d223f1991654b52991d170bc694528945b5
Instruction Fuzzy Hash: 7B71D271A042129FC310EF34D8818ABB7F4EF94758F10592DF995A7292EB31ED45CB92

Function 00EA5A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00EA5A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00EA5A40
SetWindowTextW.USER32(?,?), ref: 00EA5A57
GetDlgItem.USER32(?,000003EA), ref: 00EA5A6C
SetWindowTextW.USER32(00000000,?), ref: 00EA5A72
GetDlgItem.USER32(?,000003E9), ref: 00EA5A82
SetWindowTextW.USER32(00000000,?), ref: 00EA5A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00EA5AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00EA5AC3
GetWindowRect.USER32(?,?), ref: 00EA5ACC
_wcslen.LIBCMT ref: 00EA5B33
SetWindowTextW.USER32(?,?), ref: 00EA5B6F
GetDesktopWindow.USER32 ref: 00EA5B75
GetWindowRect.USER32(00000000), ref: 00EA5B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00EA5BD3
GetClientRect.USER32(?,?), ref: 00EA5BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00EA5C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00EA5C2F

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 37967337e00b6ad85399e146e7dc868ce6400c0fd4516819e6ea086952a6141b
Instruction ID: d5a49b9c2243cad6ee555788137c7efecbb871d2d7ca1f1d6c92504dd7213151
Opcode Fuzzy Hash: 37967337e00b6ad85399e146e7dc868ce6400c0fd4516819e6ea086952a6141b
Instruction Fuzzy Hash: AB718F32A00B09AFDB20DFA9CE45AAEBBF5FF48705F105519E152B65A0D774F904CB20

Function 00EBFE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 00EBFE27
LoadCursorW.USER32(00000000,00007F8A), ref: 00EBFE32
LoadCursorW.USER32(00000000,00007F00), ref: 00EBFE3D
LoadCursorW.USER32(00000000,00007F03), ref: 00EBFE48
LoadCursorW.USER32(00000000,00007F8B), ref: 00EBFE53
LoadCursorW.USER32(00000000,00007F01), ref: 00EBFE5E
LoadCursorW.USER32(00000000,00007F81), ref: 00EBFE69
LoadCursorW.USER32(00000000,00007F88), ref: 00EBFE74
LoadCursorW.USER32(00000000,00007F80), ref: 00EBFE7F
LoadCursorW.USER32(00000000,00007F86), ref: 00EBFE8A
LoadCursorW.USER32(00000000,00007F83), ref: 00EBFE95
LoadCursorW.USER32(00000000,00007F85), ref: 00EBFEA0
LoadCursorW.USER32(00000000,00007F82), ref: 00EBFEAB
LoadCursorW.USER32(00000000,00007F84), ref: 00EBFEB6
LoadCursorW.USER32(00000000,00007F04), ref: 00EBFEC1
LoadCursorW.USER32(00000000,00007F02), ref: 00EBFECC
GetCursorInfo.USER32(?), ref: 00EBFEDC
GetLastError.KERNEL32 ref: 00EBFF1E

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: e0e9008c97eb65a0a315d0579e7e3f9520d83c3d2be3caec7262159d270246d3
Instruction ID: b29a9e28769719299e68671fae57a3b997fb45f30db6980a55ac2dbcd2fb1eab
Opcode Fuzzy Hash: e0e9008c97eb65a0a315d0579e7e3f9520d83c3d2be3caec7262159d270246d3
Instruction Fuzzy Hash: C34152B0E053196ADB109FBA9C8986EBFE8FF04754B50452AE11DE7281DB78E901CE91

Function 00E600C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 00E600C6

Part of subcall function 00E600ED: InitializeCriticalSectionAndSpinCount.KERNEL32(00F1070C,00000FA0,D7EC9407,?,?,?,?,00E823B3,000000FF), ref: 00E6011C
Part of subcall function 00E600ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,00E823B3,000000FF), ref: 00E60127
Part of subcall function 00E600ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,00E823B3,000000FF), ref: 00E60138
Part of subcall function 00E600ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 00E6014E
Part of subcall function 00E600ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00E6015C
Part of subcall function 00E600ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00E6016A
Part of subcall function 00E600ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00E60195
Part of subcall function 00E600ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00E601A0

___scrt_fastfail.LIBCMT ref: 00E600E7

Part of subcall function 00E600A3: __onexit.LIBCMT ref: 00E600A9

Strings

api-ms-win-core-synch-l1-2-0.dll, xrefs: 00E60122
WakeAllConditionVariable, xrefs: 00E60162
kernel32.dll, xrefs: 00E60133
SleepConditionVariableCS, xrefs: 00E60154
InitializeConditionVariable, xrefs: 00E60148

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: a7645e602b5c32d63f77dcf0cb2204b227bd1783a8071797e39ed93401b418ba
Instruction ID: 3e7d46bf459501383869cd68b77511736f2309d770a671cf2e9054a1c1f2cc77
Opcode Fuzzy Hash: a7645e602b5c32d63f77dcf0cb2204b227bd1783a8071797e39ed93401b418ba
Instruction Fuzzy Hash: 2121F9326867266FD7105BA5BC06B6B33E5DB06BE1F10552BF902F32D1DFA09804CA91

Function 00EA30F7 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00EA318D
_wcslen.LIBCMT ref: 00EA31F8

Strings

REGEXPCLASS, xrefs: 00EA3255, 00EA3266
NAME, xrefs: 00EA3335, 00EA3346
TEXT, xrefs: 00EA347C
CLASS, xrefs: 00EA3188, 00EA31A5
CLASSNN, xrefs: 00EA31F3, 00EA3204
INSTANCE, xrefs: 00EA3453

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: 349e6b88fbb4a2462886f3a671c6634c9a5a465f506f4ee1a77295b9269de164
Instruction ID: c0234be5378886f56790b59e41c73248ef3c9f871bc5a810344fa9b7e6e263bf
Opcode Fuzzy Hash: 349e6b88fbb4a2462886f3a671c6634c9a5a465f506f4ee1a77295b9269de164
Instruction Fuzzy Hash: 4FE1E431A005169BCB189FB8C4517EEFBB0BF5E754F14A119F466BB240DB30BE899B90

Function 00EB44C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,00EDCC08), ref: 00EB4527
_wcslen.LIBCMT ref: 00EB453B
_wcslen.LIBCMT ref: 00EB4599
_wcslen.LIBCMT ref: 00EB45F4
_wcslen.LIBCMT ref: 00EB463F
_wcslen.LIBCMT ref: 00EB46A7

Part of subcall function 00E5F9F2: _wcslen.LIBCMT ref: 00E5F9FD

GetDriveTypeW.KERNEL32(?,00F06BF0,00000061), ref: 00EB4743

Strings

network, xrefs: 00EB469D, 00EB46A2
removable, xrefs: 00EB45EA, 00EB45EF
fixed, xrefs: 00EB4635, 00EB463A
cdrom, xrefs: 00EB458F, 00EB4594
unknown, xrefs: 00EB4708
all, xrefs: 00EB4531, 00EB4536
ramdisk, xrefs: 00EB46F1

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 9279262e0fd6c007970a37ecfd89a055c6e3e4dff292c85e71ef11102b56c231
Instruction ID: 55f69feb1f740363d48bc1a0a36ea8ab85d7af3c303d7d6969fe606b4a92affb
Opcode Fuzzy Hash: 9279262e0fd6c007970a37ecfd89a055c6e3e4dff292c85e71ef11102b56c231
Instruction Fuzzy Hash: 9CB112B16083029FC710DF28D890AABB7E5AFA5764F50691DF496E72D2DB30D844CB92

Function 00EC3FE9 Relevance: 23.2, APIs: 11, Strings: 2, Instructions: 478libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00EDCC08), ref: 00EC40BB
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00EC40CD
GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,00EDCC08), ref: 00EC40F2
FreeLibrary.KERNEL32(00000000,?,00EDCC08), ref: 00EC413E
StringFromGUID2.OLE32(?,?,00000028,?,00EDCC08), ref: 00EC41A8
SysFreeString.OLEAUT32(00000009), ref: 00EC4262
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00EC42C8
SysFreeString.OLEAUT32(?), ref: 00EC42F2

Strings

kernel32.dll, xrefs: 00EC40B6
GetModuleHandleExW, xrefs: 00EC40C7

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 354098117-199464113
Opcode ID: 22f43ac5a12cd3a1b3b3199ab6afb6ab910d9a6a85baa618e68953da5dc23623
Instruction ID: 2b7ab5c10520ee3fbf9a1bd894b1bcdbf729e91b122d3f1403002f1ffd4b72a4
Opcode Fuzzy Hash: 22f43ac5a12cd3a1b3b3199ab6afb6ab910d9a6a85baa618e68953da5dc23623
Instruction Fuzzy Hash: 3B125BB5A00105EFDB14DF54C994FAEB7B5FF84318F249098E915AB291C732ED46CBA0

Function 00E4326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00F11990), ref: 00E82F8D
GetMenuItemCount.USER32(00F11990), ref: 00E8303D
GetCursorPos.USER32(?), ref: 00E83081
SetForegroundWindow.USER32(00000000), ref: 00E8308A
TrackPopupMenuEx.USER32(00F11990,00000000,?,00000000,00000000,00000000), ref: 00E8309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00E830A9

Strings

0, xrefs: 00E4327D

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 6f164dd52aed0b3e7601628cc9ed6417e7de630f25505cd46ec22d9d7ac19796
Instruction ID: 7a9a8a011d81d02838b951551ba85c51959b5acc6c36ef0ce773a54ed75871d3
Opcode Fuzzy Hash: 6f164dd52aed0b3e7601628cc9ed6417e7de630f25505cd46ec22d9d7ac19796
Instruction Fuzzy Hash: 4C712730640206BEEB219F75DC49FAABF68FF05768F205206F62C7A1E1C7B1A914DB54

Function 00ED6CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 00ED6DEB

Part of subcall function 00E46B57: _wcslen.LIBCMT ref: 00E46B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00ED6E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00ED6E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00ED6E94
DestroyWindow.USER32(?), ref: 00ED6EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00E40000,00000000), ref: 00ED6EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00ED6EFD
GetDesktopWindow.USER32 ref: 00ED6F16
GetWindowRect.USER32(00000000), ref: 00ED6F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00ED6F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00ED6F4D

Part of subcall function 00E59944: GetWindowLongW.USER32(?,000000EB), ref: 00E59952

Strings

0, xrefs: 00ED6D98
tooltips_class32, xrefs: 00ED6E58, 00ED6EDD

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: cbef19aa3a87c2214e867928736868d2d434d86ec1de6e009b074adb13ef6e0c
Instruction ID: 1e43ce2644ea6f63cd23bad9fbe59453255449de5e3d6564f9c703f7b1bb78e3
Opcode Fuzzy Hash: cbef19aa3a87c2214e867928736868d2d434d86ec1de6e009b074adb13ef6e0c
Instruction Fuzzy Hash: 2E718B70204245AFDB21CF18DC44EAABBF9FB89708F54541EF999A7361C770E90ADB12

Function 00ED911E Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00E59BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00E59BB2

DragQueryPoint.SHELL32(?,?), ref: 00ED9147

Part of subcall function 00ED7674: ClientToScreen.USER32(?,?), ref: 00ED769A
Part of subcall function 00ED7674: GetWindowRect.USER32(?,?), ref: 00ED7710
Part of subcall function 00ED7674: PtInRect.USER32(?,?,00ED8B89), ref: 00ED7720

SendMessageW.USER32(?,000000B0,?,?), ref: 00ED91B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00ED91BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00ED91DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00ED9225
SendMessageW.USER32(?,000000B0,?,?), ref: 00ED923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00ED9255
SendMessageW.USER32(?,000000B1,?,?), ref: 00ED9277
DragFinish.SHELL32(?), ref: 00ED927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00ED9371

Strings

@GUI_DROPID, xrefs: 00ED929E
@GUI_DRAGID, xrefs: 00ED92E9
@GUI_DRAGFILE, xrefs: 00ED9320

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 221274066-3440237614
Opcode ID: 5ee885da093f8bf8c6aad13e050561aaf9292866d6ecaf37e836697b27ad8586
Instruction ID: b2c69659bdd4815b81c42efd767a75b4526a7afe87e89616d96b9263d2be3a1f
Opcode Fuzzy Hash: 5ee885da093f8bf8c6aad13e050561aaf9292866d6ecaf37e836697b27ad8586
Instruction Fuzzy Hash: E2617C71108301AFD701DF55EC85DAFBBE8EF88750F50191EF5A5A32A1DB309A49CB52

Function 00EBC476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00EBC4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00EBC4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00EBC4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00EBC4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 00EBC533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00EBC549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00EBC554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00EBC584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00EBC5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00EBC5F0
InternetCloseHandle.WININET(00000000), ref: 00EBC5FB

Strings

, xrefs: 00EBC575

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 5347f39de38aadec8f766a28d7e098bec8ceb16b7426ce7b4ab496769733773b
Instruction ID: ba4c642f51cca2e5588d567d9bb1f1a174c80fd78523b2413672bf95ae157614
Opcode Fuzzy Hash: 5347f39de38aadec8f766a28d7e098bec8ceb16b7426ce7b4ab496769733773b
Instruction Fuzzy Hash: F6516FB0505609BFDB218F61D988AEB7BFCFF08788F20541AF945E6110DB30E948DB60

Function 00ED856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 00ED8592
GetFileSize.KERNEL32(00000000,00000000), ref: 00ED85A2
GlobalAlloc.KERNEL32(00000002,00000000), ref: 00ED85AD
CloseHandle.KERNEL32(00000000), ref: 00ED85BA
GlobalLock.KERNEL32(00000000), ref: 00ED85C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00ED85D7
GlobalUnlock.KERNEL32(00000000), ref: 00ED85E0
CloseHandle.KERNEL32(00000000), ref: 00ED85E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00ED85F8
OleLoadPicture.OLEAUT32(?,00000000,00000000,00EDFC38,?), ref: 00ED8611
GlobalFree.KERNEL32(00000000), ref: 00ED8621
GetObjectW.GDI32(?,00000018,000000FF), ref: 00ED8641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00ED8671
DeleteObject.GDI32(00000000), ref: 00ED8699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00ED86AF

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 670f6d1d2c84e65b3ef72af4b1388a66ec853bf59af8790587e501142431052c
Instruction ID: 2b6c321261d40578cf546b029dcc050abcf2ded06488a28d6b3772cf8db8799a
Opcode Fuzzy Hash: 670f6d1d2c84e65b3ef72af4b1388a66ec853bf59af8790587e501142431052c
Instruction Fuzzy Hash: 4E415B71601205AFDB10CFA6ED48EAE7BBCEF89B55F10415AF815E72A0DB309905CB20

Function 00EB14BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00EB1502
VariantCopy.OLEAUT32(?,?), ref: 00EB150B
VariantClear.OLEAUT32(?), ref: 00EB1517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00EB15FB
VarR8FromDec.OLEAUT32(?,?), ref: 00EB1657
VariantInit.OLEAUT32(?), ref: 00EB1708
SysFreeString.OLEAUT32(?), ref: 00EB178C
VariantClear.OLEAUT32(?), ref: 00EB17D8
VariantClear.OLEAUT32(?), ref: 00EB17E7
VariantInit.OLEAUT32(00000000), ref: 00EB1823

Strings

Default, xrefs: 00EB16AF
%4d%02d%02d%02d%02d%02d, xrefs: 00EB1625

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 65b4e9c26b67ad09cd459b9f9c1e0b602e863019bc0b920b248281447beb6b99
Instruction ID: a85e244d679b2dfd034a641c4ca818b432d4472f6539c324ce85b55ae84dfb65
Opcode Fuzzy Hash: 65b4e9c26b67ad09cd459b9f9c1e0b602e863019bc0b920b248281447beb6b99
Instruction Fuzzy Hash: B9D10132A01215DBCB209F65E8A4BFAB7F5BF45720FA49596F806BB180DB30DC44DB91

Function 00ECB60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00E49CB3: _wcslen.LIBCMT ref: 00E49CBD

Part of subcall function 00ECC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00ECB6AE,?,?), ref: 00ECC9B5
Part of subcall function 00ECC998: _wcslen.LIBCMT ref: 00ECC9F1
Part of subcall function 00ECC998: _wcslen.LIBCMT ref: 00ECCA68
Part of subcall function 00ECC998: _wcslen.LIBCMT ref: 00ECCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00ECB6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00ECB772
RegDeleteValueW.ADVAPI32(?,?), ref: 00ECB80A
RegCloseKey.ADVAPI32(?), ref: 00ECB87E
RegCloseKey.ADVAPI32(?), ref: 00ECB89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 00ECB8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00ECB904
RegDeleteKeyW.ADVAPI32(?,?), ref: 00ECB922
FreeLibrary.KERNEL32(00000000), ref: 00ECB983
RegCloseKey.ADVAPI32(00000000), ref: 00ECB994

Strings

RegDeleteKeyExW, xrefs: 00ECB8FE
advapi32.dll, xrefs: 00ECB8ED

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 28e69333f2d53bd837c72ace5a45f4882afabce54af65d697c8a0850858645e5
Instruction ID: 0b2459d7dacb68c62ad91c213a1d5bd11992714c61284e67eb92c8903ae73645
Opcode Fuzzy Hash: 28e69333f2d53bd837c72ace5a45f4882afabce54af65d697c8a0850858645e5
Instruction Fuzzy Hash: 3CC1B131205201AFD714DF14D595F2ABBE5FF84308F24955CF49AAB2A2CB36EC46CB91

Function 00EC255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00EC25D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00EC25E8
CreateCompatibleDC.GDI32(?), ref: 00EC25F4
SelectObject.GDI32(00000000,?), ref: 00EC2601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 00EC266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 00EC26AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 00EC26D0
SelectObject.GDI32(?,?), ref: 00EC26D8
DeleteObject.GDI32(?), ref: 00EC26E1
DeleteDC.GDI32(?), ref: 00EC26E8
ReleaseDC.USER32(00000000,?), ref: 00EC26F3

Strings

(, xrefs: 00EC268D

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 44df3caf12a75b4e2740c1b8339d90f0dd241abe0f29c580d326cd3bd8778b54
Instruction ID: 51d1817580d60614511228ac0848bcc9463cab7432c81a95ad9aa78b7576db1e
Opcode Fuzzy Hash: 44df3caf12a75b4e2740c1b8339d90f0dd241abe0f29c580d326cd3bd8778b54
Instruction Fuzzy Hash: 1561D275D01219AFCB04CFA4D985EAEBBF5FF48310F20852AE955B7250D771A941CFA0

Function 00E7DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 00E7DAA1

Part of subcall function 00E7D63C: _free.LIBCMT ref: 00E7D659
Part of subcall function 00E7D63C: _free.LIBCMT ref: 00E7D66B
Part of subcall function 00E7D63C: _free.LIBCMT ref: 00E7D67D
Part of subcall function 00E7D63C: _free.LIBCMT ref: 00E7D68F
Part of subcall function 00E7D63C: _free.LIBCMT ref: 00E7D6A1
Part of subcall function 00E7D63C: _free.LIBCMT ref: 00E7D6B3
Part of subcall function 00E7D63C: _free.LIBCMT ref: 00E7D6C5
Part of subcall function 00E7D63C: _free.LIBCMT ref: 00E7D6D7
Part of subcall function 00E7D63C: _free.LIBCMT ref: 00E7D6E9
Part of subcall function 00E7D63C: _free.LIBCMT ref: 00E7D6FB
Part of subcall function 00E7D63C: _free.LIBCMT ref: 00E7D70D
Part of subcall function 00E7D63C: _free.LIBCMT ref: 00E7D71F
Part of subcall function 00E7D63C: _free.LIBCMT ref: 00E7D731

_free.LIBCMT ref: 00E7DA96

Part of subcall function 00E729C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00E7D7D1,00000000,00000000,00000000,00000000,?,00E7D7F8,00000000,00000007,00000000,?,00E7DBF5,00000000), ref: 00E729DE
Part of subcall function 00E729C8: GetLastError.KERNEL32(00000000,?,00E7D7D1,00000000,00000000,00000000,00000000,?,00E7D7F8,00000000,00000007,00000000,?,00E7DBF5,00000000,00000000), ref: 00E729F0

_free.LIBCMT ref: 00E7DAB8
_free.LIBCMT ref: 00E7DACD
_free.LIBCMT ref: 00E7DAD8
_free.LIBCMT ref: 00E7DAFA
_free.LIBCMT ref: 00E7DB0D
_free.LIBCMT ref: 00E7DB1B
_free.LIBCMT ref: 00E7DB26
_free.LIBCMT ref: 00E7DB5E
_free.LIBCMT ref: 00E7DB65
_free.LIBCMT ref: 00E7DB82
_free.LIBCMT ref: 00E7DB9A

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: f71ee1bc201349dab409c5880805b1165cd6324cf71382ad94946cb2a75fb368
Instruction ID: feadde61d19aaccbe3f1dc575a09e4cd389d0d3dfa909180ac1ff50bcb36c6b8
Opcode Fuzzy Hash: f71ee1bc201349dab409c5880805b1165cd6324cf71382ad94946cb2a75fb368
Instruction Fuzzy Hash: 08314A316086059FEB21AA79EC45B5AB7F9FF40314F15E419E64DF7192DB31AC808760

Function 00EA365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00EA369C
_wcslen.LIBCMT ref: 00EA36A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00EA3797
GetClassNameW.USER32(?,?,00000400), ref: 00EA380C
GetDlgCtrlID.USER32(?), ref: 00EA385D
GetWindowRect.USER32(?,?), ref: 00EA3882
GetParent.USER32(?), ref: 00EA38A0
ScreenToClient.USER32(00000000), ref: 00EA38A7
GetClassNameW.USER32(?,?,00000100), ref: 00EA3921
GetWindowTextW.USER32(?,?,00000400), ref: 00EA395D

Strings

%s%u, xrefs: 00EA3734

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: a13f3e276bff7b69fde4edbdbabc7cca029ef7357e0c7205c2dfe6d11b808528
Instruction ID: a586d54842d3cf8df8c5e428e5848ce94dc786d5f8a9064abb33481ad675f98f
Opcode Fuzzy Hash: a13f3e276bff7b69fde4edbdbabc7cca029ef7357e0c7205c2dfe6d11b808528
Instruction Fuzzy Hash: D391D471204606AFD708DF34D885BABB7E8FF49344F105619F999EA190DB30FA45CB91

Function 00EA4954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00EA4994
GetWindowTextW.USER32(?,?,00000400), ref: 00EA49DA
_wcslen.LIBCMT ref: 00EA49EB
CharUpperBuffW.USER32(?,00000000), ref: 00EA49F7
_wcsstr.LIBVCRUNTIME ref: 00EA4A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00EA4A64
GetWindowTextW.USER32(?,?,00000400), ref: 00EA4A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00EA4AE6
GetClassNameW.USER32(?,?,00000400), ref: 00EA4B20
GetWindowRect.USER32(?,?), ref: 00EA4B8B

Strings

ThumbnailClass, xrefs: 00EA4A6F, 00EA4AF1

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: e3fc6295e9d86531c58c6f2f7b4109f9c5b69ffa8080b16b6aa9fc6e41a1f56f
Instruction ID: fcc3b6d302abac2956813e8fa843f1b353f47437fae51995ab024a7468d24fb5
Opcode Fuzzy Hash: e3fc6295e9d86531c58c6f2f7b4109f9c5b69ffa8080b16b6aa9fc6e41a1f56f
Instruction Fuzzy Hash: 8A91C1B10042059FDB04CF14D981BAAB7E8EF89758F04646AFD85AE0D6DB70FD45CBA1

Function 00EABF30 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00F11990,000000FF,00000000,00000030), ref: 00EABFAC
SetMenuItemInfoW.USER32(00F11990,00000004,00000000,00000030), ref: 00EABFE1
Sleep.KERNEL32(000001F4), ref: 00EABFF3
GetMenuItemCount.USER32(?), ref: 00EAC039
GetMenuItemID.USER32(?,00000000), ref: 00EAC056
GetMenuItemID.USER32(?,-00000001), ref: 00EAC082
GetMenuItemID.USER32(?,?), ref: 00EAC0C9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00EAC10F
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00EAC124
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00EAC145

Strings

0, xrefs: 00EABF3D

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep
String ID: 0
API String ID: 1460738036-4108050209
Opcode ID: bfd4fa6f4fd5a9fb300e864c3717f7fcf844cb2fd3975e9cba2514c91a763d40
Instruction ID: bfa4e0ee036e45b507e44f299608b8abd4f9e6166adb2ba99d41ce76b4b1995c
Opcode Fuzzy Hash: bfd4fa6f4fd5a9fb300e864c3717f7fcf844cb2fd3975e9cba2514c91a763d40
Instruction Fuzzy Hash: 7161A370A0124AAFDF11CF64DD88AEE7BB8EB0A348F245155F911BB291C731BD04CB60

Function 00ECCC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00ECCC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 00ECCC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00ECCD48

Part of subcall function 00ECCC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 00ECCCAA
Part of subcall function 00ECCC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 00ECCCBD
Part of subcall function 00ECCC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00ECCCCF
Part of subcall function 00ECCC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00ECCD05
Part of subcall function 00ECCC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00ECCD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 00ECCCF3

Strings

RegDeleteKeyExW, xrefs: 00ECCCC9
advapi32.dll, xrefs: 00ECCCB8

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 47313d79c2dce7d96feeb668c97ac6978b1055418bb5b8cca99fdbeff1f85811
Instruction ID: 142fb7362b4672e9a8a3cbdb9b361fa93c6b0d7837166fd4f75684416b5c66c0
Opcode Fuzzy Hash: 47313d79c2dce7d96feeb668c97ac6978b1055418bb5b8cca99fdbeff1f85811
Instruction Fuzzy Hash: 6D318671902129BFDB209B51DD88EFFBF7CEF15744F204169E90AF2140D7349A46DAA1

Function 00EB3D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00EB3D40
_wcslen.LIBCMT ref: 00EB3D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 00EB3D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00EB3DBE
RemoveDirectoryW.KERNEL32(?), ref: 00EB3DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00EB3E55
CloseHandle.KERNEL32(00000000), ref: 00EB3E60
CloseHandle.KERNEL32(00000000), ref: 00EB3E6B

Strings

\??\%s, xrefs: 00EB3D5B
:, xrefs: 00EB3D82
\, xrefs: 00EB3D77

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: b12a4dadce9e92844c5b2e246ef2f6e50b35ef080561d0ce3b332c5ec0cd93c3
Instruction ID: 98b7c84c688a2347e07fb75a86ab7209d658ecbd7d825e6582c5f8c97725a8dd
Opcode Fuzzy Hash: b12a4dadce9e92844c5b2e246ef2f6e50b35ef080561d0ce3b332c5ec0cd93c3
Instruction Fuzzy Hash: 9631A57194021AABDB209BA1DC49FEF37BDEF88744F5051A6F505F6060E7709744CB24

Function 00EAE6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00EAE6B4

Part of subcall function 00E5E551: timeGetTime.WINMM(?,?,00EAE6D4), ref: 00E5E555

Sleep.KERNEL32(0000000A), ref: 00EAE6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 00EAE705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00EAE727
SetActiveWindow.USER32 ref: 00EAE746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00EAE754
SendMessageW.USER32(00000010,00000000,00000000), ref: 00EAE773
Sleep.KERNEL32(000000FA), ref: 00EAE77E
IsWindow.USER32 ref: 00EAE78A
EndDialog.USER32(00000000), ref: 00EAE79B

