Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1544421
MD5:	de264ba7680e76241175c16744682089
SHA1:	261ce9a5e94e01dd6b9b8b00112b95926317e2f7
SHA256:	3e8ebf0a9ae8d80c07751681b4da88bf36d9478b723b184c6d53c02a3bf24ee8
Tags:	exeuser-Bitsight
Infos:

Detection

Credential Flusher

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Credential Flusher

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Connects to many different domains

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

OS version to string mapping found (often used in BOTs)

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

file.exe (PID: 7384 cmdline: "C:\Users\user\Desktop\file.exe" MD5: DE264BA7680E76241175C16744682089)

taskkill.exe (PID: 7400 cmdline: taskkill /F /IM firefox.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7408 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7500 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7508 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7556 cmdline: taskkill /F /IM msedge.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7564 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7628 cmdline: taskkill /F /IM opera.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7636 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7692 cmdline: taskkill /F /IM brave.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7700 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

firefox.exe (PID: 7760 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7792 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7808 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 8048