Strings

BUTTON, xrefs: 00EAE719

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: d86733227b8e44673365a9e160c79fa6a5c5e50dbd384d7f03bb3930bcffefa0
Instruction ID: 24c0668b0b7fa3e24d34d3aed7421e884e76efb6cabdda9182de1c5ac10258fa
Opcode Fuzzy Hash: d86733227b8e44673365a9e160c79fa6a5c5e50dbd384d7f03bb3930bcffefa0
Instruction Fuzzy Hash: 9B21C670301209AFEB005F71FC89B653BA9F79A788F216426F511B62E1DB71BC14EA25

Function 00EAE9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00E49CB3: _wcslen.LIBCMT ref: 00E49CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00EAEA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00EAEA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00EAEA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00EAEA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00EAEAA7

Strings

alias PlayMe, xrefs: 00EAEA36
play PlayMe, xrefs: 00EAEAA2
play PlayMe wait, xrefs: 00EAEA91
status PlayMe mode, xrefs: 00EAEA58
open , xrefs: 00EAEA0C
close PlayMe, xrefs: 00EAEA6E, 00EAEA9B

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: aa097e1a97246b1e42a448f98b2e373570a60edde66379bb9de129c40cc77e9e
Instruction ID: 25010fb5920d0fcaa49ee53d916b4caf623c0e37ea5100faf51f384cdc67a17e
Opcode Fuzzy Hash: aa097e1a97246b1e42a448f98b2e373570a60edde66379bb9de129c40cc77e9e
Instruction Fuzzy Hash: BC11A331A902597DE720A7A1EC4AEFF6BBCEBD6B04F001429B411F60D1EE705914D5B1

Function 00EA9F91 Relevance: 18.2, APIs: 12, Instructions: 188keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00EAA012
SetKeyboardState.USER32(?), ref: 00EAA07D
GetAsyncKeyState.USER32(000000A0), ref: 00EAA09D
GetKeyState.USER32(000000A0), ref: 00EAA0B4
GetAsyncKeyState.USER32(000000A1), ref: 00EAA0E3
GetKeyState.USER32(000000A1), ref: 00EAA0F4
GetAsyncKeyState.USER32(00000011), ref: 00EAA120
GetKeyState.USER32(00000011), ref: 00EAA12E
GetAsyncKeyState.USER32(00000012), ref: 00EAA157
GetKeyState.USER32(00000012), ref: 00EAA165
GetAsyncKeyState.USER32(0000005B), ref: 00EAA18E
GetKeyState.USER32(0000005B), ref: 00EAA19C

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 74d6fc864c5ba2fa2cf1480bb6cf0ad5402b0fbe0dcd929425f04fd77ff2acd7
Instruction ID: 841397d0d22a852c5c5aa83102355c6484ade5ff6de317c623d5e018ddea58b1
Opcode Fuzzy Hash: 74d6fc864c5ba2fa2cf1480bb6cf0ad5402b0fbe0dcd929425f04fd77ff2acd7
Instruction Fuzzy Hash: 0951C76460578429FB35DB6084107AABFF49F1B384F0C55AAD5C26F1C3DB54BA4CC762

Function 00EA5CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00EA5CE2
GetWindowRect.USER32(00000000,?), ref: 00EA5CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00EA5D59
GetDlgItem.USER32(?,00000002), ref: 00EA5D69
GetWindowRect.USER32(00000000,?), ref: 00EA5D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00EA5DCF
GetDlgItem.USER32(?,000003E9), ref: 00EA5DDD
GetWindowRect.USER32(00000000,?), ref: 00EA5DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00EA5E31
GetDlgItem.USER32(?,000003EA), ref: 00EA5E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00EA5E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00EA5E67

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 62cbb7ad48e20fd52f67604d292e2b6f200e2c2d047a11ffb05f27c2169bb0ff
Instruction ID: 9aa5039e65a423d05c80dd12941d5ceaaa360197c51be19ff4eae2833b1a6380
Opcode Fuzzy Hash: 62cbb7ad48e20fd52f67604d292e2b6f200e2c2d047a11ffb05f27c2169bb0ff
Instruction Fuzzy Hash: 6D512DB1A00606AFDF18CF69DD89AAEBBB5FB49740F209129F515F6290D770AE04CB50

Function 00E58BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00E58F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00E58BE8,?,00000000,?,?,?,?,00E58BBA,00000000,?), ref: 00E58FC5

DestroyWindow.USER32(?), ref: 00E58C81
KillTimer.USER32(00000000,?,?,?,?,00E58BBA,00000000,?), ref: 00E58D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00E96973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00E58BBA,00000000,?), ref: 00E969A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00E58BBA,00000000,?), ref: 00E969B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00E58BBA,00000000), ref: 00E969D4
DeleteObject.GDI32(00000000), ref: 00E969E6

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 2ef4d4add92141dbb38d121a37643de85c4b709a1760aea4edbcea70831fff30
Instruction ID: bcb999d4409d5c7823d8e7242d8a5f359d4f96cbb37867e3edd021f8c2a65c13
Opcode Fuzzy Hash: 2ef4d4add92141dbb38d121a37643de85c4b709a1760aea4edbcea70831fff30
Instruction Fuzzy Hash: B661BD30102605DFDF219F25DA48BA9B7F1FB4036AF11A91EE542BA560CB71AC88DF91

Function 00E59838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00E59944: GetWindowLongW.USER32(?,000000EB), ref: 00E59952

GetSysColor.USER32(0000000F), ref: 00E59862

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 20dd3a74a76edf4e24e551a7a2285e988b729d5ee1c6cffbe60c678edabb414b
Instruction ID: 95a5e341e01231a7c0c0d44c2401a66ab57d146b92bc0b00bbafa5b56988d5d6
Opcode Fuzzy Hash: 20dd3a74a76edf4e24e551a7a2285e988b729d5ee1c6cffbe60c678edabb414b
Instruction Fuzzy Hash: 1B41B131105610DFDF245F39AC84BF93BA5EB06376F245A06FAA2AB1E2C7309C49DB10

Function 00E78D45 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Strings

., xrefs: 00E7903A, 00E78FD0, 00E78FF2

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID:
String ID: .
API String ID: 0-3963672497
Opcode ID: 1addaeb056a19e08121e9d66ce074e917d78f1148585f28ca469f42fb299d883
Instruction ID: 01b15b178c08e32abd94f0ceea9bf65856c3ced2908146a2ba4fb7a69d4c1d28
Opcode Fuzzy Hash: 1addaeb056a19e08121e9d66ce074e917d78f1148585f28ca469f42fb299d883
Instruction Fuzzy Hash: 2FC10274A44249AFCB11DFA8E845BEDBBF0AF5A314F189199F518B7392CB308941CB61

Function 00EA96E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,00E8F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00EA9717
LoadStringW.USER32(00000000,?,00E8F7F8,00000001), ref: 00EA9720

Part of subcall function 00E49CB3: _wcslen.LIBCMT ref: 00E49CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,00E8F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00EA9742
LoadStringW.USER32(00000000,?,00E8F7F8,00000001), ref: 00EA9745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00EA9866

Strings

Line %d (File "%s"):, xrefs: 00EA978F
^ ERROR, xrefs: 00EA97FB
Line %d:, xrefs: 00EA97A0
%s (%d) : ==> %s: %s %s, xrefs: 00EA984A
Error: , xrefs: 00EA981D

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 17db5233b94d35bf7f801d70fae7e851b2159bdddc8632d7e5605ef02f497b40
Instruction ID: 9d7710d0b9c4e36a0b0cdfe798123ed66401c4f342068e0054a7cc9f7d834afb
Opcode Fuzzy Hash: 17db5233b94d35bf7f801d70fae7e851b2159bdddc8632d7e5605ef02f497b40
Instruction Fuzzy Hash: 98413E72900219AADF04EFE0ED86DEEB7B8AF59340F601065F60576092EB356F48DB61

Function 00EA06DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00E46B57: _wcslen.LIBCMT ref: 00E46B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00EA07A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00EA07BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00EA07DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00EA0804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 00EA082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00EA0837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00EA083C

Strings

\IPC$, xrefs: 00EA0784
SOFTWARE\Classes\, xrefs: 00EA070E
\CLSID, xrefs: 00EA0724

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 1fbdc5a30241af7cdc291507b4a278bedba895f3ec3e06162eab853bb19ad72f
Instruction ID: 756f7f10579faed60af4d3b4397abe69d804afd61b8f6567174477b81f365f65
Opcode Fuzzy Hash: 1fbdc5a30241af7cdc291507b4a278bedba895f3ec3e06162eab853bb19ad72f
Instruction Fuzzy Hash: C2411A72C00129AFDF15EBA4EC858EEB7B8FF48754B145125E901B71A1DB30AD04CB90

Function 00ED3F98 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00ED403B
CreateCompatibleDC.GDI32(00000000), ref: 00ED4042
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00ED4055
SelectObject.GDI32(00000000,00000000), ref: 00ED405D
GetPixel.GDI32(00000000,00000000,00000000), ref: 00ED4068
DeleteDC.GDI32(00000000), ref: 00ED4072
GetWindowLongW.USER32(?,000000EC), ref: 00ED407C
SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 00ED4092
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 00ED409E

Strings

static, xrefs: 00ED3FD3

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: a25bea5ef0a56dc5d7dc397d8664d1f0cc676d07b0255fb51fd5ba5055a9974c
Instruction ID: 02b0707a46d7ebf0a5e741fb9564ef6bec18daa7b91685b1d3492c82b25dbf94
Opcode Fuzzy Hash: a25bea5ef0a56dc5d7dc397d8664d1f0cc676d07b0255fb51fd5ba5055a9974c
Instruction Fuzzy Hash: 3E317C7210221AAFDF219FA5EC09FDA3BA9EF0D764F111212FA14B61E0C735D815DB51

Function 00EC3C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00EC3C5C
CoInitialize.OLE32(00000000), ref: 00EC3C8A
CoUninitialize.OLE32 ref: 00EC3C94
_wcslen.LIBCMT ref: 00EC3D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00EC3DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00EC3ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00EC3F0E
CoGetObject.OLE32(?,00000000,00EDFB98,?), ref: 00EC3F2D
SetErrorMode.KERNEL32(00000000), ref: 00EC3F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00EC3FC4
VariantClear.OLEAUT32(?), ref: 00EC3FD8

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: ab525d899641167c4a004335f1f49e8d3f7888f7d1d6acba1369d3072b0a5dcf
Instruction ID: 4d04f891bb24805ac19e079fcdb2a08524992640cee4515d3d5d9aa935b6f4b9
Opcode Fuzzy Hash: ab525d899641167c4a004335f1f49e8d3f7888f7d1d6acba1369d3072b0a5dcf
Instruction Fuzzy Hash: 3AC113716083019F9700DF68C984E6BBBE9FF89748F10991DF98AAB251D731ED06CB52

Function 00EB7A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00EB7AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00EB7B8F
SHGetDesktopFolder.SHELL32(?), ref: 00EB7BA3
CoCreateInstance.OLE32(00EDFD08,00000000,00000001,00F06E6C,?), ref: 00EB7BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00EB7C74
CoTaskMemFree.OLE32(?,?), ref: 00EB7CCC
SHBrowseForFolderW.SHELL32(?), ref: 00EB7D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00EB7D7A
CoTaskMemFree.OLE32(00000000), ref: 00EB7D81
CoTaskMemFree.OLE32(00000000), ref: 00EB7DD6
CoUninitialize.OLE32 ref: 00EB7DDC

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 199e2b1eed9d1fc96d89d330ba340532d20ece991902db6f44b102ff7a05a8fd
Instruction ID: 482aebb42f00eca01547aaf749eaf7affefd315bc0630d05aff1776204a3cfd0
Opcode Fuzzy Hash: 199e2b1eed9d1fc96d89d330ba340532d20ece991902db6f44b102ff7a05a8fd
Instruction Fuzzy Hash: E5C15A74A04109AFCB04DFA4D884DAEBBF9FF88344B149499E859EB761C730ED45CB90

Function 00ED541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00ED5504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00ED5515
CharNextW.USER32(00000158), ref: 00ED5544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00ED5585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00ED559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00ED55AC

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 928830bf6e96702ab88693edbb37c7fe01a9bfa06dff8f4634e7d946613f39a6
Instruction ID: b36c146dc1d689201712b305ea480b974bdf0ce6650046c1cc994af990970506
Opcode Fuzzy Hash: 928830bf6e96702ab88693edbb37c7fe01a9bfa06dff8f4634e7d946613f39a6
Instruction Fuzzy Hash: 39618D32901609EFDB108F55DC849FE7BB9EB05764F10514BF935BA390D7708A82DB62

Function 00E9FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00E9FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 00E9FB08
VariantInit.OLEAUT32(?), ref: 00E9FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 00E9FB3A
VariantCopy.OLEAUT32(?,?), ref: 00E9FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 00E9FBA1
VariantClear.OLEAUT32(?), ref: 00E9FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 00E9FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00E9FBCC
VariantClear.OLEAUT32(?), ref: 00E9FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00E9FBE9

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: b543d504fb3ee7c52ae182ce244d8a6a6701e98c0f48f7accbb5a2bbb7330d96
Instruction ID: 2c6c6a232b428d372e0ad810e7015b19fdb2c38a9cff2e277acd7261e7dc7088
Opcode Fuzzy Hash: b543d504fb3ee7c52ae182ce244d8a6a6701e98c0f48f7accbb5a2bbb7330d96
Instruction Fuzzy Hash: 9D417035A0021A9FCF04DF64D8649EEBBB9FF08344F109069E955F7261DB70A945CF90

Function 00EA9C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00EA9CA1
GetAsyncKeyState.USER32(000000A0), ref: 00EA9D22
GetKeyState.USER32(000000A0), ref: 00EA9D3D
GetAsyncKeyState.USER32(000000A1), ref: 00EA9D57
GetKeyState.USER32(000000A1), ref: 00EA9D6C
GetAsyncKeyState.USER32(00000011), ref: 00EA9D84
GetKeyState.USER32(00000011), ref: 00EA9D96
GetAsyncKeyState.USER32(00000012), ref: 00EA9DAE
GetKeyState.USER32(00000012), ref: 00EA9DC0
GetAsyncKeyState.USER32(0000005B), ref: 00EA9DD8
GetKeyState.USER32(0000005B), ref: 00EA9DEA

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: ae1b53eb5400c017343da7ccf4f5c250e7fcbfe0a838fe4cca55ed9adc397490
Instruction ID: 506d288515bfa5406750d3e90786c7ceadfddb10f8ff159e2c522af694095074
Opcode Fuzzy Hash: ae1b53eb5400c017343da7ccf4f5c250e7fcbfe0a838fe4cca55ed9adc397490
Instruction Fuzzy Hash: 9A41C734504BCA6DFF30866094443A5FEE0AF1B358F08905AD6C67E5C3D7A4B9C8C792

Function 00EC055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00EC05BC
inet_addr.WSOCK32(?), ref: 00EC061C
gethostbyname.WSOCK32(?), ref: 00EC0628
IcmpCreateFile.IPHLPAPI ref: 00EC0636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00EC06C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00EC06E5
IcmpCloseHandle.IPHLPAPI(?), ref: 00EC07B9
WSACleanup.WSOCK32 ref: 00EC07BF

Strings

Ping, xrefs: 00EC0676

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: ba42cf70207c582192b4708488a67f2e370c08d9951ddc79a0a31efd4adbc0ae
Instruction ID: a934fd4e5c16a680a1b7de5626ec4c7349ba41d9153cb0317ba1b4f5e9cdfe7b
Opcode Fuzzy Hash: ba42cf70207c582192b4708488a67f2e370c08d9951ddc79a0a31efd4adbc0ae
Instruction Fuzzy Hash: 5591AC34608201DFD724DF15D689F1ABBE0EF48318F1495AEE469AB6A2C731ED46CF81

Function 00EC8CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00EC8CF3

Part of subcall function 00EA8E54: _wcslen.LIBCMT ref: 00EA8E77

_wcslen.LIBCMT ref: 00EC8D4E
_wcslen.LIBCMT ref: 00EC8D9C
_wcslen.LIBCMT ref: 00EC8DDC
_wcslen.LIBCMT ref: 00EC8E6E

Strings

cdecl, xrefs: 00EC8D48, 00EC8D4D
winapi, xrefs: 00EC8D96, 00EC8D9B
none, xrefs: 00EC8E65, 00EC8E6A
stdcall, xrefs: 00EC8DD6, 00EC8DDB

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 6e74fbf46b8306b90543d4e65272cda32b53a6383d5edb8cc7404a0c7a1fa702
Instruction ID: 3339b709c0a213b7b03b38cf2a9e9dc7cb5fb9e6c833d71dea169b2d9cb2cc65
Opcode Fuzzy Hash: 6e74fbf46b8306b90543d4e65272cda32b53a6383d5edb8cc7404a0c7a1fa702
Instruction Fuzzy Hash: FC518D31A001169ACB14DF68CB50ABEB7E5AF64328B20522DE426F72C5DB32ED42C790

Function 00EC372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00EC3774
CoUninitialize.OLE32 ref: 00EC377F
CoCreateInstance.OLE32(?,00000000,00000017,00EDFB78,?), ref: 00EC37D9
IIDFromString.OLE32(?,?), ref: 00EC384C
VariantInit.OLEAUT32(?), ref: 00EC38E4
VariantClear.OLEAUT32(?), ref: 00EC3936

Strings

NULL Pointer assignment, xrefs: 00EC381E
Failed to create object, xrefs: 00EC37E4, 00EC389A
Invalid parameter, xrefs: 00EC3865

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: bdb725454fe020780ea25b7111cae830fc245dc0250e74ec6e96070d4f60c429
Instruction ID: e9d7b0446c6a16912fa1cb3767fc1d4af5852fa2e44968ab67c3ff090f670d5d
Opcode Fuzzy Hash: bdb725454fe020780ea25b7111cae830fc245dc0250e74ec6e96070d4f60c429
Instruction Fuzzy Hash: 7261BD71608301AFD314DF64D988F9ABBE4EF49714F10980EF985AB291C771EE49CB92

Function 00EB3388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 00EB33CF

Part of subcall function 00E49CB3: _wcslen.LIBCMT ref: 00E49CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00EB33F0

Strings

Incorrect parameters to object property !, xrefs: 00EB34AB
Line %d (File "%s"):, xrefs: 00EB3443, 00EB345C
"%s" (%d) : ==> %s:, xrefs: 00EB3522
^ ERROR , xrefs: 00EB349E
"%s" (%d) : ==> %s:%s%s, xrefs: 00EB3504
Error: , xrefs: 00EB34D1

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 3c08b6af42e307bab3e9dbb9d0e5cc08b6d7bd5a9952ba0d063397227a261e9f
Instruction ID: d7190169f1d8b9aa70a09650f4b59cfb2f1075d947c484973b5de2579d271f8a
Opcode Fuzzy Hash: 3c08b6af42e307bab3e9dbb9d0e5cc08b6d7bd5a9952ba0d063397227a261e9f
Instruction Fuzzy Hash: B151A272D00209AADF15EBE0ED46EEEB3B9EF08340F205165F51572092EB356F58EB61

Function 00EAB5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00EAB5FC
_wcslen.LIBCMT ref: 00EAB608
_wcslen.LIBCMT ref: 00EAB64D
_wcslen.LIBCMT ref: 00EAB68C
_wcslen.LIBCMT ref: 00EAB6C7

Strings

EXISTS, xrefs: 00EAB686, 00EAB68B
APPEND, xrefs: 00EAB6C1, 00EAB6C6
REMOVE, xrefs: 00EAB602, 00EAB607
KEYS, xrefs: 00EAB647, 00EAB64C

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: e1782025a3b2838c75b98c32b0351370c4c6278639a2e965d73207f51e8916f8
Instruction ID: 97223d1f27c8c40dfa3129a70fad2361a066279bc4cbae0465fd4efbd5ae2c10
Opcode Fuzzy Hash: e1782025a3b2838c75b98c32b0351370c4c6278639a2e965d73207f51e8916f8
Instruction Fuzzy Hash: B241EC32A000279BCB105F7DC8905BE77E5AFEA758B245229E421FF286E731DD81D790

Function 00EB5393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00EB53A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00EB5416
GetLastError.KERNEL32 ref: 00EB5420
SetErrorMode.KERNEL32(00000000,READY), ref: 00EB54A7

Strings

READONLY, xrefs: 00EB5452
READY, xrefs: 00EB5460, 00EB5468
UNKNOWN, xrefs: 00EB5444
NOTREADY, xrefs: 00EB544B
INVALID, xrefs: 00EB5459

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 66080c257d91e04a68380c5e0f189d1bf3b751b5830d9ac7343956cdc4b26ece
Instruction ID: 0bbb4fc5ee9c83fd06890bc0d1ba6193be72887f5061cb1e4f5a4afd4c2a329d
Opcode Fuzzy Hash: 66080c257d91e04a68380c5e0f189d1bf3b751b5830d9ac7343956cdc4b26ece
Instruction Fuzzy Hash: 2A31B036A006059FD710DF68D884BEBBBF4EF45309F149066E416EB292DB71DD86CB90

Function 00ED3C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00ED3C79
SetMenu.USER32(?,00000000), ref: 00ED3C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00ED3D10
IsMenu.USER32(?), ref: 00ED3D24
CreatePopupMenu.USER32 ref: 00ED3D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00ED3D5B
DrawMenuBar.USER32 ref: 00ED3D63

Strings

0, xrefs: 00ED3C54
F, xrefs: 00ED3D4E

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 33e65c90e69cbc94b2e18e932df941d9b6fa2b55c1cfce9b20a33b2d6c35626b
Instruction ID: b0f0d3346c1054d9dec3ff9c146eb38ca015f22bfbd7fa22c80814dc6b83bfe3
Opcode Fuzzy Hash: 33e65c90e69cbc94b2e18e932df941d9b6fa2b55c1cfce9b20a33b2d6c35626b
Instruction Fuzzy Hash: AF417E75A0120AEFDF14CF65E844ADA77B6FF49354F24002AF946A7360D730AA15CF51

Function 00EA1EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E49CB3: _wcslen.LIBCMT ref: 00E49CBD

Part of subcall function 00EA3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00EA3CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00EA1F64
GetDlgCtrlID.USER32 ref: 00EA1F6F
GetParent.USER32 ref: 00EA1F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 00EA1F8E
GetDlgCtrlID.USER32(?), ref: 00EA1F97
GetParent.USER32(?), ref: 00EA1FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 00EA1FAE

Strings

ListBox, xrefs: 00EA1F21
ComboBox, xrefs: 00EA1EEC

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 7bc752ed4032718e28d8c6859ede319dfe6dc4bc86c30083e0c289e9bee3ab73
Instruction ID: 137fd97e28f3185bcab59ddd27516a544e738022563c734532849cdffc5e4a83
Opcode Fuzzy Hash: 7bc752ed4032718e28d8c6859ede319dfe6dc4bc86c30083e0c289e9bee3ab73
Instruction Fuzzy Hash: EC21B374E00114BFCF04AFA0EC859EEBBB4EF0A350F101156B961772D1CB74A908DB61

Function 00EA1FC0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E49CB3: _wcslen.LIBCMT ref: 00E49CBD

Part of subcall function 00EA3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00EA3CCA

SendMessageW.USER32(?,00000186,00020000,00000000), ref: 00EA2043
GetDlgCtrlID.USER32 ref: 00EA204E
GetParent.USER32 ref: 00EA206A
SendMessageW.USER32(00000000,?,00000111,?), ref: 00EA206D
GetDlgCtrlID.USER32(?), ref: 00EA2076
GetParent.USER32(?), ref: 00EA208A
SendMessageW.USER32(00000000,?,00000111,?), ref: 00EA208D

Strings

ListBox, xrefs: 00EA2002
ComboBox, xrefs: 00EA1FCD

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 9d176de7fd9dc129f9bd4c3873a92b61ca876513223598fc6702c164a9b17570
Instruction ID: 2a842223ff2ec316dd34a29f80e3859cee459068d134f5c1ec4e867f6b9c6ff8
Opcode Fuzzy Hash: 9d176de7fd9dc129f9bd4c3873a92b61ca876513223598fc6702c164a9b17570
Instruction Fuzzy Hash: FF21D775D00214BFCF14AFA4DC85EEEBFB8EF09340F105006B951BB191CA759918DB61

Function 00ED3A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00ED3A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00ED3AA0
GetWindowLongW.USER32(?,000000F0), ref: 00ED3AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00ED3AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00ED3B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00ED3BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00ED3BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00ED3BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00ED3BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00ED3C13

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: f10e226a1cd8e3d05961841f2bc4f072351faf821fbb23e4409249597fc38637
Instruction ID: 9ba20eb11699899047fb5f43ef814fff2d704ede4fe1c31fb97acd1694ad3692
Opcode Fuzzy Hash: f10e226a1cd8e3d05961841f2bc4f072351faf821fbb23e4409249597fc38637
Instruction Fuzzy Hash: 9E615B75A00248AFDB10DFA8CC81EEE77F8EB09714F10419AFA15A7391D770AE46DB61

Function 00EAB12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00EAB151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00EAA1E1,?,00000001), ref: 00EAB165
GetWindowThreadProcessId.USER32(00000000), ref: 00EAB16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00EAA1E1,?,00000001), ref: 00EAB17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 00EAB18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,00EAA1E1,?,00000001), ref: 00EAB1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00EAA1E1,?,00000001), ref: 00EAB1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00EAA1E1,?,00000001), ref: 00EAB1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,00EAA1E1,?,00000001), ref: 00EAB212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,00EAA1E1,?,00000001), ref: 00EAB21D

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 04ad2d3224992846975bc28a5c81e2d6e5859f776144f2f1f35fd4fbd7369c98
Instruction ID: f0822bf3b4f0d7e82295bd6f07cec7db2943c219d6b01ddf250a87c85db891df
Opcode Fuzzy Hash: 04ad2d3224992846975bc28a5c81e2d6e5859f776144f2f1f35fd4fbd7369c98
Instruction Fuzzy Hash: E431C371501208BFDB109F25EC44BAD7BA9FB5A399F219006F911FA1A1D7B4AD40CF70

Function 00E72C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00E72C94

Part of subcall function 00E729C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00E7D7D1,00000000,00000000,00000000,00000000,?,00E7D7F8,00000000,00000007,00000000,?,00E7DBF5,00000000), ref: 00E729DE
Part of subcall function 00E729C8: GetLastError.KERNEL32(00000000,?,00E7D7D1,00000000,00000000,00000000,00000000,?,00E7D7F8,00000000,00000007,00000000,?,00E7DBF5,00000000,00000000), ref: 00E729F0

_free.LIBCMT ref: 00E72CA0
_free.LIBCMT ref: 00E72CAB
_free.LIBCMT ref: 00E72CB6
_free.LIBCMT ref: 00E72CC1
_free.LIBCMT ref: 00E72CCC
_free.LIBCMT ref: 00E72CD7
_free.LIBCMT ref: 00E72CE2
_free.LIBCMT ref: 00E72CED
_free.LIBCMT ref: 00E72CFB

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 9f19e327e29317bc26eaae652a9fdabb019bb6843338b74cd61ef6d379592a61
Instruction ID: 3a2aae6ce47a1cb69755843b8c97b571b5a9609d963a5aa2637e0a22983ddb2f
Opcode Fuzzy Hash: 9f19e327e29317bc26eaae652a9fdabb019bb6843338b74cd61ef6d379592a61
Instruction Fuzzy Hash: B511A776500108AFCB02EF64D842CDD7BA5FF45350F4594A9FB4C6F222D631EE909B90

Function 00EB7DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00EB7FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00EB7FC1
GetFileAttributesW.KERNEL32(?), ref: 00EB7FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 00EB8005
SetCurrentDirectoryW.KERNEL32(?), ref: 00EB8017
SetCurrentDirectoryW.KERNEL32(?), ref: 00EB8060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00EB80B0

Strings

*.*, xrefs: 00EB8066

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: 468841fdd3a09dd053eb56bebc77cefc51b1e368cd054a1be410d4b99f350514
Instruction ID: dcabc4ec09e831817637197586a52e090e32ba34acf1b43be4ecb994f1897ea5
Opcode Fuzzy Hash: 468841fdd3a09dd053eb56bebc77cefc51b1e368cd054a1be410d4b99f350514
Instruction Fuzzy Hash: 03818F715082019BDB20EF14C844AEBB3E8AFC8354F14685EF8C5E7651EB35ED49CB92

Function 00E45BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00E45C7A

Part of subcall function 00E45D0A: GetClientRect.USER32(?,?), ref: 00E45D30
Part of subcall function 00E45D0A: GetWindowRect.USER32(?,?), ref: 00E45D71
Part of subcall function 00E45D0A: ScreenToClient.USER32(?,?), ref: 00E45D99

GetDC.USER32 ref: 00E846F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00E84708
SelectObject.GDI32(00000000,00000000), ref: 00E84716
SelectObject.GDI32(00000000,00000000), ref: 00E8472B
ReleaseDC.USER32(?,00000000), ref: 00E84733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00E847C4

Strings

U, xrefs: 00E84693

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: ad9eb968f4d2c3e03df7ca4835b04fcabf3d19d78a7f5266714c1c1ebd5094c9
Instruction ID: 3af10999165d3c4369e10c078ec488f4308bedfb5ad2a99fd9bc548911739a52
Opcode Fuzzy Hash: ad9eb968f4d2c3e03df7ca4835b04fcabf3d19d78a7f5266714c1c1ebd5094c9
Instruction Fuzzy Hash: A571F371400206DFCF21AF64D984AFA7BB1FF4A368F14626AED5D7A1A6D3318841DF50

Function 00EB359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 00EB35E4

Part of subcall function 00E49CB3: _wcslen.LIBCMT ref: 00E49CBD

LoadStringW.USER32(00F12390,?,00000FFF,?), ref: 00EB360A

Strings

Line %d (File "%s"):, xrefs: 00EB366B
^ ERROR, xrefs: 00EB36C9
"%s" (%d) : ==> %s:, xrefs: 00EB3742
"%s" (%d) : ==> %s:%s%s, xrefs: 00EB3724
Error: , xrefs: 00EB36EF

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: f94a393468cf298b46d49bdcb374926ecafdedfd1f8a5570ad2780746c09d554
Instruction ID: 062f3bf06dacd8b8dbb4651591184ac011de47535affbf2acf854f7c22fb30d0
Opcode Fuzzy Hash: f94a393468cf298b46d49bdcb374926ecafdedfd1f8a5570ad2780746c09d554
Instruction Fuzzy Hash: 5F517171D00219BADF15EBA0EC42EEEBBB4EF04304F146125F51572192DB316B99DFA1

Function 00EBC253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00EBC272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00EBC29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00EBC2CA
GetLastError.KERNEL32 ref: 00EBC322
SetEvent.KERNEL32(?), ref: 00EBC336
InternetCloseHandle.WININET(00000000), ref: 00EBC341

Strings

, xrefs: 00EBC2BB

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 9014e2d29b3639eae70fa05e23f8fbe997609ae97b66f551bc5af3af50d66ebe
Instruction ID: 60db359300a64e65523e288ee972d3946d387bf5b4953c92321809d92e7aae95
Opcode Fuzzy Hash: 9014e2d29b3639eae70fa05e23f8fbe997609ae97b66f551bc5af3af50d66ebe
Instruction Fuzzy Hash: 17319171608608AFD7219F659C84AEB7BFCEB49784B64951EF486F2210DB34DD058B60

Function 00EA989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00E83AAF,?,?,Bad directive syntax error,00EDCC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 00EA98BC
LoadStringW.USER32(00000000,?,00E83AAF,?), ref: 00EA98C3

Part of subcall function 00E49CB3: _wcslen.LIBCMT ref: 00E49CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00EA9987

Strings

., xrefs: 00EA996D
%s (%d) : ==> %s.: %s %s, xrefs: 00EA98F1
Line %d (File "%s"):, xrefs: 00EA992D
Line %d:, xrefs: 00EA9912
Error: , xrefs: 00EA9955

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: d3ba866c33aec441cb43705e14ce2e790514772ad6e8c0f1ab1bcb98205c5db6
Instruction ID: 2576b4bc77724f5333dc225012532664db0eb139bac5c52413cf6227ebac7a06
Opcode Fuzzy Hash: d3ba866c33aec441cb43705e14ce2e790514772ad6e8c0f1ab1bcb98205c5db6
Instruction Fuzzy Hash: 90216F3290021AABDF15EF90DC0AEEE77B5FF18300F045466F515760A2DA31A628EB51

Function 00EA209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00EA20AB
GetClassNameW.USER32(00000000,?,00000100), ref: 00EA20C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00EA214D

Strings

smallicons, xrefs: 00EA2115
list, xrefs: 00EA212F
details, xrefs: 00EA20FB
largeicons, xrefs: 00EA20E1
SHELLDLL_DefView, xrefs: 00EA20CC

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 1abe62878f475493a2e02de6b2e0fdfc191c28f6f7b68ae1485886910dec67d7
Instruction ID: 36a9a6f159d9abd93355379aa3cdaef99d2f7e2064395906c36239dd5401f912
Opcode Fuzzy Hash: 1abe62878f475493a2e02de6b2e0fdfc191c28f6f7b68ae1485886910dec67d7
Instruction Fuzzy Hash: 2C11EBB66C570779FA012224AC06DE737DCCB1A754B20211AF704B90D1FAA1B8416915

Function 00E7CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 00E7CEB7
_free.LIBCMT ref: 00E7CF22
_free.LIBCMT ref: 00E7CF48
_free.LIBCMT ref: 00E7CF71
_free.LIBCMT ref: 00E7CFA9
_free.LIBCMT ref: 00E7CFDA
_free.LIBCMT ref: 00E7D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 00E7D09C
_free.LIBCMT ref: 00E7D0B5

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 1f89cdd5db8b572cf99f02201c47eaa972848ba6250a8936733bc492809ef6f0
Instruction ID: f3aa07bc893811c36776752ab7f8dbffbb93a8711fb6d340c72557a0443d79de
Opcode Fuzzy Hash: 1f89cdd5db8b572cf99f02201c47eaa972848ba6250a8936733bc492809ef6f0
Instruction Fuzzy Hash: 36616C71A043046FDB29AFB4AC41AAD7BE9EF05314F24E16EFA4CB7281DB319D418750

Function 00ED50D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00ED5186
ShowWindow.USER32(?,00000000), ref: 00ED51C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 00ED51CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 00ED51D1

Part of subcall function 00ED6FBA: DeleteObject.GDI32(00000000), ref: 00ED6FE6

GetWindowLongW.USER32(?,000000F0), ref: 00ED520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00ED521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00ED524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00ED5287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00ED5296

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: 5ee5f043e640fff9802f63288cd71322b959af5090fe02bc63ef3fc48bba9302
Instruction ID: bb6c7b596e60c810477dbd800c52b5380bac80f325720869d2a81d0a01467c1d
Opcode Fuzzy Hash: 5ee5f043e640fff9802f63288cd71322b959af5090fe02bc63ef3fc48bba9302
Instruction Fuzzy Hash: 7F51B032A42A09FEEF209F24CC45BD83BB5EB05365F146013FA24B63E1C371998ADB41

Function 00E58B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00E96890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 00E968A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00E968B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 00E968D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00E968F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00E58874,00000000,00000000,00000000,000000FF,00000000), ref: 00E96901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00E9691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00E58874,00000000,00000000,00000000,000000FF,00000000), ref: 00E9692D

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: ebe2255d40106ef29fda36e1941c4b52d65deadb87561bf40e69b4366d6419ba
Instruction ID: fe58c51601bd8a988c1cebdfa159795454045e249f7d7e831ea8421b01a003fc
Opcode Fuzzy Hash: ebe2255d40106ef29fda36e1941c4b52d65deadb87561bf40e69b4366d6419ba
Instruction Fuzzy Hash: BC519774600209EFDF208F25CC51BAA3BB9FB88765F105919F952B72A0DB70E984DB40

Function 00EBC143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00EBC182
GetLastError.KERNEL32 ref: 00EBC195
SetEvent.KERNEL32(?), ref: 00EBC1A9

Part of subcall function 00EBC253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00EBC272
Part of subcall function 00EBC253: GetLastError.KERNEL32 ref: 00EBC322
Part of subcall function 00EBC253: SetEvent.KERNEL32(?), ref: 00EBC336
Part of subcall function 00EBC253: InternetCloseHandle.WININET(00000000), ref: 00EBC341

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 3959f465c13e919dbf8e7c1975526f0207ae7eadfb636f95af5326793091074b
Instruction ID: e862237edf43b0c3de7e9b45e75631de607145237dcfd871e1dd27a5ea4e5cb0
Opcode Fuzzy Hash: 3959f465c13e919dbf8e7c1975526f0207ae7eadfb636f95af5326793091074b
Instruction Fuzzy Hash: B231AE71205A01EFDB219FB6ED04AA7BBF9FF58344B20541EF956E6620D730E814DBA0

Function 00EA25A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00EA3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00EA3A57
Part of subcall function 00EA3A3D: GetCurrentThreadId.KERNEL32 ref: 00EA3A5E
Part of subcall function 00EA3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00EA25B3), ref: 00EA3A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 00EA25BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00EA25DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00EA25DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 00EA25E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00EA2601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00EA2605
MapVirtualKeyW.USER32(00000025,00000000), ref: 00EA260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00EA2623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00EA2627

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 2bf182d6245bb70e03e6ce09ed133e6146626363897b8b7c47a716743d6f2550
Instruction ID: d26dba73aca0b683351b03458e48d0f21d3b053076758dd1a06d3f1ffeb78840
Opcode Fuzzy Hash: 2bf182d6245bb70e03e6ce09ed133e6146626363897b8b7c47a716743d6f2550
Instruction Fuzzy Hash: E101D830791320BBFB1067699C8AF597F99DB4EB51F201006F314BF0D1C9E16444CA6A

Function 00EA1803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00EA1449,?,?,00000000), ref: 00EA180C
HeapAlloc.KERNEL32(00000000,?,00EA1449,?,?,00000000), ref: 00EA1813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00EA1449,?,?,00000000), ref: 00EA1828
GetCurrentProcess.KERNEL32(?,00000000,?,00EA1449,?,?,00000000), ref: 00EA1830
DuplicateHandle.KERNEL32(00000000,?,00EA1449,?,?,00000000), ref: 00EA1833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00EA1449,?,?,00000000), ref: 00EA1843
GetCurrentProcess.KERNEL32(00EA1449,00000000,?,00EA1449,?,?,00000000), ref: 00EA184B
DuplicateHandle.KERNEL32(00000000,?,00EA1449,?,?,00000000), ref: 00EA184E
CreateThread.KERNEL32(00000000,00000000,00EA1874,00000000,00000000,00000000), ref: 00EA1868

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 2ec8ea440af999fb76cddd360519d0aa03b6c25d66d9180e63d94c5733206564
Instruction ID: 5a47dc6ecb0c89f957f1d9940f7adec5a6182c998889f851c2630b9f5472a180
Opcode Fuzzy Hash: 2ec8ea440af999fb76cddd360519d0aa03b6c25d66d9180e63d94c5733206564
Instruction Fuzzy Hash: B701C275241315BFE710AF75EC4DF573B6CEB89B51F104451FA05EB192C6749804CB20

Function 00E73E80 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00E73F0B
__alldvrm.LIBCMT ref: 00E7410C
__alldvrm.LIBCMT ref: 00E7412E

Strings

}}, xrefs: 00E740CD
}}, xrefs: 00E73E8A
}}, xrefs: 00E73E96, 00E73EF1, 00E73F0A, 00E74090

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID: }}$}}$}}
API String ID: 1036877536-1495402609
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: a298016f6ce550ca3a3934011ff869a4d739e6678305edcb31cd6bcd499797a1
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: 0EA179B1E003869FDB25DF28C8917AEBBE4EF61354F1491ADE59DAB2C1C3348981C751

Function 00ECA0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 00EAD4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 00EAD501
Part of subcall function 00EAD4DC: Process32FirstW.KERNEL32(00000000,?), ref: 00EAD50F
Part of subcall function 00EAD4DC: CloseHandle.KERNELBASE(00000000), ref: 00EAD5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00ECA16D
GetLastError.KERNEL32 ref: 00ECA180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00ECA1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 00ECA268
GetLastError.KERNEL32(00000000), ref: 00ECA273
CloseHandle.KERNEL32(00000000), ref: 00ECA2C4

Strings

SeDebugPrivilege, xrefs: 00ECA18F

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 6e425605ac2c4b39789c0194e1713e104a5e544c233fea4f831f568e0f08d8d5
Instruction ID: 876f00ea9c28dfab003b570519960227b1103a7c5e199e1af2a7d974ad0b3f20
Opcode Fuzzy Hash: 6e425605ac2c4b39789c0194e1713e104a5e544c233fea4f831f568e0f08d8d5
Instruction Fuzzy Hash: E261CE702092529FD724DF14D594F16BBE1AF4430CF18949CE466ABBA3C776EC4ACB82

Function 00ED3886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00ED3925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 00ED393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00ED3954
_wcslen.LIBCMT ref: 00ED3999
SendMessageW.USER32(?,00001057,00000000,?), ref: 00ED39C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00ED39F4

Strings

SysListView32, xrefs: 00ED38F7

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: a5b90bddc5862a55a98c2f60c341889b455a1e93a94775dccbce30ad43ae9b4b
Instruction ID: cbda60ec0352c8dd25d9804208f83e348b2564014b7e3bd19de0612e0f19ebc8
Opcode Fuzzy Hash: a5b90bddc5862a55a98c2f60c341889b455a1e93a94775dccbce30ad43ae9b4b
Instruction Fuzzy Hash: 4D41FC31A00209ABEB219F64CC49BEA7BA9EF08354F101127F958F72C1D7B0DA81CB91

Function 00EABC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00EABCFD
IsMenu.USER32(00000000), ref: 00EABD1D
CreatePopupMenu.USER32 ref: 00EABD53
GetMenuItemCount.USER32(01646678), ref: 00EABDA4
InsertMenuItemW.USER32(01646678,?,00000001,00000030), ref: 00EABDCC

Strings

0, xrefs: 00EABCA8
2, xrefs: 00EABD37

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: b31b71c0d0b5035d76bdb83c510a7460d8dabd311d0ae8b5ad77363a1b0ba3b6
Instruction ID: dfb823da3c7afee7ccb9887285d651b024b7f33aa5556310720427865b4d91a8
Opcode Fuzzy Hash: b31b71c0d0b5035d76bdb83c510a7460d8dabd311d0ae8b5ad77363a1b0ba3b6
Instruction Fuzzy Hash: 21518D70A002059BDF10CFB9D884BAEBBF4AF4A358F24525AE411FF292D770A945CB61

Function 00E62D20 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00E62D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00E62D53
_ValidateLocalCookies.LIBCMT ref: 00E62DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00E62E0C
_ValidateLocalCookies.LIBCMT ref: 00E62E61

Strings

csm, xrefs: 00E62DF6
&H, xrefs: 00E62DFE, 00E62E07, 00E62E18

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: &H$csm
API String ID: 1170836740-1242228090
Opcode ID: 66d71331d893b4d8ee2ba6df2acec8571e79f0ea7eb553902d293bc957e5a528
Instruction ID: 1ac4f54686859ad85031b06dc361493fa17f75f03032c07ef95acec7e4abd6b5
Opcode Fuzzy Hash: 66d71331d893b4d8ee2ba6df2acec8571e79f0ea7eb553902d293bc957e5a528
Instruction Fuzzy Hash: D941F634A406099BCF10DF68E844ADEBBF4BF443A8F149159E914BB392D731DA05CBD0

Function 00EAC874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00EAC913

Strings

blank, xrefs: 00EAC895
stop, xrefs: 00EAC8E4
question, xrefs: 00EAC8CC
warning, xrefs: 00EAC8FC
info, xrefs: 00EAC8B4

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 094124fdfe9f04892ff9cba257cda3e7bb0aa426aa9f818343b378e59b5fb3ca
Instruction ID: 4ecd18623a356dad3e42bb1eddddadae5736f8ae779830baa4d2839d826d3ead
Opcode Fuzzy Hash: 094124fdfe9f04892ff9cba257cda3e7bb0aa426aa9f818343b378e59b5fb3ca
Instruction Fuzzy Hash: 70112B35689307BEE7055B54AC82CEB67DCDF5A358B30102FF504FA2C2EBA4BD006265

Function 00EADE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00EADE42
gethostname.WSOCK32(?,00000100), ref: 00EADE5C
gethostbyname.WSOCK32(?), ref: 00EADE69
inet_ntoa.WSOCK32(?), ref: 00EADEAB
_strcat.LIBCMT ref: 00EADEB9
WSACleanup.WSOCK32 ref: 00EADEDE

Strings

0.0.0.0, xrefs: 00EADE87

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: c8528f9ceca2b0f22244e9f1d8665e20cf0dbda3b16d579c423b8d21623db6b8
Instruction ID: b0edc4c278910f00f7b90629c239d76afbdd620ba958834b0aee5513be906a68
Opcode Fuzzy Hash: c8528f9ceca2b0f22244e9f1d8665e20cf0dbda3b16d579c423b8d21623db6b8
Instruction Fuzzy Hash: 53113A71948115AFCB246B30AC0AEDE77FCDF19364F10116AF406BA091EF70AA81DA50

Function 00ED9F86 Relevance: 12.3, APIs: 8, Instructions: 260windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E59BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00E59BB2

GetSystemMetrics.USER32(0000000F), ref: 00ED9FC7
GetSystemMetrics.USER32(0000000F), ref: 00ED9FE7
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00EDA224
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00EDA242
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00EDA263
ShowWindow.USER32(00000003,00000000), ref: 00EDA282
InvalidateRect.USER32(?,00000000,00000001), ref: 00EDA2A7
DefDlgProcW.USER32(?,00000005,?,?), ref: 00EDA2CA

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: 67bb4ecc37ba9cf984a48f366bb9817f8b6853aa02f49b2b659bd612449e5f20
Instruction ID: 8970cf87e0a430130ec0c9fe8a6d9d77d5dabd283688ee1e627c8d51604ffc35
Opcode Fuzzy Hash: 67bb4ecc37ba9cf984a48f366bb9817f8b6853aa02f49b2b659bd612449e5f20
Instruction Fuzzy Hash: 82B1B731600219AFDF14CF69C9857AE3BB2FF44705F08907AEC49AB3A5D731AA41CB51

Function 00EAED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00EAED2A
_wcslen.LIBCMT ref: 00EAED3B
_wcslen.LIBCMT ref: 00EAED79
_wcslen.LIBCMT ref: 00EAEDAF
_wcslen.LIBCMT ref: 00EAEDDF
_wcslen.LIBCMT ref: 00EAEDEF
_wcslen.LIBCMT ref: 00EAEE2B
_wcslen.LIBCMT ref: 00EAEE5A

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 1ee220d49d26e52248a42dcb4c3b732b82efe94fddd8a11d0054d4f20bf9d5f1
Instruction ID: 9643025c03bf2f63c07f79b96ff80355545f462ffe9133af136c9f9b9d56b249
Opcode Fuzzy Hash: 1ee220d49d26e52248a42dcb4c3b732b82efe94fddd8a11d0054d4f20bf9d5f1
Instruction Fuzzy Hash: F041BE65C5021876DB11EBB49C8A9CFB3ECAF46340F50A462E518F3262FB34E245C3A6

Function 00E5F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00E9682C,00000004,00000000,00000000), ref: 00E5F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,00E9682C,00000004,00000000,00000000), ref: 00E9F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00E9682C,00000004,00000000,00000000), ref: 00E9F454

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 9c889b5849421cc5a78b8accd82a1dda02d3225aa3e1c93419c8650b14f49bb6
Instruction ID: 17a4e69865342fde6c06e6f83e885f2161124e0fc2c15a93f66fa64921cd8021
Opcode Fuzzy Hash: 9c889b5849421cc5a78b8accd82a1dda02d3225aa3e1c93419c8650b14f49bb6
Instruction Fuzzy Hash: E6414031504A80BECB348B79D9887AA7BD1BBD635AF14783DE857B2560C671D488C711

Function 00ED2D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00ED2D1B
GetDC.USER32(00000000), ref: 00ED2D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00ED2D2E
ReleaseDC.USER32(00000000,00000000), ref: 00ED2D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00ED2D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00ED2D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00ED5A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00ED2DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00ED2DE1

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 9ac7d97e943a787bd0c943834d328580d70de4825014d392990d932fa325d548
Instruction ID: 6bcfc957c7d86159057803afc26c3bd19136da4c2ebb8367243c2336d6e2f487
Opcode Fuzzy Hash: 9ac7d97e943a787bd0c943834d328580d70de4825014d392990d932fa325d548
Instruction Fuzzy Hash: BC31AE72202214BFEB118F51DC8AFEB3FADEF19755F144056FE08AA291C6759C41CBA1

Function 00EA5622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00EA5637
_memcmp.LIBVCRUNTIME ref: 00EA5659
_memcmp.LIBVCRUNTIME ref: 00EA5671
_memcmp.LIBVCRUNTIME ref: 00EA5684
_memcmp.LIBVCRUNTIME ref: 00EA569E
_memcmp.LIBVCRUNTIME ref: 00EA56B1
_memcmp.LIBVCRUNTIME ref: 00EA56C9
_memcmp.LIBVCRUNTIME ref: 00EA56E4

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 87a98ab4f77f0d3fec6f0d8f83887b5ec44708487b3e162d553a5faf3d89ff34
Instruction ID: fda035ffbc755e9b7ae9aabebd4edf0ed6b81a3062c308f632feb057ea846190
Opcode Fuzzy Hash: 87a98ab4f77f0d3fec6f0d8f83887b5ec44708487b3e162d553a5faf3d89ff34
Instruction Fuzzy Hash: D121DA636C0B05B7D21595105E82FFA739CEF6A388F456022FD067E741F720FD1181A5

Function 00EC4FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 00EC502E, 00EC5383
Not an Object type, xrefs: 00EC5007

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: fba874f717cb0d16cb5b44a56b4d4088ddf53eb22d647b5e4c867db81bd30de1
Instruction ID: 1e86bbe561bc673312c02fc4999c90f1698d9087d93bf410a067c62f713dbf0d
Opcode Fuzzy Hash: fba874f717cb0d16cb5b44a56b4d4088ddf53eb22d647b5e4c867db81bd30de1
Instruction Fuzzy Hash: FFD1AE72A0060A9FDF14CF98C981FAEB7B5BF48344F14906DE915BB281D772E986CB50

Function 00E81522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?), ref: 00E815CE
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00E81651
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00E816E4
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00E816FB

Part of subcall function 00E73820: RtlAllocateHeap.NTDLL(00000000,?,00F11444,?,00E5FDF5,?,?,00E4A976,00000010,00F11440,00E413FC,?,00E413C6,?,00E41129), ref: 00E73852

MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00E81777
__freea.LIBCMT ref: 00E817A2
__freea.LIBCMT ref: 00E817AE

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 6f086f8591e48f68ac799a6befb344f564a33e25fc80df3a074a84fa0b24a662
Instruction ID: 11a2eb21246f0f0dc470b831a69aeae5bbb9861f86c31c94da705990384db0db
Opcode Fuzzy Hash: 6f086f8591e48f68ac799a6befb344f564a33e25fc80df3a074a84fa0b24a662
Instruction Fuzzy Hash: 4991B371E002169ADB20AF74D841AEE7BF9EF49354F18669AE80DF7181D735CC42CB60

Function 00EC4523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00EC4648
VariantInit.OLEAUT32(?), ref: 00EC4749
VariantClear.OLEAUT32(?), ref: 00EC4753
VariantClear.OLEAUT32(?), ref: 00EC47B0

Strings

Null Object assignment in FOR..IN loop, xrefs: 00EC45D8, 00EC4706, 00EC47BE
Incorrect Object type in FOR..IN loop, xrefs: 00EC472C

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 6b3d0e0828c9806c40bf1b45ea7ed8474100a66a7585e1b0346714f89d87a189
Instruction ID: 6f7d13fc56f42cabc31211c69096c2a5cf8e90b28dcb1bc5e00a930786e8469e
Opcode Fuzzy Hash: 6b3d0e0828c9806c40bf1b45ea7ed8474100a66a7585e1b0346714f89d87a189
Instruction Fuzzy Hash: 1091ADB0A00219ABDF20CFA4C954FAEBBB8EF46714F10955EF505BB2C0D7719946CBA0

Function 00EB1187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 00EB125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00EB1284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 00EB12A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00EB12D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00EB135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00EB13C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00EB1430

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: b8ac6cc66389ba997798a86999b0885c221b0b2a43c6ed857eb3911350a25d8f
Instruction ID: f32a3651642e62ab668c47e07d71f204be6c88a9943d20c0f46bfeac11c5ac5b
Opcode Fuzzy Hash: b8ac6cc66389ba997798a86999b0885c221b0b2a43c6ed857eb3911350a25d8f
Instruction Fuzzy Hash: F191DD71A00219AFDB009FA8D8A4BEFB7F5FF45325F1050A9E910FB2A1D774A941CB90

Function 00E5948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: a3dc267ffcffdee285cf28971c9187ac05f76f1311874feb813d93315e5de164
Instruction ID: 0e453b04db58b4d5fd563277b4b9d1e65502f9a7c9c2efbed517fef6e045b4ca
Opcode Fuzzy Hash: a3dc267ffcffdee285cf28971c9187ac05f76f1311874feb813d93315e5de164
Instruction Fuzzy Hash: 1A914871D00219EFCB10CFA9CC84AEEBBB8FF48320F149555E915B7252D378A955CB60

Function 00EC3947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00EC396B
CharUpperBuffW.USER32(?,?), ref: 00EC3A7A
_wcslen.LIBCMT ref: 00EC3A8A
VariantClear.OLEAUT32(?), ref: 00EC3C1F

Part of subcall function 00EB0CDF: VariantInit.OLEAUT32(00000000), ref: 00EB0D1F
Part of subcall function 00EB0CDF: VariantCopy.OLEAUT32(?,?), ref: 00EB0D28
Part of subcall function 00EB0CDF: VariantClear.OLEAUT32(?), ref: 00EB0D34

Strings

Incorrect Parameter format, xrefs: 00EC39A6, 00EC3BA1
AUTOIT.ERROR, xrefs: 00EC3A80, 00EC3A85

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 46173c3f5c924353c4c125bc43a581e26bc242be226a33525d385cc9a129431c
Instruction ID: cc4406ed9777d18d69dcd13f6d30c68630b009058372202029bcfe71564db454
Opcode Fuzzy Hash: 46173c3f5c924353c4c125bc43a581e26bc242be226a33525d385cc9a129431c
Instruction Fuzzy Hash: 21915A75A083019FC704EF24C580A6AB7E5FF89314F14996DF889AB351DB31EE46CB92

Function 00EC4BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 00EA000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00E9FF41,80070057,?,?,?,00EA035E), ref: 00EA002B
Part of subcall function 00EA000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00E9FF41,80070057,?,?), ref: 00EA0046
Part of subcall function 00EA000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00E9FF41,80070057,?,?), ref: 00EA0054
Part of subcall function 00EA000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00E9FF41,80070057,?), ref: 00EA0064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00EC4C51
_wcslen.LIBCMT ref: 00EC4D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00EC4DCF
CoTaskMemFree.OLE32(?), ref: 00EC4DDA

Strings

NULL Pointer assignment, xrefs: 00EC4E23, 00EC4E52

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: b42a7e126d594fe774e103495b45504c0fccda28c9ae7a06134cd3d9b5fb171a
Instruction ID: 7efb8c24e2c97cb7b04f166fdae6ef54f90bdab476d32a45d15506d1e6acc57f
Opcode Fuzzy Hash: b42a7e126d594fe774e103495b45504c0fccda28c9ae7a06134cd3d9b5fb171a
Instruction Fuzzy Hash: DD9127B1D002199FDF14DFA4D890EEEBBB8BF08314F10516AE915BB291DB315A45CF60

Function 00ED20FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00ED2183
GetMenuItemCount.USER32(00000000), ref: 00ED21B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00ED21DD
_wcslen.LIBCMT ref: 00ED2213
GetMenuItemID.USER32(?,?), ref: 00ED224D
GetSubMenu.USER32(?,?), ref: 00ED225B

Part of subcall function 00EA3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00EA3A57
Part of subcall function 00EA3A3D: GetCurrentThreadId.KERNEL32 ref: 00EA3A5E
Part of subcall function 00EA3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00EA25B3), ref: 00EA3A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00ED22E3

Part of subcall function 00EAE97B: Sleep.KERNEL32 ref: 00EAE9F3

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 44639a64eb825a3193250d371e83bf24853cc47858b11e0ee4cfa5a89bb0cfa8
Instruction ID: 0de30793a11257d6f62fff956cdd1e6efde87e5d80f42686aa8eac7ddb070936
Opcode Fuzzy Hash: 44639a64eb825a3193250d371e83bf24853cc47858b11e0ee4cfa5a89bb0cfa8
Instruction Fuzzy Hash: A8719D35A00205AFCB10DF64C841AAEB7F5EF98310F14945EEA26FB351DB35EE428B90

Function 00ED7E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(016463A8), ref: 00ED7F37
IsWindowEnabled.USER32(016463A8), ref: 00ED7F43
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 00ED801E
SendMessageW.USER32(016463A8,000000B0,?,?), ref: 00ED8051
IsDlgButtonChecked.USER32(?,?), ref: 00ED8089
GetWindowLongW.USER32(016463A8,000000EC), ref: 00ED80AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00ED80C3

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 3d8a39e4fd668ed8973ca399504cf480b6e3cd377f430eef1687e145196c8a68
Instruction ID: 98cf63a531aeb161e3d019394570066d928e9997c117445b177eed20927dfdf8
Opcode Fuzzy Hash: 3d8a39e4fd668ed8973ca399504cf480b6e3cd377f430eef1687e145196c8a68
Instruction Fuzzy Hash: B571BF34608204AFEB319F54C984FEABBB5FF09344F14505BE995B73A1DB31A84ADB10

Function 00EAAEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00EAAEF9
GetKeyboardState.USER32(?), ref: 00EAAF0E
SetKeyboardState.USER32(?), ref: 00EAAF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 00EAAF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 00EAAFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 00EAAFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00EAB020

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: d3742b4b2d6e4adced2cae38e52fbe23e7872cc49037d31ba46e06b0cbc4ba06
Instruction ID: 64a21f1a8dd9cef2de80d49d4351d7782b9e8f8bbdde54ad4533e17f07b9ce19
Opcode Fuzzy Hash: d3742b4b2d6e4adced2cae38e52fbe23e7872cc49037d31ba46e06b0cbc4ba06
Instruction Fuzzy Hash: 2851A1A06047D57DFB364234CC45BBABEE95B0B308F0C959AE1E9694D3C398B8C8D761

Function 00EAACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00EAAD19
GetKeyboardState.USER32(?), ref: 00EAAD2E
SetKeyboardState.USER32(?), ref: 00EAAD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00EAADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00EAADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00EAAE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00EAAE38

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: cd6c720ed9dbd346596bca661c55961ea46415057befb20c3c27c122e0934c1f
Instruction ID: 0bb846b9dcbcafe2b78f4a2e6e01b234125d7dd69c170b7bbffdad4ee7b587c0
Opcode Fuzzy Hash: cd6c720ed9dbd346596bca661c55961ea46415057befb20c3c27c122e0934c1f
Instruction Fuzzy Hash: C651B1A15047D53DFB3782248C55B7ABEE85B4B308F0CA499E1D56E8C2D394FC88E762

Function 00E7542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00E83CD6,?,?,?,?,?,?,?,?,00E75BA3,?,?,00E83CD6,?,?), ref: 00E75470
__fassign.LIBCMT ref: 00E754EB
__fassign.LIBCMT ref: 00E75506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00E83CD6,00000005,00000000,00000000), ref: 00E7552C
WriteFile.KERNEL32(?,00E83CD6,00000000,00E75BA3,00000000,?,?,?,?,?,?,?,?,?,00E75BA3,?), ref: 00E7554B
WriteFile.KERNEL32(?,?,00000001,00E75BA3,00000000,?,?,?,?,?,?,?,?,?,00E75BA3,?), ref: 00E75584

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: b1d2584cd52ba57a4b2f81552fd9a4ddb0389c3d9d7cd78d477568355f725ea2
Instruction ID: 08ea1f466b4951d206d57d74364a43a5c3d74fc5251e306170f658535b1c9d7d
Opcode Fuzzy Hash: b1d2584cd52ba57a4b2f81552fd9a4ddb0389c3d9d7cd78d477568355f725ea2
Instruction Fuzzy Hash: A951C371A006499FDB10CFA8D845AEEBBF9EF09300F14915AF959F7291E7709A41CF60

Function 00EC10B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00EC304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00EC307A
Part of subcall function 00EC304E: _wcslen.LIBCMT ref: 00EC309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00EC1112
WSAGetLastError.WSOCK32 ref: 00EC1121
WSAGetLastError.WSOCK32 ref: 00EC11C9
closesocket.WSOCK32(00000000), ref: 00EC11F9

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: b3d58cc91b204d878eac776423f070a1d24fd37a0032fef4d6c23c93e09f3784
Instruction ID: c6ee3c473a1b174a36258815ca5a08abbf64193c667d71cf6c4ed9a0d421e5e8
Opcode Fuzzy Hash: b3d58cc91b204d878eac776423f070a1d24fd37a0032fef4d6c23c93e09f3784
Instruction Fuzzy Hash: 31412631201205AFDB109F24D944FA9B7E9EF42368F188099FD15BB282C779ED46CBE0

Function 00EACF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00EADDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00EACF22,?), ref: 00EADDFD

Part of subcall function 00EADDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00EACF22,?), ref: 00EADE16

lstrcmpiW.KERNEL32(?,?), ref: 00EACF45
MoveFileW.KERNEL32(?,?), ref: 00EACF7F
_wcslen.LIBCMT ref: 00EAD005
_wcslen.LIBCMT ref: 00EAD01B
SHFileOperationW.SHELL32(?), ref: 00EAD061

Strings

\*.*, xrefs: 00EACFF3

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 43f4a9803427c3664b6eb5cfb1c8234cdb01baa90abffc9ba1204462a19c1b0d
Instruction ID: bdb834b0035608c79aa57c4a8aff04b30b679d09253491f862cd5c4f839c9b27
Opcode Fuzzy Hash: 43f4a9803427c3664b6eb5cfb1c8234cdb01baa90abffc9ba1204462a19c1b0d
Instruction Fuzzy Hash: 854163759452199EDF12EBA4DD81ADEB7F9AF0D380F1010E6E505FF142EA34BA48CB50

Function 00ED2DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00ED2E1C
GetWindowLongW.USER32(?,000000F0), ref: 00ED2E4F
GetWindowLongW.USER32(?,000000F0), ref: 00ED2E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00ED2EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00ED2EE0
GetWindowLongW.USER32(?,000000F0), ref: 00ED2EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00ED2F0B

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: c1e0075132796b7b62d1594597beceb35ed3730008d737b31ed8f1b40e8913f8
Instruction ID: cffaae7062b80b5f2377fe1877905cc5de853d2bb572238bc47f7e64c5d4331e
Opcode Fuzzy Hash: c1e0075132796b7b62d1594597beceb35ed3730008d737b31ed8f1b40e8913f8
Instruction Fuzzy Hash: F53137306451459FEB22CF19DC84FA537E0FBAAB14F1551AAFA10AB2B1CB71E841EB01

Function 00EA7726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00EA7769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00EA778F
SysAllocString.OLEAUT32(00000000), ref: 00EA7792
SysAllocString.OLEAUT32(?), ref: 00EA77B0
SysFreeString.OLEAUT32(?), ref: 00EA77B9
StringFromGUID2.OLE32(?,?,00000028), ref: 00EA77DE
SysAllocString.OLEAUT32(?), ref: 00EA77EC

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 53afbf3a6a943085365c0d7d5819cf4e00814cff7567caebb5cc7b6b81ae7576
Instruction ID: 5381c3f32a7bfa77aa367c67d9c6589896e3728b2c8d3e7874a64ec91569e37d
Opcode Fuzzy Hash: 53afbf3a6a943085365c0d7d5819cf4e00814cff7567caebb5cc7b6b81ae7576
Instruction Fuzzy Hash: BD21DE3660921AAFDB00DFA8DC88CFB33ECEB0A3A47108026FA54EB150D670EC45C760

Function 00EA77FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00EA7842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00EA7868
SysAllocString.OLEAUT32(00000000), ref: 00EA786B
SysAllocString.OLEAUT32 ref: 00EA788C
SysFreeString.OLEAUT32 ref: 00EA7895
StringFromGUID2.OLE32(?,?,00000028), ref: 00EA78AF
SysAllocString.OLEAUT32(?), ref: 00EA78BD

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 7e6294a0204edf76700f81f81c88ce966ed22b3cc14788a2a131463bc7f0bd4e
Instruction ID: 8dee8932953ff464b1bf56c7147d45b52a0cab070113167c2947fcc016d2c439
Opcode Fuzzy Hash: 7e6294a0204edf76700f81f81c88ce966ed22b3cc14788a2a131463bc7f0bd4e
Instruction Fuzzy Hash: 8721F131608215AFDB14DFA8DC88CAA77ECEF0E3607108125F910EF2A0DA78EC44CB64

Function 00EB04D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00EB04F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00EB052E

Strings

nul, xrefs: 00EB0567

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 96d951cc77f723bc107fab92b26bf372136fa59dcf3d58d31a082d27d7671191
Instruction ID: 1f4911eb983a6fd0b481e5ae044077419c55709775b4006c441bf68bfe2921e0
Opcode Fuzzy Hash: 96d951cc77f723bc107fab92b26bf372136fa59dcf3d58d31a082d27d7671191
Instruction Fuzzy Hash: 24215CB5501306AFDB309F69DC44ADB77E4AF44768F204A19E9A1F62E0D770A944CF20

Function 00EB05A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00EB05C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00EB0601

Strings

nul, xrefs: 00EB0639

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 34177229644d88f0d70f42d21cdbedfa568b42b61661ab9fa3876513ad2e1e94
Instruction ID: a39fd1d75259ba30cd029af6fe82df90c8fd69112c3ef0c30b0f284ffb6163f3
Opcode Fuzzy Hash: 34177229644d88f0d70f42d21cdbedfa568b42b61661ab9fa3876513ad2e1e94
Instruction Fuzzy Hash: B2217F755003069FDB209F699C04ADB77E4BF95764F201B19E9A1F72E4D770A860CB10

Function 00ED40AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E4600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00E4604C
Part of subcall function 00E4600E: GetStockObject.GDI32(00000011), ref: 00E46060
Part of subcall function 00E4600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00E4606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00ED4112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00ED411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00ED412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00ED4139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00ED4145

Strings

Msctls_Progress32, xrefs: 00ED40E3

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: a5bd4d371bd1cf06cb0e63985d166ef12192f33427c05433a47883f97ac5021f
Instruction ID: 2a944d1e6c4f87751a5925e6be0c4e2622ce37e05e1d9d857edb217d5ed187cf
Opcode Fuzzy Hash: a5bd4d371bd1cf06cb0e63985d166ef12192f33427c05433a47883f97ac5021f
Instruction Fuzzy Hash: F31193B2150219BFEF119E64CC85EE77FADEF18798F015111B718A2190C672DC21DBA4

Function 00E7D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00E7D7A3: _free.LIBCMT ref: 00E7D7CC

_free.LIBCMT ref: 00E7D82D

Part of subcall function 00E729C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00E7D7D1,00000000,00000000,00000000,00000000,?,00E7D7F8,00000000,00000007,00000000,?,00E7DBF5,00000000), ref: 00E729DE
Part of subcall function 00E729C8: GetLastError.KERNEL32(00000000,?,00E7D7D1,00000000,00000000,00000000,00000000,?,00E7D7F8,00000000,00000007,00000000,?,00E7DBF5,00000000,00000000), ref: 00E729F0

_free.LIBCMT ref: 00E7D838
_free.LIBCMT ref: 00E7D843
_free.LIBCMT ref: 00E7D897
_free.LIBCMT ref: 00E7D8A2
_free.LIBCMT ref: 00E7D8AD
_free.LIBCMT ref: 00E7D8B8

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: 011f3f40f8d44a1f048a904bc20134d84f79604b1242c55b2019989e3726f615
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: B7115E71544B04AAD625FFB4CC47FCBBBECAF80700F44982AF39DB6092DA65B5458760

Function 00EADA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00EADA74
LoadStringW.USER32(00000000), ref: 00EADA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00EADA91
LoadStringW.USER32(00000000), ref: 00EADA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00EADADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00EADAB9

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: d4d4676b85d8c7708552735d5f5db3d1754e49e1ec5e28122f05acd26995d2f9
Instruction ID: 86aa0f2e761d5b46082847452e6cccf3916435cb00e85ef6bdce3dc257fdbf9a
Opcode Fuzzy Hash: d4d4676b85d8c7708552735d5f5db3d1754e49e1ec5e28122f05acd26995d2f9
Instruction Fuzzy Hash: 690162F65002197FE7109BA0AD89EEB776CEB09741F500592B716F6081EA74AE888F74

Function 00EB096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(0163E058,0163E058), ref: 00EB097B
EnterCriticalSection.KERNEL32(0163E038,00000000), ref: 00EB098D
TerminateThread.KERNEL32(?,000001F6), ref: 00EB099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 00EB09A9
CloseHandle.KERNEL32(?), ref: 00EB09B8
InterlockedExchange.KERNEL32(0163E058,000001F6), ref: 00EB09C8
LeaveCriticalSection.KERNEL32(0163E038), ref: 00EB09CF

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 9218f37f30d8eb2c7ef6a692d95781085852642f6b3f28d6afffd525848183be
Instruction ID: 44d6566f0f21e971f22311cdcd547c165a7fb50712dd13f3a6515fb0fca00771
Opcode Fuzzy Hash: 9218f37f30d8eb2c7ef6a692d95781085852642f6b3f28d6afffd525848183be
Instruction Fuzzy Hash: FEF01D31483913AFD7515B95EE88BD67B35FF41742F502116F101B08B1C774A469CF90

Function 00E45D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00E45D30
GetWindowRect.USER32(?,?), ref: 00E45D71
ScreenToClient.USER32(?,?), ref: 00E45D99
GetClientRect.USER32(?,?), ref: 00E45ED7
GetWindowRect.USER32(?,?), ref: 00E45EF8

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: dd4a675fb4208d651e64e3bd88e8911cfdf4970acac869bda8ef469ce336cb42
Instruction ID: 983f76d339ba2abed68a21bdb3157202d52da9b479051533ea5737851a06988a
Opcode Fuzzy Hash: dd4a675fb4208d651e64e3bd88e8911cfdf4970acac869bda8ef469ce336cb42
Instruction Fuzzy Hash: 6BB17975A0074ADFDB14DFA9D4807EAB7F1FF48314F14A41AE8A9E7290DB34AA41CB50

Function 00E701B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 00E700BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E700D6
__allrem.LIBCMT ref: 00E700ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E7010B
__allrem.LIBCMT ref: 00E70122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E70140

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction ID: f17930a8099cba36ff5f834a769c489e17097516d9d3bf99dea1af598bdd60a9
Opcode Fuzzy Hash: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction Fuzzy Hash: 8A812871B00706DBE724AF68DC41B6B73E9AF41368F24A53EF559F6281E7B0D9008B50

Function 00EC1D10 Relevance: 9.3, APIs: 6, Instructions: 254networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00EC3149: select.WSOCK32(00000000,?,00000000,00000000,?,?,?,00000000,?,?,?,00EC101C,00000000,?,?,00000000), ref: 00EC3195

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00EC1DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00EC1DE1
WSAGetLastError.WSOCK32 ref: 00EC1DF2
inet_ntoa.WSOCK32(?), ref: 00EC1E8C
htons.WSOCK32(?,?,?,?,?), ref: 00EC1EDB
_strlen.LIBCMT ref: 00EC1F35

Part of subcall function 00EA39E8: _strlen.LIBCMT ref: 00EA39F2

Part of subcall function 00E46D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000002,?,?,?,?,00E5CF58,?,?,?), ref: 00E46DBA
Part of subcall function 00E46D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,?,?,?,00E5CF58,?,?,?), ref: 00E46DED

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: ByteCharMultiWide_strlen$ErrorLasthtonsinet_ntoaselect
String ID:
API String ID: 1923757996-0
Opcode ID: 9a1f0c80d0045f18efb7a28e43d7085965f11f8a705b7de630c73d48b5df9bbc
Instruction ID: f4105e690a833c493e9aafd222be081fa7e9d8b48ed26a0404cd611190a861f1
Opcode Fuzzy Hash: 9a1f0c80d0045f18efb7a28e43d7085965f11f8a705b7de630c73d48b5df9bbc
Instruction Fuzzy Hash: 93A1D331604340AFC314DF24D885F6AB7E5AF85318F54A98CF4566B2A3CB32ED46CB92

Function 00E761FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00E682D9,00E682D9,?,?,?,00E7644F,00000001,00000001,?), ref: 00E76258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00E7644F,00000001,00000001,?,?,?,?), ref: 00E762DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00E763D8
__freea.LIBCMT ref: 00E763E5

Part of subcall function 00E73820: RtlAllocateHeap.NTDLL(00000000,?,00F11444,?,00E5FDF5,?,?,00E4A976,00000010,00F11440,00E413FC,?,00E413C6,?,00E41129), ref: 00E73852

__freea.LIBCMT ref: 00E763EE
__freea.LIBCMT ref: 00E76413

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 18246aebe001c43b35eeaa7687d007a59f999b4a7f398e88f72ee94894b76a00
Instruction ID: 90ae7889a8b5f0f0e2f1ec6fbc365116a29fa2849fc69243361c20133a57b950
Opcode Fuzzy Hash: 18246aebe001c43b35eeaa7687d007a59f999b4a7f398e88f72ee94894b76a00
Instruction Fuzzy Hash: A8510272600616BFEB258F64DC81EAF77A9EB84758F249229FC09F6150EB34DC44C760

Function 00ECBBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00E49CB3: _wcslen.LIBCMT ref: 00E49CBD

Part of subcall function 00ECC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00ECB6AE,?,?), ref: 00ECC9B5
Part of subcall function 00ECC998: _wcslen.LIBCMT ref: 00ECC9F1
Part of subcall function 00ECC998: _wcslen.LIBCMT ref: 00ECCA68
Part of subcall function 00ECC998: _wcslen.LIBCMT ref: 00ECCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00ECBCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00ECBD25
RegCloseKey.ADVAPI32(00000000), ref: 00ECBD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00ECBD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00ECBDF3
RegCloseKey.ADVAPI32(?), ref: 00ECBDFF

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 041510a004c22bf3000a359443c0b4637dbd86494c6b5b80a69e8e49b2589c96
Instruction ID: 47eb1c94af0c87e90d23af818d55cfa9468ce928fb1f652e818b50b6ea9e1e11
Opcode Fuzzy Hash: 041510a004c22bf3000a359443c0b4637dbd86494c6b5b80a69e8e49b2589c96
Instruction Fuzzy Hash: 9581A230108241AFC714DF24D585E2ABBE5FF84308F14595DF55AAB2A2CB32ED06CB92

Function 00E9F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 00E9F7B9
SysAllocString.OLEAUT32(00000001), ref: 00E9F860
VariantCopy.OLEAUT32(00E9FA64,00000000), ref: 00E9F889
VariantClear.OLEAUT32(00E9FA64), ref: 00E9F8AD
VariantCopy.OLEAUT32(00E9FA64,00000000), ref: 00E9F8B1
VariantClear.OLEAUT32(?), ref: 00E9F8BB

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 62059b90202953d415ed9a807059ea7066202e0ccbcaa05ebc5c4b30746c2d52
Instruction ID: 450ec3434c5eb298e56546a3b199cca0c54bc77d5d0353a92994bf83758c2b8b
Opcode Fuzzy Hash: 62059b90202953d415ed9a807059ea7066202e0ccbcaa05ebc5c4b30746c2d52
Instruction Fuzzy Hash: EA51B531600310BACF24ABA5D895B69B3E9EF85324B24A467E905FF296DB70CC40C796

Function 00EB910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00E47620: _wcslen.LIBCMT ref: 00E47625

Part of subcall function 00E46B57: _wcslen.LIBCMT ref: 00E46B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 00EB94E5
_wcslen.LIBCMT ref: 00EB9506
_wcslen.LIBCMT ref: 00EB952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00EB9585

Strings

X, xrefs: 00EB9412

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 0e48e35d56684a25aa594b0416d421dc809458c7f4176d0e237f64049a7d2283
Instruction ID: a8b149f197423e1622a18e378fd52fbbdf8282cc479f183d2801d30be547167d
Opcode Fuzzy Hash: 0e48e35d56684a25aa594b0416d421dc809458c7f4176d0e237f64049a7d2283
Instruction Fuzzy Hash: 12E1B0319083008FD724DF24D881AABB7E5FF85314F14996DF999AB2A2DB31DD05CB92

Function 00E5920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00E59BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00E59BB2

BeginPaint.USER32(?,?,?), ref: 00E59241
GetWindowRect.USER32(?,?), ref: 00E592A5
ScreenToClient.USER32(?,?), ref: 00E592C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00E592D3
EndPaint.USER32(?,?,?,?,?), ref: 00E59321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00E971EA

Part of subcall function 00E59339: BeginPath.GDI32(00000000), ref: 00E59357

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 1d4294e9c280fa81eab6007ceb2fee3f67e1a92403cadfb7d4d0faf6bb3427b0
Instruction ID: 363ff46f6508d0a2aa9bcec269e5d88ed3cf95727aefe36ff468b5f91a2d2ae4
Opcode Fuzzy Hash: 1d4294e9c280fa81eab6007ceb2fee3f67e1a92403cadfb7d4d0faf6bb3427b0
Instruction Fuzzy Hash: B741AD30105201EFDB10DF25DC84FEA7BF8FB55765F140629FAA4A72A2C7309849EB61

Function 00EB07EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00EB080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00EB0847
EnterCriticalSection.KERNEL32(?), ref: 00EB0863
LeaveCriticalSection.KERNEL32(?), ref: 00EB08DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 00EB08F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00EB0921

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 254bc63a36f5cc84066a72a54ece0467c017357ca7f21596209bf0723861b8ef
Instruction ID: 919511a540d3421a9d999c9b1631059f5ae623144fd60fbbfea01912a914a7d7
Opcode Fuzzy Hash: 254bc63a36f5cc84066a72a54ece0467c017357ca7f21596209bf0723861b8ef
Instruction Fuzzy Hash: 35417A71900206EFDF14AF54DC85AAB77B8FF44310F1440A9ED04AA2A7DB30EE65DBA0

Function 00ED81DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,00E9F3AB,00000000,?,?,00000000,?,00E9682C,00000004,00000000,00000000), ref: 00ED824C
EnableWindow.USER32(?,00000000), ref: 00ED8272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 00ED82D1
ShowWindow.USER32(?,00000004), ref: 00ED82E5
EnableWindow.USER32(?,00000001), ref: 00ED830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00ED832F

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 5af9e2be6c5f94a45134bcf6d52339766a769359a7f7043a88eb9d773b467daf
Instruction ID: a6b0b1a890bb936de5b01c693d9173578348a4f21f391a5632a78022a34eab7e
Opcode Fuzzy Hash: 5af9e2be6c5f94a45134bcf6d52339766a769359a7f7043a88eb9d773b467daf
Instruction Fuzzy Hash: 1D41C634601644EFDB11CF25DE95BE47BF0FB06718F19626AE6586B3B2CB319846CB40

Function 00EA4C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00EA4C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00EA4CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00EA4CEA
_wcslen.LIBCMT ref: 00EA4D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00EA4D10
_wcsstr.LIBVCRUNTIME ref: 00EA4D1A

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 234b91dec567e51166eb5269a994e19394dea2f4abfb4e0c13a5843eb0e223a0
Instruction ID: faf10d4f2e7820a5b406741725f825797ec148135719de54c3c35dec55a70770
Opcode Fuzzy Hash: 234b91dec567e51166eb5269a994e19394dea2f4abfb4e0c13a5843eb0e223a0
Instruction Fuzzy Hash: 262107B16052017BEB155B39AC0AE7B7BDCDF8A760F10502AF809EE1D1DEA1EC00C2A1

Function 00EB581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00E43AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00E43A97,?,?,00E42E7F,?,?,?,00000000), ref: 00E43AC2

_wcslen.LIBCMT ref: 00EB587B
CoInitialize.OLE32(00000000), ref: 00EB5995
CoCreateInstance.OLE32(00EDFCF8,00000000,00000001,00EDFB68,?), ref: 00EB59AE
CoUninitialize.OLE32 ref: 00EB59CC

Strings

.lnk, xrefs: 00EB5876, 00EB58C1, 00EB5985

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: cf30eff35cfb344b81d1ca51b5ddf31d0d981713cc1ccf01e2524fdede9dd7e8
Instruction ID: efc111af340f888dc017c464b0ad053b320e9fe2f8cf764c41d62032c8b0cebb
Opcode Fuzzy Hash: cf30eff35cfb344b81d1ca51b5ddf31d0d981713cc1ccf01e2524fdede9dd7e8
Instruction Fuzzy Hash: 0ED16472A087019FC714DF24C480A6BBBE1EF89714F14985DF899AB361DB31EC45CB92

Function 00EA175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00EA0FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00EA0FCA
Part of subcall function 00EA0FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00EA0FD6
Part of subcall function 00EA0FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00EA0FE5
Part of subcall function 00EA0FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00EA0FEC
Part of subcall function 00EA0FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00EA1002

GetLengthSid.ADVAPI32(?,00000000,00EA1335), ref: 00EA17AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00EA17BA
HeapAlloc.KERNEL32(00000000), ref: 00EA17C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 00EA17DA
GetProcessHeap.KERNEL32(00000000,00000000,00EA1335), ref: 00EA17EE
HeapFree.KERNEL32(00000000), ref: 00EA17F5

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 45b086bf88dcee8625e626b7714ca2d0df3268a492d03d8667c4b993e6b22f59
Instruction ID: a730db22cb49a51665b7ba171a6345e474ba00baf55a3c1d29c21ab1d3978dc5
Opcode Fuzzy Hash: 45b086bf88dcee8625e626b7714ca2d0df3268a492d03d8667c4b993e6b22f59
Instruction Fuzzy Hash: 9611E131506206FFDB108FA4DC48FAE7BB8EB4B359F20605AF441BB150C731A944CB60

Function 00EA14CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00EA14FF
OpenProcessToken.ADVAPI32(00000000), ref: 00EA1506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00EA1515
CloseHandle.KERNEL32(00000004), ref: 00EA1520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00EA154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00EA1563

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: d281599537196fea392ca71bbfa90361465db7c896bcb64a770b1d4a394fb1f9
Instruction ID: 620e614c07e9cd8a24927c0a678fab361a2a417e3a727b7359f4ee3fe8221be6
Opcode Fuzzy Hash: d281599537196fea392ca71bbfa90361465db7c896bcb64a770b1d4a394fb1f9
Instruction Fuzzy Hash: 1D11897250120AAFDF118FA8ED09BDE3BA9EF49748F144056FA05B60A0C371DE64DB60

Function 00E63382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00E63379,00E62FE5), ref: 00E63390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00E6339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00E633B7
SetLastError.KERNEL32(00000000,?,00E63379,00E62FE5), ref: 00E63409

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 760bb5bbf5e28f65ecf767418523f611f54a98a731783cad0d38e5301ab194e8
Instruction ID: e02629d24045e691c59801bcf201368607c2b4cbedd1fa2aec1a85c3f1efa03f
Opcode Fuzzy Hash: 760bb5bbf5e28f65ecf767418523f611f54a98a731783cad0d38e5301ab194e8
Instruction Fuzzy Hash: 7E01D4326C9312BEEA252775BC8556B2E94EB157F9720232AF520F12F0EF114E16A584

Function 00E72D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00E75686,00E83CD6,?,00000000,?,00E75B6A,?,?,?,?,?,00E6E6D1,?,00F08A48), ref: 00E72D78
_free.LIBCMT ref: 00E72DAB
_free.LIBCMT ref: 00E72DD3
SetLastError.KERNEL32(00000000,?,?,?,?,00E6E6D1,?,00F08A48,00000010,00E44F4A,?,?,00000000,00E83CD6), ref: 00E72DE0
SetLastError.KERNEL32(00000000,?,?,?,?,00E6E6D1,?,00F08A48,00000010,00E44F4A,?,?,00000000,00E83CD6), ref: 00E72DEC
_abort.LIBCMT ref: 00E72DF2

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: e402ab0083cb0ef9a009b897f59d3a6bf66e6ccb54d79975a336e564c89dd3a9
Instruction ID: f4f44b87e7a7f2cad65053029bfcf22b073f2c3f642cc767a77613655dc20213
Opcode Fuzzy Hash: e402ab0083cb0ef9a009b897f59d3a6bf66e6ccb54d79975a336e564c89dd3a9
Instruction Fuzzy Hash: F1F028319056013BC6322339BC06E5A26A9AFC17A4F34E11DFB2CB21E6EF2088825260

Function 00ED8A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00E59639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00E59693
Part of subcall function 00E59639: SelectObject.GDI32(?,00000000), ref: 00E596A2
Part of subcall function 00E59639: BeginPath.GDI32(?), ref: 00E596B9
Part of subcall function 00E59639: SelectObject.GDI32(?,00000000), ref: 00E596E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00ED8A4E
LineTo.GDI32(?,00000003,00000000), ref: 00ED8A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00ED8A70
LineTo.GDI32(?,00000000,00000003), ref: 00ED8A80
EndPath.GDI32(?), ref: 00ED8A90
StrokePath.GDI32(?), ref: 00ED8AA0

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 92811e0ce3a2b15a05f74afbbe62621b5e33b1af4d5697fa722a79b229afbf88
Instruction ID: 3d8d872bbe340496467df8325d04dcae833a2bf500abad9110ff38416d0d15c4
Opcode Fuzzy Hash: 92811e0ce3a2b15a05f74afbbe62621b5e33b1af4d5697fa722a79b229afbf88
Instruction Fuzzy Hash: 9511097600114DFFDF129F91EC88EEA7F6CEB08394F108012BA19AA1A1C7719D59DBA0

Function 00EA51FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00EA5218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00EA5229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00EA5230
ReleaseDC.USER32(00000000,00000000), ref: 00EA5238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 00EA524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00EA5261

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 7e6cacf4d2f4e7872cb65bbdbaceb291baddaf895ab6bb396414af7fcd189048
Instruction ID: 5ee6e5e43251f6c8ee21dd1dbc540f1468e018313bd64d945987c263a9ebe22b
Opcode Fuzzy Hash: 7e6cacf4d2f4e7872cb65bbdbaceb291baddaf895ab6bb396414af7fcd189048
Instruction Fuzzy Hash: 49018F75A01719BFEB109BA69C49B4EBFB8EF48751F144066FA04BB290D6709804CBA0

Function 00E41BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00E41BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00E41BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00E41C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00E41C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00E41C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00E41C22

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: f2c31b82b125c18e0bd3086d108db1b0c7c5801e9966e094baafa347a8979dcb
Instruction ID: 2e5cb0a1c8bee41dca7816845741dd2ec213c222263cda0caf1d0ddbc3b1d28e
Opcode Fuzzy Hash: f2c31b82b125c18e0bd3086d108db1b0c7c5801e9966e094baafa347a8979dcb
Instruction Fuzzy Hash: 46016CB090275A7DE3008F5A8C85B52FFA8FF19754F00411B915C47941C7F5A864CBE5

Function 00EAEB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00EAEB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00EAEB46
GetWindowThreadProcessId.USER32(?,?), ref: 00EAEB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00EAEB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00EAEB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00EAEB75

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: e4268b1669d5fc7ef357529e9ed540a846981f4a7a119c641700315fedf604ac
Instruction ID: 150cd661603dbfd7cf676f9841ff766ae6dbcb98c4eb4d3ad65efa942c1276ed
Opcode Fuzzy Hash: e4268b1669d5fc7ef357529e9ed540a846981f4a7a119c641700315fedf604ac
Instruction Fuzzy Hash: CFF06D72142129BFEA205B53AC0DEAF3B7CEBCAF51F10015AF611E109097A05A05C6B5

Function 00E97439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00E97452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00E97469
GetWindowDC.USER32(?), ref: 00E97475
GetPixel.GDI32(00000000,?,?), ref: 00E97484
ReleaseDC.USER32(?,00000000), ref: 00E97496
GetSysColor.USER32(00000005), ref: 00E974B0

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: f2e48a5e8a203443d3c33271ce0f9735b5c93dfd994dafb16a654df9d47eecf3
Instruction ID: 6b1abf6515557d62da2d50c6614d7234559e2bc744a6dd33fd0f560afca48da2
Opcode Fuzzy Hash: f2e48a5e8a203443d3c33271ce0f9735b5c93dfd994dafb16a654df9d47eecf3
Instruction Fuzzy Hash: EC018B31405216EFDB105FA5EC08BEE7BB6FB04751F210161F925B21A1CB311E49EB51

Function 00EA1874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00EA187F
UnloadUserProfile.USERENV(?,?), ref: 00EA188B
CloseHandle.KERNEL32(?), ref: 00EA1894
CloseHandle.KERNEL32(?), ref: 00EA189C
GetProcessHeap.KERNEL32(00000000,?), ref: 00EA18A5
HeapFree.KERNEL32(00000000), ref: 00EA18AC

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 715406c03e5c085824a071c9258aaedfa3a43c1dddc250e49885c144f7f14695
Instruction ID: d614da822dc974fa651dc61df538268893f676eacd53a44d8fa61df08f34cb84
Opcode Fuzzy Hash: 715406c03e5c085824a071c9258aaedfa3a43c1dddc250e49885c144f7f14695
Instruction Fuzzy Hash: 4BE0ED36046112FFDB016FA2FD0C905BF39FF497627208222F225A10B1CB325464DF50

Function 00EC7B7E Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00E60242: EnterCriticalSection.KERNEL32(00F1070C,00F11884,?,?,00E5198B,00F12518,?,?,?,00E412F9,00000000), ref: 00E6024D
Part of subcall function 00E60242: LeaveCriticalSection.KERNEL32(00F1070C,?,00E5198B,00F12518,?,?,?,00E412F9,00000000), ref: 00E6028A

Part of subcall function 00E49CB3: _wcslen.LIBCMT ref: 00E49CBD

Part of subcall function 00E600A3: __onexit.LIBCMT ref: 00E600A9

__Init_thread_footer.LIBCMT ref: 00EC7BFB

Part of subcall function 00E601F8: EnterCriticalSection.KERNEL32(00F1070C,?,?,00E58747,00F12514), ref: 00E60202
Part of subcall function 00E601F8: LeaveCriticalSection.KERNEL32(00F1070C,?,00E58747,00F12514), ref: 00E60235

Strings

+T, xrefs: 00EC7E2E
Variable must be of type 'Object'., xrefs: 00EC7C3A
5, xrefs: 00EC7C78
G, xrefs: 00EC7C7F

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: +T$5$G$Variable must be of type 'Object'.
API String ID: 535116098-4125810065
Opcode ID: dbe3864bf993556a72dbc435e017635fff988c9dff5b0e257e4dc99fafa0cb0e
Instruction ID: 10eb7524a06a5a67d28265376f074236a43182abe8de1e3c9cfc2b4e1cdba1f7
Opcode Fuzzy Hash: dbe3864bf993556a72dbc435e017635fff988c9dff5b0e257e4dc99fafa0cb0e
Instruction Fuzzy Hash: 2F916C70A04209AFCB14EF54DA91EADBBB1AF49304F14905DF8467B292DB32AE42DB51

Function 00EAC5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E47620: _wcslen.LIBCMT ref: 00E47625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00EAC6EE
_wcslen.LIBCMT ref: 00EAC735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00EAC79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00EAC7CA

Strings

0, xrefs: 00EAC6AF

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 1c18eba0ae74d1bb01005691d7b105480505f1144781ecfb6fb10b5ec3eaaf5d
Instruction ID: cbc50b5b6453b23a3a1e6e7a0336678204d605d018395e37335225295087895a
Opcode Fuzzy Hash: 1c18eba0ae74d1bb01005691d7b105480505f1144781ecfb6fb10b5ec3eaaf5d
Instruction Fuzzy Hash: 2351F1716043019BD715DF38C845BAB77E4AF8E318F242A2AF991FB190DB60E844CF92

Function 00ECAD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 00ECAEA3

Part of subcall function 00E47620: _wcslen.LIBCMT ref: 00E47625

GetProcessId.KERNEL32(00000000), ref: 00ECAF38
CloseHandle.KERNEL32(00000000), ref: 00ECAF67

Strings

<, xrefs: 00ECAE6B
@, xrefs: 00ECAE72

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 718ab0be92067c34ef975ceafcb9c407074784871bf4bf28c79ce06a66bba878
Instruction ID: be7966c8a278d4893d5704f8a0107b02a26ef6b9975dee78fced07550e577778
Opcode Fuzzy Hash: 718ab0be92067c34ef975ceafcb9c407074784871bf4bf28c79ce06a66bba878
Instruction Fuzzy Hash: 7F715470A002199FCB14DF54D584A9EBBF1EF08318F0894ADE856BB352CB35ED46CB91

Function 00EA719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00EA7206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00EA723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00EA724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00EA72CF

Strings

DllGetClassObject, xrefs: 00EA7242

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 4f028085f7fdb0b7a35351b5efafca64da0cf17e9a8bda4de1e5ac6f21c51942
Instruction ID: 977ad8cc838fc0e221e033bbc923bb2a4ae59e945a5346e7ca7e94f7752afa8f
Opcode Fuzzy Hash: 4f028085f7fdb0b7a35351b5efafca64da0cf17e9a8bda4de1e5ac6f21c51942
Instruction Fuzzy Hash: D5418EB1604204AFDB15CF54CC84B9A7BB9EF49314F2490AABD45EF21AD7B0E945CBA0

Function 00ED3D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00ED3E35
IsMenu.USER32(?), ref: 00ED3E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00ED3E92
DrawMenuBar.USER32 ref: 00ED3EA5

Strings

0, xrefs: 00ED3D89

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: 89dd0c6610d5b7896fd7e017023fb927689fe4c993ba2fe0caa38c8993cb43ed
Instruction ID: fc1d7419be2efa0cd654330377cb68e221dd8fd4654fc2a707edc2fd3b4fff32
Opcode Fuzzy Hash: 89dd0c6610d5b7896fd7e017023fb927689fe4c993ba2fe0caa38c8993cb43ed
Instruction Fuzzy Hash: 2A416875A01309AFDB10DF60E884AEABBB9FF48354F04512AED05A7390D730AE46CF51

Function 00EA1DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E49CB3: _wcslen.LIBCMT ref: 00E49CBD

Part of subcall function 00EA3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00EA3CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00EA1E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00EA1E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 00EA1EA9

Part of subcall function 00E46B57: _wcslen.LIBCMT ref: 00E46B6A

Strings

ListBox, xrefs: 00EA1E25
ComboBox, xrefs: 00EA1DF0

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: c894ab1defa42a06ceb06a4b2f30949d772330ece2aca0882e4f93ba53e304f1
Instruction ID: dacf1ac69f920cf170e19436c7e464cbcfd6e8a580e21d2cb6399e3df644d4cc
Opcode Fuzzy Hash: c894ab1defa42a06ceb06a4b2f30949d772330ece2aca0882e4f93ba53e304f1
Instruction Fuzzy Hash: 24212771A00104BEDB14AB64EC46CFFBBF9DF4A3A4F10A119F825BB1E1DB346909D621

Function 00ECC9EA Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 91COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00ECC9F1
_wcslen.LIBCMT ref: 00ECCA68
_wcslen.LIBCMT ref: 00ECCA9E
_wcslen.LIBCMT ref: 00ECCAF9
_wcslen.LIBCMT ref: 00ECCB2F
_wcslen.LIBCMT ref: 00ECCB7F

Strings

HKEY_LOCAL_MACHINE, xrefs: 00ECCA62, 00ECCA67
HKLM, xrefs: 00ECCA98, 00ECCA9D

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: _wcslen
String ID: HKEY_LOCAL_MACHINE$HKLM
API String ID: 176396367-4004644295
Opcode ID: 67df58650428ff65378e999df8095ba634c22de45a42510152ed6121c00981be
Instruction ID: da72670da219dcfd00e0bc09db94905488c909a6584d5fc174a524776522748f
Opcode Fuzzy Hash: 67df58650428ff65378e999df8095ba634c22de45a42510152ed6121c00981be
Instruction Fuzzy Hash: D9314D73A4016E4BCB20EF2C9A44ABF33915BA1748F25601DE85F7B285E673CD42D3A0

Function 00ED2F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00ED2F8D
LoadLibraryW.KERNEL32(?), ref: 00ED2F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00ED2FA9
DestroyWindow.USER32(?), ref: 00ED2FB1

Strings

SysAnimate32, xrefs: 00ED2F68

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 9349e014e0ce185d58f7e3685ac2ab1c88fca2f51a8ecaf3a2c6cf7fda0ecd43
Instruction ID: b71acb02d47604ac5bd48fb0be1ee07bfae6c61e0688dfc2a78c68a40d7f74ba
Opcode Fuzzy Hash: 9349e014e0ce185d58f7e3685ac2ab1c88fca2f51a8ecaf3a2c6cf7fda0ecd43
Instruction Fuzzy Hash: 2C219F71204205AFEB104F64DC80EBB37B9EB69368F106A1EFA50F2290D772DC52A760

Function 00E64D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00E64D1E,00E728E9,(,00E64CBE,00000000,00F088B8,0000000C,00E64E15,(,00000002), ref: 00E64D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00E64DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00E64D1E,00E728E9,(,00E64CBE,00000000,00F088B8,0000000C,00E64E15,(,00000002,00000000), ref: 00E64DC3

Strings

mscoree.dll, xrefs: 00E64D86
CorExitProcess, xrefs: 00E64D98

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 961263a0705ac434497514321bf30bba9a01d767c6c041685291de66b7b8a5d8
Instruction ID: c7322128ec536831a87c3b8e78fd65c9853a6815767fe1da06cd6706fb20e3f2
Opcode Fuzzy Hash: 961263a0705ac434497514321bf30bba9a01d767c6c041685291de66b7b8a5d8
Instruction Fuzzy Hash: A7F0AF74A41219BFDB109F91EC09BAEBBB8EF44795F1001A5F805B22A0CF705984DA91

Function 00E44E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00E44EDD,?,00F11418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00E44E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00E44EAE
FreeLibrary.KERNEL32(00000000,?,?,00E44EDD,?,00F11418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00E44EC0

Strings

kernel32.dll, xrefs: 00E44E94
Wow64DisableWow64FsRedirection, xrefs: 00E44EA8

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 0d49e1595c5238e619a4dec6f29f2cc96fdf1d5d982c0dea5d696a144cfc7cf5
Instruction ID: a5b8a858ae6d76e5c5b7353a520cca2b82410db50d34fdd949574660c2285df4
Opcode Fuzzy Hash: 0d49e1595c5238e619a4dec6f29f2cc96fdf1d5d982c0dea5d696a144cfc7cf5
Instruction Fuzzy Hash: BFE08635B036339FD22117267C1CB6F6668EF81BA67151117FC00F6290DF60CD06C0A2

Function 00E44E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00E83CDE,?,00F11418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00E44E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00E44E74
FreeLibrary.KERNEL32(00000000,?,?,00E83CDE,?,00F11418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00E44E87

Strings

kernel32.dll, xrefs: 00E44E5B
Wow64RevertWow64FsRedirection, xrefs: 00E44E6E

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 685e76d49d0c0599f32aa529235d4e99c93b12f77d4b7a7161479d0591f630fd
Instruction ID: cf264d2b584d901d701e47c044a955c78ba24434dc9bca83246cba6c233affbc
Opcode Fuzzy Hash: 685e76d49d0c0599f32aa529235d4e99c93b12f77d4b7a7161479d0591f630fd
Instruction Fuzzy Hash: BED0C231A036335B8B221B267C08E8F6B2CEF81B953151613B800F7194CF20CD02C1D1

Function 00EB2947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00EB2C05
DeleteFileW.KERNEL32(?), ref: 00EB2C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00EB2C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00EB2CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00EB2CC0

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 95a36060bf5feb59e1f08f63f5a078b33fafc603a065afaf34a06bb71e73b487
Instruction ID: 74df4bf540242c12a642b7919f6b0f7ff8dd6a1e75fc6ea64051c57a71125987
Opcode Fuzzy Hash: 95a36060bf5feb59e1f08f63f5a078b33fafc603a065afaf34a06bb71e73b487
Instruction Fuzzy Hash: 0FB13A72A01119ABDF21DFA4DC85EDFBBBDEF48350F1050AAF609F6151EA309A448F61

Function 00ECA387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00ECA427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00ECA435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00ECA468
CloseHandle.KERNEL32(?), ref: 00ECA63D

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 1e6fc5d244821b5e4c7c3faf44417a140b9f242c209cff43032801192a9e3561
Instruction ID: e81242b043f1189b3a933e80154d22d4634f8b5ed72fe5fa2b9d69a330efe4b1
Opcode Fuzzy Hash: 1e6fc5d244821b5e4c7c3faf44417a140b9f242c209cff43032801192a9e3561
Instruction Fuzzy Hash: 8DA1C1716043009FD720DF24D986F2AB7E1AF84718F18985DF95AAB392D771EC05CB82

Function 00EAE3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00EADDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00EACF22,?), ref: 00EADDFD

Part of subcall function 00EADDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00EACF22,?), ref: 00EADE16

Part of subcall function 00EAE199: GetFileAttributesW.KERNEL32(?,00EACF95), ref: 00EAE19A

lstrcmpiW.KERNEL32(?,?), ref: 00EAE473
MoveFileW.KERNEL32(?,?), ref: 00EAE4AC
_wcslen.LIBCMT ref: 00EAE5EB
_wcslen.LIBCMT ref: 00EAE603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 00EAE650

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 4fffc37df1ad8ea38d65ad114a0e2a98afd416b9b4214b492b98ae7630fc1d26
Instruction ID: c9b7f0c46393860761603c79110719b1bb92513c94719fdaa37aa6efa8532d7b
Opcode Fuzzy Hash: 4fffc37df1ad8ea38d65ad114a0e2a98afd416b9b4214b492b98ae7630fc1d26
Instruction Fuzzy Hash: C25193B24083459BC724DB94EC819DBB3ECAF99344F10191EF589E7192EF34B5888766

Function 00ECB9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00E49CB3: _wcslen.LIBCMT ref: 00E49CBD

Part of subcall function 00ECC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00ECB6AE,?,?), ref: 00ECC9B5
Part of subcall function 00ECC998: _wcslen.LIBCMT ref: 00ECC9F1
Part of subcall function 00ECC998: _wcslen.LIBCMT ref: 00ECCA68
Part of subcall function 00ECC998: _wcslen.LIBCMT ref: 00ECCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00ECBAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00ECBB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00ECBB63
RegCloseKey.ADVAPI32(?,?), ref: 00ECBBA6
RegCloseKey.ADVAPI32(00000000), ref: 00ECBBB3

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: ed70b07f19392b05eaaf879fc978ddf3c07f8d656895a689dab2052be7e3e45d
Instruction ID: f7a88e900281ebca27ea71c7c6157301807f4f352db61dad3aea93e297cadce8
Opcode Fuzzy Hash: ed70b07f19392b05eaaf879fc978ddf3c07f8d656895a689dab2052be7e3e45d
Instruction Fuzzy Hash: D461B131208241AFC314DF14C591F2ABBE5FF84308F14955DF499AB2A2CB32ED46CB92

Function 00EA8BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00EA8BCD
VariantClear.OLEAUT32 ref: 00EA8C3E
VariantClear.OLEAUT32 ref: 00EA8C9D
VariantClear.OLEAUT32(?), ref: 00EA8D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00EA8D3B

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: b5d9c4d64393562bfe1e18aeb4b37633a2d4b5d9a6cd036990f6e7be2eaad840
Instruction ID: 13939e7ca9ba1c99436b7c5c30617b2c4f2268f0300e26e00f23936bae498ed8
Opcode Fuzzy Hash: b5d9c4d64393562bfe1e18aeb4b37633a2d4b5d9a6cd036990f6e7be2eaad840
Instruction Fuzzy Hash: 0A5169B5A0021AEFCB14CF68D894AAAB7F8FF8D314B158559E915EB350E730E911CF90

Function 00EB8AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00EB8BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00EB8BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00EB8C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00EB8C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00EB8C5F

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: bcecbba4f759db6ed72fd0e5da7a1f79a939ecde6221ee6e321b82b5e1fa7450
Instruction ID: 9b077bf75f593496199fbb27c5c5b8fe5cc4b25e052cb51899ce243178fe6e66
Opcode Fuzzy Hash: bcecbba4f759db6ed72fd0e5da7a1f79a939ecde6221ee6e321b82b5e1fa7450
Instruction Fuzzy Hash: F0516835A00215AFCB00DF64D881AAEBBF5FF48314F089459E849AB362CB35ED41CF91

Function 00EC8EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00EC8F40
GetProcAddress.KERNEL32(00000000,?), ref: 00EC8FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00EC8FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00EC9032
FreeLibrary.KERNEL32(00000000), ref: 00EC9052

Part of subcall function 00E5F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00EB1043,?,753CE610), ref: 00E5F6E6
Part of subcall function 00E5F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00E9FA64,00000000,00000000,?,?,00EB1043,?,753CE610,?,00E9FA64), ref: 00E5F70D

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: a9437bddb9d00975fa404fa061da138d040e1843e1dc5349fd015219b69662b7
Instruction ID: aa355bd4e8cb84cb994bc38e46ae54be88ef8ad67cdfa28c280b8574e26525e6
Opcode Fuzzy Hash: a9437bddb9d00975fa404fa061da138d040e1843e1dc5349fd015219b69662b7
Instruction Fuzzy Hash: 3C514934601245DFC715DF58C685DADBBF1FF49314B0490A9E80AAB362DB32ED86CB90

Function 00ED6B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00ED6C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00ED6C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00ED6C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,00EBAB79,00000000,00000000), ref: 00ED6C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00ED6CC7

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: cd24e5426c96d44d4a7f8b964efee2fc7fa0d45c1b4c2f3f8fb3eb07190b31d9
Instruction ID: 799f39137f5f52045aecca97fab1c80b62ce69a3fc543ed0ffc5c003a9d17f9f
Opcode Fuzzy Hash: cd24e5426c96d44d4a7f8b964efee2fc7fa0d45c1b4c2f3f8fb3eb07190b31d9
Instruction Fuzzy Hash: 5E41F235A10104AFDB24CF28CD58FE9BBA5EB09364F15122AF999B73E0C371ED42DA40

Function 00E72051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00E720C3
_free.LIBCMT ref: 00E720E3

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 64f8b19f632615cf1a276ba881ab003d14d69f53de49c0016f29dd456f6d3117
Instruction ID: cd7e69a10f852b5aab075beab2ad2d339550c3e0b27d0774d95a3b93812abff3
Opcode Fuzzy Hash: 64f8b19f632615cf1a276ba881ab003d14d69f53de49c0016f29dd456f6d3117
Instruction Fuzzy Hash: 2141D032A002049FCB24DF78C881A5AB3E5EF89714F1595ACEA19FB391DA31AD01CB91

Function 00E5912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00E59141
ScreenToClient.USER32(00000000,?), ref: 00E5915E
GetAsyncKeyState.USER32(00000001), ref: 00E59183
GetAsyncKeyState.USER32(00000002), ref: 00E5919D

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 76d069d338b80cf55d25338acacce8cfde2718ba0fec15de47143e74676e0f7a
Instruction ID: baf4d275da3b464599714efb5dfd114e718788abab21433b877a6f279035e678
Opcode Fuzzy Hash: 76d069d338b80cf55d25338acacce8cfde2718ba0fec15de47143e74676e0f7a
Instruction Fuzzy Hash: 6C41AE31A0961AEBCF059F65C844BEEB7B4FB05324F20961AE865B3291C7306D58CB91

Function 00EB3874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00EB38CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00EB3922
TranslateMessage.USER32(?), ref: 00EB394B
DispatchMessageW.USER32(?), ref: 00EB3955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00EB3966

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: dc01d18e4c4d446e3876b5eb96921b573e6120377a83fe4a74e6a56e34579d24
Instruction ID: c6728e7153dd4feb5041d68c68f5db282ea6e8817dee8268f75e6e9e142d2f22
Opcode Fuzzy Hash: dc01d18e4c4d446e3876b5eb96921b573e6120377a83fe4a74e6a56e34579d24
Instruction Fuzzy Hash: 1131F770504346AEEB35CB35AC4ABF737A8EB45308F14556EE562F20E4E7B0A684DB11

Function 00EBCF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,00EBC21E,00000000), ref: 00EBCF38
InternetReadFile.WININET(?,00000000,?,?), ref: 00EBCF6F
GetLastError.KERNEL32(?,00000000,?,?,?,00EBC21E,00000000), ref: 00EBCFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,00EBC21E,00000000), ref: 00EBCFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,00EBC21E,00000000), ref: 00EBCFF2

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 311d0d149cdee145417f6af41d4ebe06f22a7fd64144194d33a733109625ba5a
Instruction ID: ebd7083ffc46257bbc1cc54fab4837c6c59a6fdefd3c0d55717972259e33a59b
Opcode Fuzzy Hash: 311d0d149cdee145417f6af41d4ebe06f22a7fd64144194d33a733109625ba5a
Instruction Fuzzy Hash: AC317F71608206AFDB20DFA5D884AFBBBF9EB04355B20546EF506F2110DB30ED44DB60

Function 00EA1901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00EA1915
PostMessageW.USER32(00000001,00000201,00000001), ref: 00EA19C1
Sleep.KERNEL32(00000000,?,?,?), ref: 00EA19C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 00EA19DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 00EA19E2

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: abbb4e803998ab71ff554713817aab1b2926695a6e3632324af8e15125375e15
Instruction ID: 9ae2c9aff18c90bc5f528b2adfab5caa044e1170d5e16431cf0b92fc0fdb2b60
Opcode Fuzzy Hash: abbb4e803998ab71ff554713817aab1b2926695a6e3632324af8e15125375e15
Instruction Fuzzy Hash: 7931BF71A00219EFCB00CFA8DD99ADE3BB5EB49319F105269F921BB2D1C770A944CB91

Function 00ED5706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00ED5745
SendMessageW.USER32(?,00001074,?,00000001), ref: 00ED579D
_wcslen.LIBCMT ref: 00ED57AF
_wcslen.LIBCMT ref: 00ED57BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00ED5816

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 7853552fc24abcfea64eb0c5ac2e4d8574659fcff593a9d0fdde61b70bbf8ef4
Instruction ID: 28abeefc88f35858909d67efaf2f1050308fd46c2695c9a7c6265eae038dc50d
Opcode Fuzzy Hash: 7853552fc24abcfea64eb0c5ac2e4d8574659fcff593a9d0fdde61b70bbf8ef4
Instruction Fuzzy Hash: 4A218272904618DADB209FA4DC85AEE77B8FF44764F109217F929FA2C0D7708986CF51

Function 00EC0930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00EC0951
GetForegroundWindow.USER32 ref: 00EC0968
GetDC.USER32(00000000), ref: 00EC09A4
GetPixel.GDI32(00000000,?,00000003), ref: 00EC09B0
ReleaseDC.USER32(00000000,00000003), ref: 00EC09E8

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 3d5ec06e6be6a2ec547238e01b0d41292d55be7854571635f366bf40965ef50d
Instruction ID: 850208b914a90bea2fc945abd24a45b807ec483a6b797e2048a9e1ebefe1b1ad
Opcode Fuzzy Hash: 3d5ec06e6be6a2ec547238e01b0d41292d55be7854571635f366bf40965ef50d
Instruction Fuzzy Hash: D5216F35600214AFD704EF65D984AAFBBF9EF84740F14806DE85AA7752CB34EC05CB90

Function 00E7CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00E7CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00E7CDE9

Part of subcall function 00E73820: RtlAllocateHeap.NTDLL(00000000,?,00F11444,?,00E5FDF5,?,?,00E4A976,00000010,00F11440,00E413FC,?,00E413C6,?,00E41129), ref: 00E73852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00E7CE0F
_free.LIBCMT ref: 00E7CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00E7CE31

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 8e211bed2e476e3251588a7bedc831112cb66962ebc9b52ff9bccfb33699438e
Instruction ID: 2bc6deab2bb7af8136acedee3283433536b9666fe269d0baed958d564dc1eb13
Opcode Fuzzy Hash: 8e211bed2e476e3251588a7bedc831112cb66962ebc9b52ff9bccfb33699438e
Instruction Fuzzy Hash: B701D8726026157F272116B76C48C7F6B6DDFC6BA5335912EFA0DF7100DA608D0281B1

Function 00E59639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00E59693
SelectObject.GDI32(?,00000000), ref: 00E596A2
BeginPath.GDI32(?), ref: 00E596B9
SelectObject.GDI32(?,00000000), ref: 00E596E2

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 02d8046ec9496c37e41cfc7a31732ca4a9a44cd749eac77ec1b447dd00859b99
Instruction ID: 96edd93b0ff5e1762962b1063070f3ed5d6b03a05127e4a10152ee35680e4a56
Opcode Fuzzy Hash: 02d8046ec9496c37e41cfc7a31732ca4a9a44cd749eac77ec1b447dd00859b99
Instruction Fuzzy Hash: CD217F7080230AEFDB119F25EC157E97BB9FB0039AF518616F920B61A1D3B4589DEF90

Function 00EA5711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00EA5726
_memcmp.LIBVCRUNTIME ref: 00EA5744
_memcmp.LIBVCRUNTIME ref: 00EA5757
_memcmp.LIBVCRUNTIME ref: 00EA576F
_memcmp.LIBVCRUNTIME ref: 00EA5787

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 4623e1739c9d2d9416b92bf413b6ed4ce56eae1b2a4949f867b583ac571056a9
Instruction ID: 7cd66e6c8aa6c6658acfb82ecf304b474b2c4f2f2ee5da72dfcea1b05c795d9e
Opcode Fuzzy Hash: 4623e1739c9d2d9416b92bf413b6ed4ce56eae1b2a4949f867b583ac571056a9
Instruction Fuzzy Hash: 5E019663681B15FAD21896109D42EFA639CDB263A8B046423FD16BE741F760FD2182A4

Function 00E72DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00E6F2DE,00E73863,00F11444,?,00E5FDF5,?,?,00E4A976,00000010,00F11440,00E413FC,?,00E413C6), ref: 00E72DFD
_free.LIBCMT ref: 00E72E32
_free.LIBCMT ref: 00E72E59
SetLastError.KERNEL32(00000000,00E41129), ref: 00E72E66
SetLastError.KERNEL32(00000000,00E41129), ref: 00E72E6F

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 451b0e8758167728a1ec146d160ef447aa1d2f15f98bde7b42a1efc58b2fb1ea
Instruction ID: 19c694f109b8a64850f39f713806696a292162cfa5efd4de4476ca35cfdaec15
Opcode Fuzzy Hash: 451b0e8758167728a1ec146d160ef447aa1d2f15f98bde7b42a1efc58b2fb1ea
Instruction Fuzzy Hash: 2D01F4326056017BCA1327357C45D6B2699EBC57A9B34E12DFA2DB22D7EF608C455120

Function 00EA000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00E9FF41,80070057,?,?,?,00EA035E), ref: 00EA002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00E9FF41,80070057,?,?), ref: 00EA0046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00E9FF41,80070057,?,?), ref: 00EA0054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00E9FF41,80070057,?), ref: 00EA0064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00E9FF41,80070057,?,?), ref: 00EA0070

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 96121ec54e96c2ce0623c10d480e5f7ad02d8d1ccccee6345f4d8435bf5f95ca
Instruction ID: 7444c391303644cf44aa893cc0f81cbe286243414928a68390714c92e92bf72a
Opcode Fuzzy Hash: 96121ec54e96c2ce0623c10d480e5f7ad02d8d1ccccee6345f4d8435bf5f95ca
Instruction Fuzzy Hash: 0E01DF76601205BFDB114F69EC84FAA7BAEEB48391F205525F901FA210D770ED04EBA0

Function 00EAE97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 00EAE997
QueryPerformanceFrequency.KERNEL32(?), ref: 00EAE9A5
Sleep.KERNEL32(00000000), ref: 00EAE9AD
QueryPerformanceCounter.KERNEL32(?), ref: 00EAE9B7
Sleep.KERNEL32 ref: 00EAE9F3

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: f9a13e6ec150ada6519e59df6a1252185b470ecd992cbc07d43dc29173e75878
Instruction ID: e3d63f35112c54a2666c8e82089d6d7e4d206e70a9d1a55f17bfa369f46f7330
Opcode Fuzzy Hash: f9a13e6ec150ada6519e59df6a1252185b470ecd992cbc07d43dc29173e75878
Instruction Fuzzy Hash: 59011E31C02629DBCF049BE5E8596DEBBB8FB4E701F101596D502B6251CB30A555C761

Function 00EA10F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00EA1114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00EA0B9B,?,?,?), ref: 00EA1120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00EA0B9B,?,?,?), ref: 00EA112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00EA0B9B,?,?,?), ref: 00EA1136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00EA114D

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 31454a0a9608b3db796ffc5d33f8fc8f3d3ff7ca17912d6e98bb23ef8a9baadf
Instruction ID: 47d7a2c050437b53b17b8c7ff0b2009dba360d369c0c3795d0176d19cc3eef03
Opcode Fuzzy Hash: 31454a0a9608b3db796ffc5d33f8fc8f3d3ff7ca17912d6e98bb23ef8a9baadf
Instruction Fuzzy Hash: 4A016D75102216BFDB114F65EC49A6A3B7EEF8A3A4B200456FA41E7350DA31DC40DA60

Function 00EA0FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00EA0FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00EA0FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00EA0FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00EA0FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00EA1002

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 02ff084c8d1b68331c6aa745fc8bd3d8b14f42a238fe9d2d0555106af9166e73
Instruction ID: 7c77fcc91fead49e183515841903845c7a65768db442f8b3c8d980066b8ca2d7
Opcode Fuzzy Hash: 02ff084c8d1b68331c6aa745fc8bd3d8b14f42a238fe9d2d0555106af9166e73
Instruction Fuzzy Hash: B1F0C235102312EFD7210FA5EC8DF563B6EEF8A7A1F210455F905EB290CA30EC40CA60

Function 00EA1014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00EA102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00EA1036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00EA1045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00EA104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00EA1062

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 18516ab73edff971aeb3cb4e5f38c300e2424b85c7d698aa45adb3b07ecd351a
Instruction ID: 46cb90a7561caadf5b62cc306215be335a7b23694a0d98121feeb7d4df6a8802
Opcode Fuzzy Hash: 18516ab73edff971aeb3cb4e5f38c300e2424b85c7d698aa45adb3b07ecd351a
Instruction Fuzzy Hash: 11F0C235102312EFD7211FA5EC48F563B6DEF8A7A1F200455F905EB290CA70E840DA60

Function 00EB030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,00EB017D,?,00EB32FC,?,00000001,00E82592,?), ref: 00EB0324
CloseHandle.KERNEL32(?,?,?,?,00EB017D,?,00EB32FC,?,00000001,00E82592,?), ref: 00EB0331
CloseHandle.KERNEL32(?,?,?,?,00EB017D,?,00EB32FC,?,00000001,00E82592,?), ref: 00EB033E
CloseHandle.KERNEL32(?,?,?,?,00EB017D,?,00EB32FC,?,00000001,00E82592,?), ref: 00EB034B
CloseHandle.KERNEL32(?,?,?,?,00EB017D,?,00EB32FC,?,00000001,00E82592,?), ref: 00EB0358
CloseHandle.KERNEL32(?,?,?,?,00EB017D,?,00EB32FC,?,00000001,00E82592,?), ref: 00EB0365

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: f426876a7d5014a6726304705876ebb49322127cf1dce596496e5d73ae446639
Instruction ID: 78392f5885e1dd9961208f84140a4a92bd5d30d7fb00fb11d704c16a696bcd54
Opcode Fuzzy Hash: f426876a7d5014a6726304705876ebb49322127cf1dce596496e5d73ae446639
Instruction Fuzzy Hash: 8F019872801B159FCB30AF66D890857FBF9BF602193159A3FD19662931C7B1B998CE80

Function 00E7D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00E7D752

Part of subcall function 00E729C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00E7D7D1,00000000,00000000,00000000,00000000,?,00E7D7F8,00000000,00000007,00000000,?,00E7DBF5,00000000), ref: 00E729DE
Part of subcall function 00E729C8: GetLastError.KERNEL32(00000000,?,00E7D7D1,00000000,00000000,00000000,00000000,?,00E7D7F8,00000000,00000007,00000000,?,00E7DBF5,00000000,00000000), ref: 00E729F0

_free.LIBCMT ref: 00E7D764
_free.LIBCMT ref: 00E7D776
_free.LIBCMT ref: 00E7D788
_free.LIBCMT ref: 00E7D79A

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 89767dfb9f3cf4f79e66ec8e3085421ecaa4f5182c64b26ebf1a35078788a09f
Instruction ID: 0f2aa021962741d8a21089b66f5c351f36036ac5fd86597201046be43c65df55
Opcode Fuzzy Hash: 89767dfb9f3cf4f79e66ec8e3085421ecaa4f5182c64b26ebf1a35078788a09f
Instruction Fuzzy Hash: 8AF0F4325442086BC615EB78FDC5C167BEDBF84714B98A90AF24DF7541C720FC8057A4

Function 00EA5C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00EA5C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00EA5C6F
MessageBeep.USER32(00000000), ref: 00EA5C87
KillTimer.USER32(?,0000040A), ref: 00EA5CA3
EndDialog.USER32(?,00000001), ref: 00EA5CBD

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: d483f00ca8cf0c5ac445a47846b6a8425ee444bbd6f56343f898b4005d0b6c11
Instruction ID: 1df7a4f36c46794eb65754a06a7ff6c982cfc70f1d19324ca0702e948f66677f
Opcode Fuzzy Hash: d483f00ca8cf0c5ac445a47846b6a8425ee444bbd6f56343f898b4005d0b6c11
Instruction Fuzzy Hash: 9701DB315007049FEB205B11FD4EFD6B7B8FB05B45F04125AA553750E0D7F0A988CE50

Function 00E722A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00E722BE

Part of subcall function 00E729C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00E7D7D1,00000000,00000000,00000000,00000000,?,00E7D7F8,00000000,00000007,00000000,?,00E7DBF5,00000000), ref: 00E729DE
Part of subcall function 00E729C8: GetLastError.KERNEL32(00000000,?,00E7D7D1,00000000,00000000,00000000,00000000,?,00E7D7F8,00000000,00000007,00000000,?,00E7DBF5,00000000,00000000), ref: 00E729F0

_free.LIBCMT ref: 00E722D0
_free.LIBCMT ref: 00E722E3
_free.LIBCMT ref: 00E722F4
_free.LIBCMT ref: 00E72305

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 2800826fc0d51c5b41c8c126e872f9fa26adf9201f00b0feb81a1e53bb48c381
Instruction ID: e65591eb819ed53545c59c5401482ce965ab5dac436fccc7917a3d2953c789dc
Opcode Fuzzy Hash: 2800826fc0d51c5b41c8c126e872f9fa26adf9201f00b0feb81a1e53bb48c381
Instruction Fuzzy Hash: 85F030704011588BC712AF64BC028897BE5F758750B07D60EF718E22B1CB750492BBE4

Function 00E595C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00E595D4
StrokeAndFillPath.GDI32(?,?,00E971F7,00000000,?,?,?), ref: 00E595F0
SelectObject.GDI32(?,00000000), ref: 00E59603
DeleteObject.GDI32 ref: 00E59616
StrokePath.GDI32(?), ref: 00E59631

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 6bbf8f66ed69c308f6845e42e128ba2d140a9d3f3db74ebb79ea42ce467da8a2
Instruction ID: b21b9a874611965ea41406fd076b523946a4e7cf33b05fcab4e5a232b6ed61ed
Opcode Fuzzy Hash: 6bbf8f66ed69c308f6845e42e128ba2d140a9d3f3db74ebb79ea42ce467da8a2
Instruction Fuzzy Hash: 2DF01430006209EFDB225F6AED18BE43B61FB003A6F548215FA25690F1C77189ADEF20

Function 00E70F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 00E710F9
__freea.LIBCMT ref: 00E71117

Part of subcall function 00E71537: _free.LIBCMT ref: 00E7154F

Strings

a/p, xrefs: 00E711DE
am/pm, xrefs: 00E7117A

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: e1239504ff7f474e1f0f45ef7139a7fb6d2dc2386d3d4c32ebddb557d0b1aae2
Instruction ID: 79363974f0a2caa56b8139e7d365087b392a91a3c31ee3966ad40b883119d734
Opcode Fuzzy Hash: e1239504ff7f474e1f0f45ef7139a7fb6d2dc2386d3d4c32ebddb557d0b1aae2
Instruction Fuzzy Hash: C9D13331900346EADB288F6CC885BFAB7B0EF01308F25E199E90DBB651D3359D80DB91

Function 00E75AA9 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

Strings

JO, xrefs: 00E75BA8, 00E75C6C

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID:
String ID: JO
API String ID: 0-1663374661
Opcode ID: 42e9b3fc98ac9d42533902c57b8753ebd6683c8a3567b622775da0b7d2c31167
Instruction ID: 711b3b0861085b4973cd48a19efda04023994b12bed7da3b534e520157357ea4
Opcode Fuzzy Hash: 42e9b3fc98ac9d42533902c57b8753ebd6683c8a3567b622775da0b7d2c31167
Instruction Fuzzy Hash: CE51CD72D0060A9FCB21DFA4D845BFEBBB8EF05314F14A15AF409B7291D7B19A019B61

Function 00E78A61 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 124COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000002,00000000,?,?,?,00000000,?,?,?,?), ref: 00E78B6E
GetLastError.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,00000000,00001000,?), ref: 00E78B7A
__dosmaperr.LIBCMT ref: 00E78B81

Strings

., xrefs: 00E78A63

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr
String ID: .
API String ID: 2434981716-3963672497
Opcode ID: 15eaf04ec6a3e2ceca022eeca67ee18efd65f2d46f121f1461ed7202f5db236f
Instruction ID: fa8d5bb16e6b8ecbd6563aa16254f46a6b8ab2c2d574a6daa59093ced2a85889
Opcode Fuzzy Hash: 15eaf04ec6a3e2ceca022eeca67ee18efd65f2d46f121f1461ed7202f5db236f
Instruction Fuzzy Hash: 8141AC74604045AFCB249F24D989ABD3FE5DF95304F28E1AAF88CA7242DE318C03A790

Function 00EA2716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00EAB403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00EA21D0,?,?,00000034,00000800,?,00000034), ref: 00EAB42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00EA2760

Part of subcall function 00EAB3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00EA21FF,?,?,00000800,?,00001073,00000000,?,?), ref: 00EAB3F8

Part of subcall function 00EAB32A: GetWindowThreadProcessId.USER32(?,?), ref: 00EAB355
Part of subcall function 00EAB32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00EA2194,00000034,?,?,00001004,00000000,00000000), ref: 00EAB365
Part of subcall function 00EAB32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00EA2194,00000034,?,?,00001004,00000000,00000000), ref: 00EAB37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00EA27CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00EA281A

Strings

@, xrefs: 00EA2832

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 534e84e9ffff583c87ed146a723acaa7708dd14a0f9f1d70a481a31a87190cc4
Instruction ID: 9a16392ed31f36d3fa3d1925896d3285d41cc600fa1069b4df2214cd7bc86278
Opcode Fuzzy Hash: 534e84e9ffff583c87ed146a723acaa7708dd14a0f9f1d70a481a31a87190cc4
Instruction Fuzzy Hash: 91412E72900218AFDB10DFA4CD45ADEBBB8EF0A700F105099FA55BB181DB707E49CB61

Function 00E7172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 00E71769
_free.LIBCMT ref: 00E71834
_free.LIBCMT ref: 00E7183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 00E71760, 00E71767, 00E71796, 00E717CE

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-1957095476
Opcode ID: f0de03eff4dabeb4b7573dfb4fe157a85cabfeb7af824f9f6993c990c910f2b3
Instruction ID: a57ff9def3c2e8460bba43a35f9d801641de3cc91962fa96e032715a57bebcbf
Opcode Fuzzy Hash: f0de03eff4dabeb4b7573dfb4fe157a85cabfeb7af824f9f6993c990c910f2b3
Instruction Fuzzy Hash: FB318071A00358AFDB25DF99D881D9EBBFCEB85310B1491AAF908E7211D6708E40DB91

Function 00EAC27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00EAC306
DeleteMenu.USER32(?,00000007,00000000), ref: 00EAC34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00F11990,01646678), ref: 00EAC395

Strings

0, xrefs: 00EAC2DF

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 62baf5b57b6138a21614c0291b9acc3fa58a1b2113dfbb026950c8716d1e0b2e
Instruction ID: 147338d728e213bc40fe0f33075cf6917c662c7645ebafba140564f7880a5a96
Opcode Fuzzy Hash: 62baf5b57b6138a21614c0291b9acc3fa58a1b2113dfbb026950c8716d1e0b2e
Instruction Fuzzy Hash: DD41B6312043019FDB24DF25D844B5ABBE4EF8A314F24966DF965AB2D1D770F908CB52

Function 00ED4416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00EDCC08,00000000,?,?,?,?), ref: 00ED44AA
GetWindowLongW.USER32 ref: 00ED44C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00ED44D7

Strings

SysTreeView32, xrefs: 00ED447C

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: bc4fac9f7f90270a69a0e95467595796619dfa97ee4dc6cbdc0e79c7b7ce097c
Instruction ID: f4e7309c2971d5131bac03f48c922d94844e0c3b454c94efd4aa8e64ae3f3524
Opcode Fuzzy Hash: bc4fac9f7f90270a69a0e95467595796619dfa97ee4dc6cbdc0e79c7b7ce097c
Instruction Fuzzy Hash: 92318D71210206AFDF219E38EC45BEA77A9EB18338F206716F975A22D0D770EC969750

Function 00EA6E71 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92memoryCOMMON

Download Yara Rule

APIs

SysReAllocString.OLEAUT32(?,?), ref: 00EA6EED
VariantCopyInd.OLEAUT32(?,?), ref: 00EA6F08
VariantClear.OLEAUT32(?), ref: 00EA6F12

Strings

*j, xrefs: 00EA6E8B, 00EA6E90, 00EA6EF8

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Variant$AllocClearCopyString
String ID: *j
API String ID: 2173805711-1845181700
Opcode ID: a82a0c5c02af5120b99e7493cd7eaac95f42710ceb1f1baa257e4d08787ff74c
Instruction ID: 1bf968b1655257d7a597c45bea22f64bf146efd910545158aa018b3ccc740453
Opcode Fuzzy Hash: a82a0c5c02af5120b99e7493cd7eaac95f42710ceb1f1baa257e4d08787ff74c
Instruction Fuzzy Hash: 7531B175704215DFCB04AFA4E8519BD77B6EF8B304B141499F8026F2A1C734E916DBD0

Function 00EC304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00EC335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00EC3077,?,?), ref: 00EC3378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00EC307A
_wcslen.LIBCMT ref: 00EC309B
htons.WSOCK32(00000000,?,?,00000000), ref: 00EC3106

Strings

255.255.255.255, xrefs: 00EC3095, 00EC309A

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: abdadaaf70145b92187e893ae56789abfe46c910027acf83e9dc30ffcd70d2fc
Instruction ID: 82b254272116de5906a97e65622141bb0e56bbfe8f86c201051f37d155e0578a
Opcode Fuzzy Hash: abdadaaf70145b92187e893ae56789abfe46c910027acf83e9dc30ffcd70d2fc
Instruction Fuzzy Hash: 0031A33A6002019FCB10CF39D686FAA77E0EF54318F28D059E915AB392D732EE46C761

Function 00ED3EB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00ED3F40
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00ED3F54
SendMessageW.USER32(?,00001002,00000000,?), ref: 00ED3F78

Strings

SysMonthCal32, xrefs: 00ED3F0B

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 9a0336cae2568fe7907dd5f5dc81d82384319f9eddd03161557528a24f1fde62
Instruction ID: 43313cc4a2ae874ff9bda89ec4204d1d2f8de555ea211939444cecba48ec3db5
Opcode Fuzzy Hash: 9a0336cae2568fe7907dd5f5dc81d82384319f9eddd03161557528a24f1fde62
Instruction Fuzzy Hash: 2421AD32600219BFDF218F60DC46FEA3BB6EB48718F111215FA157B2D0D6B1E855DB90

Function 00ED4653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00ED4705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00ED4713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00ED471A

Strings

msctls_updown32, xrefs: 00ED4684

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: f86fbbc50f7583eb00dd39209b388aaa2cbdecd44331c83bb5940f41f3d6c6d9
Instruction ID: ddad5523a81194be1017c5f5903bb85759fdb9c79842cb5d381445d90edacbf5
Opcode Fuzzy Hash: f86fbbc50f7583eb00dd39209b388aaa2cbdecd44331c83bb5940f41f3d6c6d9
Instruction Fuzzy Hash: 2D2151F5600209AFEB10DF64DCC1DA737EDEB5A3A8B14105AF610A7391CB71EC12DA60

Function 00EA95AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00EA961D

Strings

#notrayicon, xrefs: 00EA95B7
#requireadmin, xrefs: 00EA95D9
#OnAutoItStartRegister, xrefs: 00EA95F3

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: a00f9399df49f70daa21e45f3405acc64a11a33d7a796503f57c7384f580cd71
Instruction ID: 1d98ce326d18496520cef90a5a52cf5b25fb8acc13f31e6880b524633ef6c491
Opcode Fuzzy Hash: a00f9399df49f70daa21e45f3405acc64a11a33d7a796503f57c7384f580cd71
Instruction Fuzzy Hash: D121357264421166D331EA24AC02FBB73D8DF9A314F106426F94ABF182EB51BD52C2E5

Function 00ED37B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00ED3840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00ED3850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00ED3876

Strings

Listbox, xrefs: 00ED380F

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: a8714103e5e488eb544ed7d1e16fb96abb7eefaa25bed9419e9240bea7763c2d
Instruction ID: 7839afd483a48a3b45aff4310c0440d487b00c366db7fc36c346673ad3e0b482
Opcode Fuzzy Hash: a8714103e5e488eb544ed7d1e16fb96abb7eefaa25bed9419e9240bea7763c2d
Instruction Fuzzy Hash: 8721F272600218BFEF218F64DC41FBB376EEF89754F109116F900AB290C671DC1297A1

Function 00EB49F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00EB4A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00EB4A5C
SetErrorMode.KERNEL32(00000000,?,?,00EDCC08), ref: 00EB4AD0

Strings

%lu, xrefs: 00EB4A6F

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: b16e5bb8456a00d46ba7c8458075a3fc7a8701e99b12415c07b30b1f63208282
Instruction ID: ba811b3137ca246a2fcc93e8136cba30e50e651ddfae59aad3f4bea3de6158fa
Opcode Fuzzy Hash: b16e5bb8456a00d46ba7c8458075a3fc7a8701e99b12415c07b30b1f63208282
Instruction Fuzzy Hash: BE315E71A00219AFDB10DF54C885EAABBF8EF08308F1490A5F909EB253D771ED46CB61

Function 00ED41EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00ED424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00ED4264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00ED4271

Strings

msctls_trackbar32, xrefs: 00ED4226

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: a909184fcf419c6ac527439e339c167a142b082150add3b0b2aee2420c7933ef
Instruction ID: 9b4af89a3c44217aead5768ed787665d8f5e42191f51c593aa2ad765b1430bac
Opcode Fuzzy Hash: a909184fcf419c6ac527439e339c167a142b082150add3b0b2aee2420c7933ef
Instruction Fuzzy Hash: 2311E371240208BFEF205E69CC06FAB3BACEF95B68F111115FA55F61E0D671D8129B10

Function 00EA2F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E46B57: _wcslen.LIBCMT ref: 00E46B6A

Part of subcall function 00EA2DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00EA2DC5
Part of subcall function 00EA2DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00EA2DD6
Part of subcall function 00EA2DA7: GetCurrentThreadId.KERNEL32 ref: 00EA2DDD
Part of subcall function 00EA2DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00EA2DE4

GetFocus.USER32 ref: 00EA2F78

Part of subcall function 00EA2DEE: GetParent.USER32(00000000), ref: 00EA2DF9

GetClassNameW.USER32(?,?,00000100), ref: 00EA2FC3
EnumChildWindows.USER32(?,00EA303B), ref: 00EA2FEB

Strings

%s%d, xrefs: 00EA2FFF

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 0362dba1f4b8b1a9b3cb285e1aba45691725f9f96183ab80433641450f238f0b
Instruction ID: 3f5fae523b1e91279ed15f94f7a4c323ba2716baba336ca6aa8155505a93597b
Opcode Fuzzy Hash: 0362dba1f4b8b1a9b3cb285e1aba45691725f9f96183ab80433641450f238f0b
Instruction Fuzzy Hash: D41196716002055BCF146F749C85EED77A9DF89308F145075FE09BF192DE70A949DB60

Function 00ED5882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00ED58C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00ED58EE
DrawMenuBar.USER32(?), ref: 00ED58FD

Strings

0, xrefs: 00ED588F

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: d0fdcb7045fbb144fe110b71e442ed565183ffc90391dd2fcea45bc853521319
Instruction ID: 23090bbff10462df08205ce6bd8e2b1b3b5a5d919dbbbc43f2b4952617e66e6e
Opcode Fuzzy Hash: d0fdcb7045fbb144fe110b71e442ed565183ffc90391dd2fcea45bc853521319
Instruction Fuzzy Hash: D7018432500218EFDB219F15EC45BEEBBB4FF45365F10909AE859E6251DB308A85DF21

Function 00E9D3A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 00E9D3BF
FreeLibrary.KERNEL32 ref: 00E9D3E5

Strings

X64, xrefs: 00E9D2A8
GetSystemWow64DirectoryW, xrefs: 00E9D3B9

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 3013587201-2590602151
Opcode ID: 9e157bf6757c4d12f15d539337441f6450fde72d494182fb07f81a711bbc2adf
Instruction ID: ed3891ee947bb3beebe8b1a01335d152a57957255eaa80fff1ab9d240c1cbc1c
Opcode Fuzzy Hash: 9e157bf6757c4d12f15d539337441f6450fde72d494182fb07f81a711bbc2adf
Instruction Fuzzy Hash: 93F0E53180F632DBDF7597214C589E93324EF10742FA4BA6AE802F2155DB20CD49D693

Function 00EA007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f428f921a1218c08ee32032ab0d1f6225ce3c1ba697fc11ee52809afe507f83
Instruction ID: f7fa707f98de5a2aebf3311749a10904e16ebfb768561d891c1b9dff9bef9686
Opcode Fuzzy Hash: 1f428f921a1218c08ee32032ab0d1f6225ce3c1ba697fc11ee52809afe507f83
Instruction Fuzzy Hash: 5EC13875A0020AAFDB14CFA8C894BAEB7B5FF49708F209598E505EF251D731EE45CB90

Function 00EC342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00EC3459
CoUninitialize.OLE32 ref: 00EC3463
VariantInit.OLEAUT32(?), ref: 00EC346E
VariantClear.OLEAUT32(?), ref: 00EC371B

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: be888827a63484088aba7ab07c652a3e347e22f6f0c0eca7abb89b09bdd3a132
Instruction ID: 7463e5888849321e6949a89b51e228dcbb0178211be015e02ba9c019b6389e5c
Opcode Fuzzy Hash: be888827a63484088aba7ab07c652a3e347e22f6f0c0eca7abb89b09bdd3a132
Instruction Fuzzy Hash: 5FA167756042109FC700DF28C585E6AB7E5FF88314F14985DF98AAB362DB35EE06CB91

Function 00EA0436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00EDFC08,?), ref: 00EA05F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00EDFC08,?), ref: 00EA0608
CLSIDFromProgID.OLE32(?,?,00000000,00EDCC40,000000FF,?,00000000,00000800,00000000,?,00EDFC08,?), ref: 00EA062D
_memcmp.LIBVCRUNTIME ref: 00EA064E

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 6ad60c8405859170d7bf2f032f6da8fe74f61b845d521b143eaf4201f03f6c09
Instruction ID: 607f98472032dfb2156f945ae8a67845d28fb4608194800e8a3f99aacd6fdc5f
Opcode Fuzzy Hash: 6ad60c8405859170d7bf2f032f6da8fe74f61b845d521b143eaf4201f03f6c09
Instruction Fuzzy Hash: 04812B75A00109EFCB04DF94C984EEEB7B9FF89315F205598E516BB250DB71AE06CB60

Function 00ECA67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00ECA6AC
Process32FirstW.KERNEL32(00000000,?), ref: 00ECA6BA

Part of subcall function 00E49CB3: _wcslen.LIBCMT ref: 00E49CBD

Process32NextW.KERNEL32(00000000,?), ref: 00ECA79C
CloseHandle.KERNEL32(00000000), ref: 00ECA7AB

Part of subcall function 00E5CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00E83303,?), ref: 00E5CE8A

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 86689b44a962f8330796e0dbfe5574bf197d1120d9ceb25920ee88e861701031
Instruction ID: 78e3bbbdce3cd18381c443bedbadbf74291c25bc87c9c8e9f877c29257eb3706
Opcode Fuzzy Hash: 86689b44a962f8330796e0dbfe5574bf197d1120d9ceb25920ee88e861701031
Instruction Fuzzy Hash: A3517B71508300AFD314EF24D886E6BBBE8FF89754F04592DF985A7262EB31D905CB92

Function 00E81391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00E814C0

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 85896201c91039d0d0f52af985ec081b97ca23c3975ca1331502f9d29c74eee6
Instruction ID: de2fa5699bfb5755bf77ee8ebc0ca8684a9e7ad43b59588ff4186fbffbd94090
Opcode Fuzzy Hash: 85896201c91039d0d0f52af985ec081b97ca23c3975ca1331502f9d29c74eee6
Instruction Fuzzy Hash: D0417D31A40100ABDB217BF9AC45ABE3BEDEF41370F1462A5F43DF21A2E67448435761

Function 00ED6278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00ED62E2
ScreenToClient.USER32(?,?), ref: 00ED6315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00ED6382

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 382727c7f606b1008a10cc2e06a4488cd145ffd47ede7cd67c5dce5d8272cf01
Instruction ID: ed7ef3c5350704fc06c7ea2251643edd84dd879ed7332e0fd8dcc9c7024f4c13
Opcode Fuzzy Hash: 382727c7f606b1008a10cc2e06a4488cd145ffd47ede7cd67c5dce5d8272cf01
Instruction Fuzzy Hash: CA512D74900209AFDF10DF68D8809AE7BB5FF95364F10925AF925AB3A0D730ED42CB50

Function 00EC1AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00EC1AFD
WSAGetLastError.WSOCK32 ref: 00EC1B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00EC1B8A
WSAGetLastError.WSOCK32 ref: 00EC1B94

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 702cfca242b2c6ae904dc5a423722bfbaaadb3063ae6baffdc00742f6ffb2d3e
Instruction ID: 1fe8fc04447f65f023f47a2b621ba7f3df72558c73d5263e8aad39c98f371ca5
Opcode Fuzzy Hash: 702cfca242b2c6ae904dc5a423722bfbaaadb3063ae6baffdc00742f6ffb2d3e
Instruction Fuzzy Hash: 8541BB34600201AFE720AF24D986F2A77E5AB45718F54948CF91AAF3D3D772ED42CB90

Function 00E7B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 582d45ad4665ed6982358232c169e71aa2043f081a02704233f3a2654b6e29b7
Instruction ID: d212b9d13aec51cd84143a55c4d9b9f749769f82c00eea0fec61e5c7740e6829
Opcode Fuzzy Hash: 582d45ad4665ed6982358232c169e71aa2043f081a02704233f3a2654b6e29b7
Instruction Fuzzy Hash: 1E411971A40304BFD724AF38CC41BAABBF9EB84710F10966EF559FB292E77199018780

Function 00EB56D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00EB5783
GetLastError.KERNEL32(?,00000000), ref: 00EB57A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00EB57CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00EB57FA

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: d8d6f4d8bf67a143e7af84ecebad089c2b239768744b9c3f4279e3ebe5fbe2e9
Instruction ID: 7156527d8f8483fffd3aa34361b6db0c9faddfe2220cd259f7797a312e4e388a
Opcode Fuzzy Hash: d8d6f4d8bf67a143e7af84ecebad089c2b239768744b9c3f4279e3ebe5fbe2e9
Instruction Fuzzy Hash: ED413D35600A11DFCB11DF15D544A5EBBE2EF89324B189899E84ABF362CB35FD00CB91

Function 00E7D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00E682D9,?,00E682D9,?,00000001,?,?,00000001,00E682D9,00E682D9), ref: 00E7D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00E7D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00E7D9AB
__freea.LIBCMT ref: 00E7D9B4

Part of subcall function 00E73820: RtlAllocateHeap.NTDLL(00000000,?,00F11444,?,00E5FDF5,?,?,00E4A976,00000010,00F11440,00E413FC,?,00E413C6,?,00E41129), ref: 00E73852

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 4ab87cb1ce22cc9815c6659eb1810d135b5c4db2824c9b8f52377f934d68c7a3
Instruction ID: 56004ef0c587fecd4889223df945accdaf90b145b656466b97644e3c1a3fe1a2
Opcode Fuzzy Hash: 4ab87cb1ce22cc9815c6659eb1810d135b5c4db2824c9b8f52377f934d68c7a3
Instruction Fuzzy Hash: 1131CE72A0021AABDB249F65DC41EAE7BB5EF80354B158268FD08E6290EB75CD54CB90

Function 00ED52C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00ED5352
GetWindowLongW.USER32(?,000000F0), ref: 00ED5375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00ED5382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00ED53A8

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: e35aa7cc9964b49eba6a279ab20ceaf9a4aa3f6564a8cf0f2bca075f1aa392f8
Instruction ID: edafc73a8898fc41d4c36f75bb6b03d195d0f78203ce7753ff2d0f128057fa27
Opcode Fuzzy Hash: e35aa7cc9964b49eba6a279ab20ceaf9a4aa3f6564a8cf0f2bca075f1aa392f8
Instruction Fuzzy Hash: 4831E232A55A0CEFEB309B14CC05BE837A1EB043D4F586103FA10B63E5C7B09942EB42

Function 00EAAB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 00EAABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 00EAAC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 00EAAC74
SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 00EAACC6

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 1323fb4234f62e0304ee0faeba8131fe29241d5bb670ae705dba50671935e9bc
Instruction ID: e287bfbce0c2ed0d5928478b1d60e17c1517b2d8a23b6245b8a6ae21e6b5696b
Opcode Fuzzy Hash: 1323fb4234f62e0304ee0faeba8131fe29241d5bb670ae705dba50671935e9bc
Instruction Fuzzy Hash: 4C311A309007186FFF35CB6598047FAFBA5AB4E334F0C622AE4817A1D1C375A945C752

Function 00ED7674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00ED769A
GetWindowRect.USER32(?,?), ref: 00ED7710
PtInRect.USER32(?,?,00ED8B89), ref: 00ED7720
MessageBeep.USER32(00000000), ref: 00ED778C

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 3d6e2265923eb9ddd7ff3d51c2789966ed10b708f9c961ccef6ba08834ae0aff
Instruction ID: e81973d2f1e9507e7b34afca13f96bdd1bd6d0e542645d7a52cfb8cd97e1db55
Opcode Fuzzy Hash: 3d6e2265923eb9ddd7ff3d51c2789966ed10b708f9c961ccef6ba08834ae0aff
Instruction Fuzzy Hash: D241BC34A092189FCB01CF58C884EA977F0FB48315F5594ABE9A4AB360E330E942CB90

Function 00ED16DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00ED16EB

Part of subcall function 00EA3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00EA3A57
Part of subcall function 00EA3A3D: GetCurrentThreadId.KERNEL32 ref: 00EA3A5E
Part of subcall function 00EA3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00EA25B3), ref: 00EA3A65

GetCaretPos.USER32(?), ref: 00ED16FF
ClientToScreen.USER32(00000000,?), ref: 00ED174C
GetForegroundWindow.USER32 ref: 00ED1752

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 6479599717cdd6e7652347ad5002ac7c6c161caf00bd3813cdd4ee039debcf75
Instruction ID: e5be881473e7a8da7a368949b1abb3619993eab547a32e1b090482835c5ca21d
Opcode Fuzzy Hash: 6479599717cdd6e7652347ad5002ac7c6c161caf00bd3813cdd4ee039debcf75
Instruction Fuzzy Hash: BB316F75E01249AFC700EFAAD881CAEBBF9EF49304B5490AAE415F7211D731DE45CBA0

Function 00EADF95 Relevance: 6.1, APIs: 4, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 00E47620: _wcslen.LIBCMT ref: 00E47625

_wcslen.LIBCMT ref: 00EADFCB
_wcslen.LIBCMT ref: 00EADFE2
_wcslen.LIBCMT ref: 00EAE00D
GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00EAE018

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: _wcslen$ExtentPoint32Text
String ID:
API String ID: 3763101759-0
Opcode ID: 824f1e032ad4f1ccb54bd2e97706bfe2d9a6643c85b88e4044ff88f7f438edca
Instruction ID: 309cfe37bdb2fc1be55667637d06bdd66c96b88143c0ab8e8ebe6b5a7ce06542
Opcode Fuzzy Hash: 824f1e032ad4f1ccb54bd2e97706bfe2d9a6643c85b88e4044ff88f7f438edca
Instruction Fuzzy Hash: 7D21D675940214AFCB10DF64D981B6E77F8EF8A750F105065E905BF385D670AE40CBA1

Function 00ED8FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E59BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00E59BB2

GetCursorPos.USER32(?), ref: 00ED9001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00E97711,?,?,?,?,?), ref: 00ED9016
GetCursorPos.USER32(?), ref: 00ED905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00E97711,?,?,?), ref: 00ED9094

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: a248a83aac3353cd1fb5ab84f60589c43b972494792f128f6b922658c084b367
Instruction ID: 3ed1458825d1c45a46395cb4f9a43aee0cdd0a93b4e0801ffb99ebc8d2ca23de
Opcode Fuzzy Hash: a248a83aac3353cd1fb5ab84f60589c43b972494792f128f6b922658c084b367
Instruction Fuzzy Hash: 6121D331600018EFDB259F94EC58EFA3BB9FF49350F148156F905AB2A2C3759991EB60

Function 00EAD2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00EDCB68), ref: 00EAD2FB
GetLastError.KERNEL32 ref: 00EAD30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 00EAD319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00EDCB68), ref: 00EAD376

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: ca7529efec5dd0261dfa50066d84bd69d1e7e49cb8db56b13543c2e1e2ea7c48
Instruction ID: 40d173e5158b41f47e16d46e50bc7579a6a149a65010d48e801b62e65f79e2b1
Opcode Fuzzy Hash: ca7529efec5dd0261dfa50066d84bd69d1e7e49cb8db56b13543c2e1e2ea7c48
Instruction Fuzzy Hash: 802194705097019F8700DF28D8814AE77E4EF5A358F205A1EF496EB2A1D730E94ACB93

Function 00EA1571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00EA1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00EA102A
Part of subcall function 00EA1014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00EA1036
Part of subcall function 00EA1014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00EA1045
Part of subcall function 00EA1014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00EA104C
Part of subcall function 00EA1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00EA1062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00EA15BE
_memcmp.LIBVCRUNTIME ref: 00EA15E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00EA1617
HeapFree.KERNEL32(00000000), ref: 00EA161E

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: dba0d55ccba0aaa211415d03495aa3ee3d0f557ea974e5f158b0ca3f21f72511
Instruction ID: a8581ba0c74e7e47cedb82923b4e3e9bff9cbd6b5fe0a3ad20cdd7a3b2490f82
Opcode Fuzzy Hash: dba0d55ccba0aaa211415d03495aa3ee3d0f557ea974e5f158b0ca3f21f72511
Instruction Fuzzy Hash: 15218931E41109EFDF00DFA4C945BEEB7B8EF89348F184499E441BB241E730AA49CBA0

Function 00ED2782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 00ED280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00ED2824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00ED2832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00ED2840

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: ae162d81b9f4008645f6d9b354e739eb8616e96fe51040b5a2953b96c694cc81
Instruction ID: fc424cb0a44a6c89ea2019a5e362aa31ad4059bb799d4213c33426f16b4ba5b8
Opcode Fuzzy Hash: ae162d81b9f4008645f6d9b354e739eb8616e96fe51040b5a2953b96c694cc81
Instruction Fuzzy Hash: D6213335205111AFD7149B24D840FAA7B9AEF95324F24924EF526AB3E2C771FC43C790

Function 00EA78F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00EA8D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,00EA790A,?,000000FF,?,00EA8754,00000000,?,0000001C,?,?), ref: 00EA8D8C
Part of subcall function 00EA8D7D: lstrcpyW.KERNEL32(00000000,?,?,00EA790A,?,000000FF,?,00EA8754,00000000,?,0000001C,?,?,00000000), ref: 00EA8DB2
Part of subcall function 00EA8D7D: lstrcmpiW.KERNEL32(00000000,?,00EA790A,?,000000FF,?,00EA8754,00000000,?,0000001C,?,?), ref: 00EA8DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00EA8754,00000000,?,0000001C,?,?,00000000), ref: 00EA7923
lstrcpyW.KERNEL32(00000000,?,?,00EA8754,00000000,?,0000001C,?,?,00000000), ref: 00EA7949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00EA8754,00000000,?,0000001C,?,?,00000000), ref: 00EA7984

Strings

cdecl, xrefs: 00EA797B

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 355d13bb816c93365b8b1353c28f9c4c0e8d75e48ada741104ade2dccb7b798a
Instruction ID: 279e2aa856d7fc945494959a697949fcb21b8fe905f86b0adcddd466422e6562
Opcode Fuzzy Hash: 355d13bb816c93365b8b1353c28f9c4c0e8d75e48ada741104ade2dccb7b798a
Instruction Fuzzy Hash: 4411E43A201202AFCB159F35DC45D7B77E9EF8A394B10502BE982DB2A4EB31A811C791

Function 00ED7CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00ED7D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00ED7D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00ED7D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00EBB7AD,00000000), ref: 00ED7D6B

Part of subcall function 00E59BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00E59BB2

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: fcec1a5cf94dc6aba393990bb998d406c70fdcdb94a8bc9531f58cfa9a425a39
Instruction ID: 1437cfb19b1f96d7c790d72fe1d0ca409bed70d4da367617cf6ea2e54d6ed17d
Opcode Fuzzy Hash: fcec1a5cf94dc6aba393990bb998d406c70fdcdb94a8bc9531f58cfa9a425a39
Instruction Fuzzy Hash: 2111D5312056159FCB108F28DC04AA63BA5FF463B4B219726F975E72F0E730C952DB40

Function 00ED5660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 00ED56BB
_wcslen.LIBCMT ref: 00ED56CD
_wcslen.LIBCMT ref: 00ED56D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00ED5816

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: 7d9cb05c3cb832c347efa68f8263423dd266ba43598b0bf44f5b77cf597a5089
Instruction ID: b7acd16da99bc6ebd977b3b96b9d3852be27e150291961c4a55df286e678c647
Opcode Fuzzy Hash: 7d9cb05c3cb832c347efa68f8263423dd266ba43598b0bf44f5b77cf597a5089
Instruction Fuzzy Hash: 98110A7264060996DB209F65DC81AFE37ACEF50764B10502BF926F6281E770C985CF61

Function 00E71D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a4b60aca295274b0f20e32a54a1132853ddc56bae205e9db53e2e20dae06651
Instruction ID: 3470e3ee83f7b92b20a3af82d048777424f0e8323e579ae71857ff4bbe8dc0a8
Opcode Fuzzy Hash: 2a4b60aca295274b0f20e32a54a1132853ddc56bae205e9db53e2e20dae06651
Instruction Fuzzy Hash: F4017CB220A7163EFA2116787CC1F67666CDF813B9B35A36AF629B11D2DB608C405560

Function 00EA1A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00EA1A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00EA1A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00EA1A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00EA1A8A

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 082d04152f05058cb34b8f7a4c2966d6dafd307dae1e73aa78a88413f6c0e4c4
Instruction ID: b1e8497cad4f14307a88400e4cdeb98964e23569a3f1dc9017fc982d8b87b13b
Opcode Fuzzy Hash: 082d04152f05058cb34b8f7a4c2966d6dafd307dae1e73aa78a88413f6c0e4c4
Instruction Fuzzy Hash: 54110C3AD01219FFEB11DBA5CD85FADBB78EB09754F200091E604B7290D6716E50DB94

Function 00EAE1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00EAE1FD
MessageBoxW.USER32(?,?,?,?), ref: 00EAE230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00EAE246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00EAE24D

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: daab476b080271b19e84f4b78fb21165fb82e7e694a57adb30fb0f96f2c8aea7
Instruction ID: cc0bad06e8bedfe9b91f018a894be50991c3ab03f2c24aa2224c502481f8a2e0
Opcode Fuzzy Hash: daab476b080271b19e84f4b78fb21165fb82e7e694a57adb30fb0f96f2c8aea7
Instruction Fuzzy Hash: 26110872905259BFC7019BA8AC09BDE7FACEB46354F108256F924F7391D270DD0487B0

Function 00E6D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,00E6CFF9,00000000,00000004,00000000), ref: 00E6D218
GetLastError.KERNEL32 ref: 00E6D224
__dosmaperr.LIBCMT ref: 00E6D22B
ResumeThread.KERNEL32(00000000), ref: 00E6D249

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: b9713357dc2122f9a249756cdb567051a06fc89f159c10703d9309f5ddfc67f6
Instruction ID: 25677885a85a2323275547d7ea8a58aa67dfd9b2f949a518af8ae0217eabd9e0
Opcode Fuzzy Hash: b9713357dc2122f9a249756cdb567051a06fc89f159c10703d9309f5ddfc67f6
Instruction Fuzzy Hash: FF012636E8A204BBC7115BA5FC05BAA3BA9DF813B0F205219F924B20E0CB70C901C6A0

Function 00ED9EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00E59BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00E59BB2

GetClientRect.USER32(?,?), ref: 00ED9F31
GetCursorPos.USER32(?), ref: 00ED9F3B
ScreenToClient.USER32(?,?), ref: 00ED9F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 00ED9F7A

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: bdc6bf76ea329cb2da865d4b716a45cdc72751a094e0c3220cefbb3ef0f27072
Instruction ID: a48fee5e1c303a6a5359a039c8c41a2a859e4040ad9dea50d7123bdd230e39c4
Opcode Fuzzy Hash: bdc6bf76ea329cb2da865d4b716a45cdc72751a094e0c3220cefbb3ef0f27072
Instruction Fuzzy Hash: 96112532A0011AABDB109F69DC499FE77B9FB05311F500552F911F7242D330AA86CBA1

Function 00E4600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00E4604C
GetStockObject.GDI32(00000011), ref: 00E46060
SendMessageW.USER32(00000000,00000030,00000000), ref: 00E4606A

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: b5783e0ad905217875550319bbf3773a7ea60fdde8e1b1d815613e0f9b47a3e3
Instruction ID: 26ec6ad9f68e3d952e3173739283a7e85fe79b4d4a87dcdc620ab66ff31fcb3e
Opcode Fuzzy Hash: b5783e0ad905217875550319bbf3773a7ea60fdde8e1b1d815613e0f9b47a3e3
Instruction Fuzzy Hash: 7711C4B2502509BFEF224FA4EC44EEABB6DFF09395F101202FA1466010C732DC60DB91

Function 00E63B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00E63B56

Part of subcall function 00E63AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00E63AD2
Part of subcall function 00E63AA3: ___AdjustPointer.LIBCMT ref: 00E63AED

_UnwindNestedFrames.LIBCMT ref: 00E63B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00E63B7C
CallCatchBlock.LIBVCRUNTIME ref: 00E63BA4

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: bcc0ba2ee1b9262ccddc979006d1de299d4340fdda2b3b72e4581ab4c3b30731
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 88018C72140149BBDF125EA5EC42EEB3FADEF58798F045004FE4866121C732E961EBA0

Function 00E73073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00E413C6,00000000,00000000,?,00E7301A,00E413C6,00000000,00000000,00000000,?,00E7328B,00000006,FlsSetValue), ref: 00E730A5
GetLastError.KERNEL32(?,00E7301A,00E413C6,00000000,00000000,00000000,?,00E7328B,00000006,FlsSetValue,00EE2290,FlsSetValue,00000000,00000364,?,00E72E46), ref: 00E730B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00E7301A,00E413C6,00000000,00000000,00000000,?,00E7328B,00000006,FlsSetValue,00EE2290,FlsSetValue,00000000), ref: 00E730BF

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 492e43957e03f317f6591a1216bf2ead11818b31cdd5c8966ef342e7ca15e91c
Instruction ID: 4ed08233c0a1dd1baa08a69a5f79447377f5317844673ada44cd45e898e277f6
Opcode Fuzzy Hash: 492e43957e03f317f6591a1216bf2ead11818b31cdd5c8966ef342e7ca15e91c
Instruction Fuzzy Hash: A5014732342223AFCB704B79AC44A977B98EF05BA1B208321F909F3180CB21C945D6E0

Function 00EA7464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 00EA747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00EA7497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00EA74AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00EA74CA

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 73cbb7f5b7c73d900c3724f7ff855f85503c0259e9532d6da9eee2723a46f5e2
Instruction ID: f7a3ad06131a26305a65de4f042a9f83841bd3fab32c458103c6da9a377d1b83
Opcode Fuzzy Hash: 73cbb7f5b7c73d900c3724f7ff855f85503c0259e9532d6da9eee2723a46f5e2
Instruction Fuzzy Hash: 6B11A1B12063119FE720CF14ED08BD27FFCEB09B44F10856AA6A6EA151D770F908DB50

Function 00EAB0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00EAACD3,?,00008000), ref: 00EAB0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00EAACD3,?,00008000), ref: 00EAB0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00EAACD3,?,00008000), ref: 00EAB0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00EAACD3,?,00008000), ref: 00EAB126

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: db4eac699b7c557d7d5379b3c93bcba3455a4bcbd9dbe1a281a4817f4fc5f85d
Instruction ID: 333d21db13c06685dd44166d9491f9d835b7f99c6eab77e5ba312c8bdac7f1fb
Opcode Fuzzy Hash: db4eac699b7c557d7d5379b3c93bcba3455a4bcbd9dbe1a281a4817f4fc5f85d
Instruction Fuzzy Hash: 20118B30C0252DEBCF04AFE5E9A86EEBB78FF1E311F105096D981B6282CB306650CB51

Function 00ED7E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00ED7E33
ScreenToClient.USER32(?,?), ref: 00ED7E4B
ScreenToClient.USER32(?,?), ref: 00ED7E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00ED7E8A

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 1702e718e75c46a069e4fce8d4563cabe30adec5993ef539593f2cb79f4de887
Instruction ID: 4f4c9e6618d67cdc6253bda1589157e603c62c4f9adf12a4ed51cd926888d231
Opcode Fuzzy Hash: 1702e718e75c46a069e4fce8d4563cabe30adec5993ef539593f2cb79f4de887
Instruction Fuzzy Hash: 331156B9D0020AAFDB41CFA9D884AEEBBF5FF08350F505166E915E3210D735AA55CF50

Function 00EA2DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00EA2DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00EA2DD6
GetCurrentThreadId.KERNEL32 ref: 00EA2DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00EA2DE4

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 827055fed8b2548c5a5bb4220fa5203504b6e50d5d3464af7464e30e83e3556c
Instruction ID: 81001c7a6a29458d410d2c183386fd63c018ddbca9a45d26b4b5b471622a070f
Opcode Fuzzy Hash: 827055fed8b2548c5a5bb4220fa5203504b6e50d5d3464af7464e30e83e3556c
Instruction Fuzzy Hash: F9E06D711022257BDB201B67AC0DEEB3F6CEF47FA1F10101AB606F90819AA4D884C6B0

Function 00ED8863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00E59639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00E59693
Part of subcall function 00E59639: SelectObject.GDI32(?,00000000), ref: 00E596A2
Part of subcall function 00E59639: BeginPath.GDI32(?), ref: 00E596B9
Part of subcall function 00E59639: SelectObject.GDI32(?,00000000), ref: 00E596E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00ED8887
LineTo.GDI32(?,?,?), ref: 00ED8894
EndPath.GDI32(?), ref: 00ED88A4
StrokePath.GDI32(?), ref: 00ED88B2

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 3d0c14fd00eb59fc1fff8cdb5bcbc90c7f6c9e2ae5db48f7d6bae67647f96211
Instruction ID: 135e4c0c619938c97b6be694ba8098f23fb721e73ff772a6e48790f53c55cf30
Opcode Fuzzy Hash: 3d0c14fd00eb59fc1fff8cdb5bcbc90c7f6c9e2ae5db48f7d6bae67647f96211
Instruction Fuzzy Hash: 1CF09A36002259FADB121F95AC09FCE3B69AF06310F508002FA11710E2C7B51515DBE5

Function 00E598B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00E598CC
SetTextColor.GDI32(?,?), ref: 00E598D6
SetBkMode.GDI32(?,00000001), ref: 00E598E9
GetStockObject.GDI32(00000005), ref: 00E598F1

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: b9b6f4387e5de3d0ff1cfc0aefef34a35ffebd8f815b4059762c6b01ff9f77ae
Instruction ID: d2ec47e0fc8a638f9833a677932d183443f589799a7b41c3affb7d25300d2a30
Opcode Fuzzy Hash: b9b6f4387e5de3d0ff1cfc0aefef34a35ffebd8f815b4059762c6b01ff9f77ae
Instruction Fuzzy Hash: F8E06531245251AEDF215B75BC09BD83F21EB11376F14821AF6F9640E1C3714648DB10

Function 00EA162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00EA1634
OpenThreadToken.ADVAPI32(00000000,?,?,?,00EA11D9), ref: 00EA163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00EA11D9), ref: 00EA1648
OpenProcessToken.ADVAPI32(00000000,?,?,?,00EA11D9), ref: 00EA164F

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 024cfddb878e58993d49d6bc6d1b636aa0ab3c93b2e1259137531a040df79714
Instruction ID: a0776455a6acb6ca12f7a12047889efb78c4d13742cfebd2696ccd48d49421bd
Opcode Fuzzy Hash: 024cfddb878e58993d49d6bc6d1b636aa0ab3c93b2e1259137531a040df79714
Instruction Fuzzy Hash: 4CE04F316022129FD7201BA2AE0DB463B68EF457E5F244849F245E9090E6245449C750

Function 00E9D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00E9D858
GetDC.USER32(00000000), ref: 00E9D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00E9D882
ReleaseDC.USER32(?), ref: 00E9D8A3

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 0ba61739e30bf54ddca0fd94e7f75f8560201a895a6ea3eb94bbaaadebc57e12
Instruction ID: ba4352ae397a10076e9d6489bbf4645241e754a13a9961ca606127c2e1bf5a3b
Opcode Fuzzy Hash: 0ba61739e30bf54ddca0fd94e7f75f8560201a895a6ea3eb94bbaaadebc57e12
Instruction Fuzzy Hash: 26E01AB0805206DFCF519FA1EC0866DBBF2FB08751F28A40AE816F7250C738890AEF40

Function 00E9D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00E9D86C
GetDC.USER32(00000000), ref: 00E9D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00E9D882
ReleaseDC.USER32(?), ref: 00E9D8A3

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 30260d566edd4a357adb12f796ef747985aa59350e96cf38c2f9f74232d18c27
Instruction ID: b75b238e1c4f6b84fc62bbbfc64e731d555d32cb06f5444c90130940517ea50b
Opcode Fuzzy Hash: 30260d566edd4a357adb12f796ef747985aa59350e96cf38c2f9f74232d18c27
Instruction Fuzzy Hash: 58E01A70801201DFCB509FA1E80866DBBF1FB08751B28940AE816F7250C738990ADF40

Function 00EB4D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00E47620: _wcslen.LIBCMT ref: 00E47625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00EB4ED4

Strings

LPT, xrefs: 00EB4DFB
*, xrefs: 00EB4E10

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: a65b79be135a615da97c76e8b8430cd9da335fd9c41bf773d2a3d30ab4d4d514
Instruction ID: cfd71b008700ca13c39de1f7ec06447231271cfcd75a61f94c1e6ed5c412b3f2
Opcode Fuzzy Hash: a65b79be135a615da97c76e8b8430cd9da335fd9c41bf773d2a3d30ab4d4d514
Instruction Fuzzy Hash: F69142B5A002149FCB14DF54C484EEABBF5BF44308F19A099E84AAF3A2D735ED45CB91

Function 00E6E27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00E6E30D

Strings

pow, xrefs: 00E6E2E5, 00E6E302

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 0e9a6a809e343a3e576b98a7430d99e2fc954301ad1a78fe3f0644f21c9dbb12
Instruction ID: f9bb4e9889ae3215ea856af48b9e51222afadd59f3abe0f9cefab0bd3f86cf17
Opcode Fuzzy Hash: 0e9a6a809e343a3e576b98a7430d99e2fc954301ad1a78fe3f0644f21c9dbb12
Instruction Fuzzy Hash: F6518065A8C20696CB257B14D9413BA3BD8EB407C4F30F95CF0D9B63E9DF308C959A86

Function 00E5E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 00E5E1B1

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 0c705a103237629ae7ba233f1e0e1fa303b508dfe717039fece017e0011277ec
Instruction ID: 0e346a94bc2b67c75d30021fad6849d385f60df6463aa7d8f3a7ec1488813c65
Opcode Fuzzy Hash: 0c705a103237629ae7ba233f1e0e1fa303b508dfe717039fece017e0011277ec
Instruction Fuzzy Hash: CC511F35904206DEDF18DFA8C0816FA7BA8EF15314F246856ED91BB390D6309E86CBA1

Function 00E5F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00E5F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 00E5F2BB

Strings

@, xrefs: 00E5F2AF

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 7316116f2896bb166389c4025699dd7109cf37f7fafd2711b49f87fe079c5a4b
Instruction ID: 7947a6dcedf0b2a909d11ce490598b4a3831c176922d1363f96648b27449fee2
Opcode Fuzzy Hash: 7316116f2896bb166389c4025699dd7109cf37f7fafd2711b49f87fe079c5a4b
Instruction Fuzzy Hash: C85156715097489BD320AF51EC86BABBBF8FF84300F91884DF1D9611A5EB318529CB67

Function 00EC5745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 00EC57E0
_wcslen.LIBCMT ref: 00EC57EC

Strings

CALLARGARRAY, xrefs: 00EC57E6, 00EC57EB

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 6a51a14cda3d83a9150e44fd0466cd1ea2ba03c0eeb27d516854c3c49b1bc853
Instruction ID: aa31f90762ecf853725af5829bd9ab4627bae54f905d97feefe91c543d45f42f
Opcode Fuzzy Hash: 6a51a14cda3d83a9150e44fd0466cd1ea2ba03c0eeb27d516854c3c49b1bc853
Instruction Fuzzy Hash: 75417F32A002059FCB18DFA8C982DAEBBF5EF59354B14606DF515B7251D731AD82CBA0

Function 00EBD0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00EBD130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00EBD13A

Strings

|, xrefs: 00EBD10B

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: ef46ab4ea963801ed14de2f674b7167030f31a1179d0624f9095edb15f572459
Instruction ID: 9e29d86a8b50da7e2d28df3774bd56f4ca26776f58f60cb4ed09fb040e8e1ecc
Opcode Fuzzy Hash: ef46ab4ea963801ed14de2f674b7167030f31a1179d0624f9095edb15f572459
Instruction Fuzzy Hash: A3311871D01219ABCF15EFA4DC85AEFBFB9FF09344F101019E815B6162EB31AA06DB61

Function 00ED356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00ED3621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00ED365C

Strings

static, xrefs: 00ED35BC

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 9e7802871b33ec0bc1befc819462bcaab08d7a1f2cc490d1d3dc4776adc94521
Instruction ID: bd377ffa44ca0ae24d931270e5e5e9c1b6c95a989c953e7171f96a4c0e9f34b7
Opcode Fuzzy Hash: 9e7802871b33ec0bc1befc819462bcaab08d7a1f2cc490d1d3dc4776adc94521
Instruction Fuzzy Hash: AA319071110604AEDB20DF38DC41EFB73A9FF48764F10A61AF9A5A7280DA31ED82D761

Function 00ED4537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 00ED461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00ED4634

Strings

', xrefs: 00ED458E

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: eaab1231e63d7d4fba61b9f057d594300d7f5743eef435ae8789e7331dd9fe24
Instruction ID: 3acbf01f238a222087ab89312cbe3ce6d97a111fefc7a8f45f4aeb2453246b23
Opcode Fuzzy Hash: eaab1231e63d7d4fba61b9f057d594300d7f5743eef435ae8789e7331dd9fe24
Instruction Fuzzy Hash: 9D3136B4A0120A9FDF14CFA9D981BDABBB5FF19304F14506AE915AB381D770E942CF90

Function 00ED31EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00ED327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00ED3287

Strings

Combobox, xrefs: 00ED3249

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 97df0d6d33b01a9c9c96153b6388d6b977e2a9ba987de7522c82473feacf9526
Instruction ID: bc2a86d4a7ce17867ffd0ce45cd9b9d21114241a04bf824fa4a1e5f3cf0fd0d3
Opcode Fuzzy Hash: 97df0d6d33b01a9c9c96153b6388d6b977e2a9ba987de7522c82473feacf9526
Instruction Fuzzy Hash: B611E6717002087FEF219E64DC80EBB375BEB54368F105126F514A73A0D631DD529761

Function 00ED3710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00E4600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00E4604C
Part of subcall function 00E4600E: GetStockObject.GDI32(00000011), ref: 00E46060
Part of subcall function 00E4600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00E4606A

GetWindowRect.USER32(00000000,?), ref: 00ED377A
GetSysColor.USER32(00000012), ref: 00ED3794

Strings

static, xrefs: 00ED3757

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 098288a9121bba36e2dc249e83ccfb15e470f3bda34828314007283d75e5178b
Instruction ID: c8cf64924c723a1720f81c760165d343c21dbfabb677c207a46dfe6e84a58cac
Opcode Fuzzy Hash: 098288a9121bba36e2dc249e83ccfb15e470f3bda34828314007283d75e5178b
Instruction Fuzzy Hash: 531156B261020AAFDF00DFB8DC46AEA7BF8FB08354F005926F955E2250E735E811DB60

Function 00EBCD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00EBCD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00EBCDA6

Strings

<local>, xrefs: 00EBCD66

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: f8b5c3d5059409741ae00ba3c945bf57dc49b9b63236e1aca839881d5b9bee53
Instruction ID: 4598f9587df83011c28640f385effd09bb292665bd3175198b70fd09f73ec428
Opcode Fuzzy Hash: f8b5c3d5059409741ae00ba3c945bf57dc49b9b63236e1aca839881d5b9bee53
Instruction Fuzzy Hash: 2A11C6792096327AD7344B668C45EE7BE6CEF527A8F60522AB149A3080D7709845D6F0

Function 00ED3429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00ED34AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00ED34BA

Strings

edit, xrefs: 00ED348F

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 5f30f6050efc630e1cdc681154858fe26a1ffcbb6b964a13a26cfb9ed1d91c91
Instruction ID: b5d35a4dbbea7d50cf90bb37105df8ee202284ede228c9b4fb240279d340c708
Opcode Fuzzy Hash: 5f30f6050efc630e1cdc681154858fe26a1ffcbb6b964a13a26cfb9ed1d91c91
Instruction Fuzzy Hash: 19118F71100208AFEF214E74EC44AEB37AAEB05778F606326F971A32D0C779DC569752

Function 00EA6C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00E49CB3: _wcslen.LIBCMT ref: 00E49CBD

CharUpperBuffW.USER32(?,?,?), ref: 00EA6CB6
_wcslen.LIBCMT ref: 00EA6CC2

Strings

STOP, xrefs: 00EA6CBC, 00EA6CC1

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 02c6ea1d6a59916bbb2a9829f9f87cd0bf80edd5e9b8a908e00e5e5a7ac3b149
Instruction ID: 8d8e8ae0e85dd5e8c5b6a0d360f718f22fb76c80889b6d4294fe085614bd8705
Opcode Fuzzy Hash: 02c6ea1d6a59916bbb2a9829f9f87cd0bf80edd5e9b8a908e00e5e5a7ac3b149
Instruction Fuzzy Hash: B20108326005278BCB20AFBDDC809BF73F4EF6B7647151924E462BA195EA31E900C650

Function 00EA1CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E49CB3: _wcslen.LIBCMT ref: 00E49CBD

Part of subcall function 00EA3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00EA3CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00EA1D4C

Strings

ListBox, xrefs: 00EA1D16
ComboBox, xrefs: 00EA1CEB

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: ea33eddc187e917535488184a96e17666a7c04bac5d381ee2d1e9c9ad690ef51
Instruction ID: 9290958704025a967a23dd35ae0de3e910e8d13fcb24479d18c9d7117d3bbbe6
Opcode Fuzzy Hash: ea33eddc187e917535488184a96e17666a7c04bac5d381ee2d1e9c9ad690ef51
Instruction Fuzzy Hash: 2301DD75A411146BCB08EBA4DC55CFFB7A8EB4B750F141559F8327B2C2DA3069089661

Function 00EA1BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E49CB3: _wcslen.LIBCMT ref: 00E49CBD

Part of subcall function 00EA3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00EA3CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00EA1C46

Strings

ListBox, xrefs: 00EA1C10
ComboBox, xrefs: 00EA1BE5

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: ec8faf27040514b6bb632098e07a93da6d445bf5f334e9b4df4034ea26cb5d01
Instruction ID: 5c2e13396629d93e2da47827307ef6c3bcd78d1d7a0c082cdde3d122b0ca2f4b
Opcode Fuzzy Hash: ec8faf27040514b6bb632098e07a93da6d445bf5f334e9b4df4034ea26cb5d01
Instruction Fuzzy Hash: C501FC75AC110466CB08E7A0DD51AFFF7E89B1A350F102015B4067B1C2EA20AE0CD6B2

Function 00EA1C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E49CB3: _wcslen.LIBCMT ref: 00E49CBD

Part of subcall function 00EA3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00EA3CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00EA1CC8

Strings

ListBox, xrefs: 00EA1C94
ComboBox, xrefs: 00EA1C69

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 30b671a2c9114b2a0fe6177ccfb1bb7ff11e1ce0b128efb3b10b5fb3a18a6aec
Instruction ID: e92989d0edaf5264cdcb1d7cdcba3caf58f19e7fe0bfe2a1950a78c280db5c09
Opcode Fuzzy Hash: 30b671a2c9114b2a0fe6177ccfb1bb7ff11e1ce0b128efb3b10b5fb3a18a6aec
Instruction Fuzzy Hash: 2B01DBB5A8111467CF08E7A4DE41AFFF7E89F1A750F142015B80177282EA60AF08D6B2

Function 00EA1D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E49CB3: _wcslen.LIBCMT ref: 00E49CBD

Part of subcall function 00EA3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00EA3CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00EA1DD3

Strings

ListBox, xrefs: 00EA1DA0
ComboBox, xrefs: 00EA1D75

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 70f430e988bb80531f26d442ef09d7b0766cac8c09f4d1385e1268842e8dfb86
Instruction ID: 537a94fb0bf7134c2acb020c152d94b589ce99bdae6aa537d28ddabd01a32ccb
Opcode Fuzzy Hash: 70f430e988bb80531f26d442ef09d7b0766cac8c09f4d1385e1268842e8dfb86
Instruction Fuzzy Hash: E6F0A971E4121466D704F7A4DD51AFFB7A8AF0A750F142915B422772C2DA60A9089661

Function 00EC747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00EC7493
_wcslen.LIBCMT ref: 00EC74B9

Strings

3, 3, 16, 1, xrefs: 00EC7483

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: 03e3b5fb4c48b5f3f9cf5b25ad3bc8cdadcc595fe2a2c25878b18e8d38cf900e
Instruction ID: 50301d8d6cd767563261378fef792c9ca4ba072525ea2120f104ef47c695cc4c
Opcode Fuzzy Hash: 03e3b5fb4c48b5f3f9cf5b25ad3bc8cdadcc595fe2a2c25878b18e8d38cf900e
Instruction Fuzzy Hash: B4E023416847111093351275ADC1F7F56C9EFC5790710381FF5D1E1196D655CD9353A1

Function 00EA0B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00EA0B23

Strings

Error allocating memory., xrefs: 00EA0B1C
AutoIt, xrefs: 00EA0B17

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 0ffe424098405411b73b78f547af6b07c8e789ef2fa1752a442e80e10fb681d6
Instruction ID: e02906922190620d2630f565ddb89958b4c7d4ea1802f2865b0aa297685611f9
Opcode Fuzzy Hash: 0ffe424098405411b73b78f547af6b07c8e789ef2fa1752a442e80e10fb681d6
Instruction Fuzzy Hash: FEE0D8312843092AD2143754BC03F897BC4CF05FA1F201427FB48795C38AD2645096AA

Function 00E60D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00E5F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00E60D71,?,?,?,00E4100A), ref: 00E5F7CE

IsDebuggerPresent.KERNEL32(?,?,?,00E4100A), ref: 00E60D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00E4100A), ref: 00E60D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00E60D7F

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 2354b399bc05fb1f5134adaf6967352b64075e8d8517b788689fb26b5d0b1675
Instruction ID: 2cf56bbf3dc93a1ba0754b34027d93944ff84448aceecd2361d7fa20997a3d2a
Opcode Fuzzy Hash: 2354b399bc05fb1f5134adaf6967352b64075e8d8517b788689fb26b5d0b1675
Instruction Fuzzy Hash: 48E06D702007118FD320DFB9F4043427BE4EB14795F009A2EE886E6765DBB0E448CB91

Function 00EB3017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 00EB302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00EB3044

Strings

aut, xrefs: 00EB3038

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 90d190593a44918596161014c23cc717ae715431e2aaa29c13d85cb138f084f0
Instruction ID: aae1dcb79f1b4d651246a440150005793c99785265ecbe46acd2a05e95d67987
Opcode Fuzzy Hash: 90d190593a44918596161014c23cc717ae715431e2aaa29c13d85cb138f084f0
Instruction Fuzzy Hash: 75D05B71501314AFDA20A795AC0DFC73B6CD704750F000252B655E20E1DAB4D544CAD0

Function 00E9D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00E9D220

Strings

%.3d, xrefs: 00E9D22B
X64, xrefs: 00E9D2A8

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: edef71415f64599753d4925bd53ba4c4286924dd6b910c77c7402e7233677155
Instruction ID: f65e2e8403e43f9de52d53cee7b2df8aeb97dd0a3ce9ccac959c6d5a3cf928b7
Opcode Fuzzy Hash: edef71415f64599753d4925bd53ba4c4286924dd6b910c77c7402e7233677155
Instruction Fuzzy Hash: EBD06265C0D129E9CF9097D0DD459F9B3BCEB18341F60A852FD06B1090E624D54CA761

Function 00ED2356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00ED236C
PostMessageW.USER32(00000000), ref: 00ED2373

Part of subcall function 00EAE97B: Sleep.KERNEL32 ref: 00EAE9F3

Strings

Shell_TrayWnd, xrefs: 00ED2365

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 8c604eb89821278880b7e3bb2d16ac5e445d952872d8e579169a0a261c4c9bfb
Instruction ID: fbc4acc27eb417b4e67923079191bb5cb28732ff265923e0af09d43453abc8f3
Opcode Fuzzy Hash: 8c604eb89821278880b7e3bb2d16ac5e445d952872d8e579169a0a261c4c9bfb
Instruction Fuzzy Hash: 90D0C9323823117AEA64A771AC0FFCA76589B45B50F1049167655FA1D0C9A0B805CA55

Function 00ED2322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00ED232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00ED233F

Part of subcall function 00EAE97B: Sleep.KERNEL32 ref: 00EAE9F3

Strings

Shell_TrayWnd, xrefs: 00ED2325

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: fd3bf77bd4edecb9e8c696050d8e34d7aec3dd52350d801c42c5cf08ce024b43
Instruction ID: 8045392fc2e695a8890c6b59cccdb03a07225d4fcea5dd817d7eb4cdaa533834
Opcode Fuzzy Hash: fd3bf77bd4edecb9e8c696050d8e34d7aec3dd52350d801c42c5cf08ce024b43
Instruction Fuzzy Hash: D1D0A932381310BAEA64A331AC0FFCA7A489B00B00F1009027205BA1D0C9A0A804CA00

Function 00E7BDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 00E7BE93
GetLastError.KERNEL32 ref: 00E7BEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00E7BEFC

Memory Dump Source

Source File: 00000000.00000002.1821107354.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1821046462.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821222872.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821310760.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821357261.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: e0c8f7bebfac49cffeef9b79875f85a7b546cb70c849af2b7f65ee0c626a372d
Instruction ID: ba0baa95fb0c4b1897bd14294864ef0be6c901c489c0665f19a40e3e03bce114
Opcode Fuzzy Hash: e0c8f7bebfac49cffeef9b79875f85a7b546cb70c849af2b7f65ee0c626a372d
Instruction Fuzzy Hash: A841F634701216AFCF258F65DC54BBA7BA4EF41B54F24A16AF95DBB2A1DB308C00DB50

Analysis Process: firefox.exePID: 7824, Parent PID: 7808COMMON

Executed Functions

Function 000000D6E1AF5B9E Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000003.1872281009.000000D6E1AF1000.00000020.00000800.00020000.00000000.sdmp, Offset: 000000D6E1AF1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_3_d6e1af1000_firefox.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f247ad51d3a20a8412014821acf604df3ff07f0fc8f01dd25e19fdd5ae32812
Instruction ID: 624d569a870adf2afdb63c66d4a6280ea0bb8afff75a1a17d9cbfd68d64d5c42
Opcode Fuzzy Hash: 8f247ad51d3a20a8412014821acf604df3ff07f0fc8f01dd25e19fdd5ae32812
Instruction Fuzzy Hash: AC11CE70208B0C8FCF99EF6CC8C4B643BA0FB2F300F24428AD459CB286C2369845DB65

Analysis Process: firefox.exePID: 7452, Parent PID: 7824COMMON

Execution Graph

Execution Coverage:	0.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	100%
Total number of Nodes:	6
Total number of Limit Nodes:	0

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 000001D26A6FA0F7 Relevance: 8.4, APIs: 1, Instructions: 6852nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL ref: 000001D26A6FA11C

Memory Dump Source

Source File: 00000010.00000002.3024530206.000001D26A6F7000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001D26A6F7000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1d26a6f7000_firefox.jbxd

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: a3d4a310f25344abd1978f5247c9d082b9ccbb3eaa73dfa71153365510a96fee
Instruction ID: b14303c16cb77c5c28bee8217e105d7b6ef9ccbffddd80ad1b004e31a5da7a8e
Opcode Fuzzy Hash: a3d4a310f25344abd1978f5247c9d082b9ccbb3eaa73dfa71153365510a96fee
Instruction Fuzzy Hash: 58A3C131614B498BDB2DDF29DC857EA77E6FBA5304F04422EDD4BC7251DB30EA428A81

Source: Joe Sandbox View	IP Address: 151.101.1.91 151.101.1.91
Source: Joe Sandbox View	IP Address: 34.149.100.209 34.149.100.209
Source: Joe Sandbox View	IP Address: 34.117.188.166 34.117.188.166

Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache

Source: firefox.exe, 0000000D.00000003.1946226908.000001DC38A3F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1876749161.000001DC3A3C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1972967841.000001DC3FFE5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2006180682.000001DC3FFE6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1995641462.000001DC3FFE5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1907892372.000001DC3FFEE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1974357722.000001DC3FC8F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1845056266.000001DC3FC8F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1907697807.000001DC402CF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1907892372.000001DC3FFEE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1974357722.000001DC3FC8F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1972967841.000001DC3FFE5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2006180682.000001DC3FFE6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1995641462.000001DC3FFE5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.2006263659.000001DC3FF69000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1907892372.000001DC3FF68000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1973312282.000001DC3FF68000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.2006263659.000001DC3FF69000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1907892372.000001DC3FF68000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1973312282.000001DC3FF68000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.2003129464.000001DC39BAD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://vk.com/,https://www.youtube.com/,https://ok.ru/,https://www.avito.ru/,https://www.aliexpress.com/,https://www.wikipedia.org/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1907892372.000001DC3FFEE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1974357722.000001DC3FC8F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1845056266.000001DC3FC8F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1907697807.000001DC402CF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1907892372.000001DC3FFEE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1974357722.000001DC3FC8F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.2003129464.000001DC39BAD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.2003129464.000001DC39BAD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.2003129464.000001DC39BAD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.2003129464.000001DC39BAD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000D.00000003.2003129464.000001DC39BAD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.2003129464.000001DC39BAD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.2003129464.000001DC39BAD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.2003129464.000001DC39BAD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.2003129464.000001DC39BAD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.2003129464.000001DC39BAD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.2003129464.000001DC39BAD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000D.00000003.2003129464.000001DC39BAD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.2003129464.000001DC39BAD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.2003129464.000001DC39BAD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000D.00000003.2003129464.000001DC39BAD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.2003129464.000001DC39BAD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.2003129464.000001DC39BAD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000D.00000003.2003129464.000001DC39BAD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1989163563.000001DC3F916000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2003129464.000001DC39BAD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3026057540.000001D26A903000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1989163563.000001DC3F916000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2003129464.000001DC39BAD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3026057540.000001D26A903000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000D.00000003.1989163563.000001DC3F916000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2003129464.000001DC39BAD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3026057540.000001D26A903000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1902131284.000001DC436ED000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1972967841.000001DC3FFE5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2006180682.000001DC3FFE6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.2011004257.000001DC38EF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1902131284.000001DC436ED000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1990292744.000001DC436EF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com- equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1914499332.000001DC3A1E8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: x://www.facebook.com/platform/impression.php equals www.facebook.com (Facebook)

Source: global traffic	DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic	DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic	DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: example.org
Source: global traffic	DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic	DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: shavar.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: push.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: support.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: us-west1.prod.sumo.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: telemetry-incoming.r53-2.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: firefox.settings.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.remote-settings.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.facebook.com
Source: global traffic	DNS traffic detected: DNS query: www.wikipedia.org
Source: global traffic	DNS traffic detected: DNS query: youtube-ui.l.google.com
Source: global traffic	DNS traffic detected: DNS query: star-mini.c10r.facebook.com
Source: global traffic	DNS traffic detected: DNS query: dyna.wikimedia.org
Source: global traffic	DNS traffic detected: DNS query: www.reddit.com
Source: global traffic	DNS traffic detected: DNS query: twitter.com
Source: global traffic	DNS traffic detected: DNS query: reddit.map.fastly.net
Source: global traffic	DNS traffic detected: DNS query: services.addons.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: normandy.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: normandy-cdn.services.mozilla.com

Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.4:49746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.4:49750 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49760 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49772 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49771 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49774 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.91:443 -> 192.168.2.4:49776 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.4:49775 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49779 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49780 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49781 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.4:49782 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49851 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49850 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49849 version: TLS 1.2

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49849 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49851
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49850
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49851 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49807
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49849
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49850 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50005 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50005
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_2a8e31d2-c61f-4da1-9ef7-265c5bccd399.json (copy)

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_2a8e31d2-c61f-4da1-9ef7-265c5bccd399.json.tmp

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

C:\Users\user\AppData\Local\Temp\tmpaddon

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite-shm

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Windows Analysis Report
file.exe

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre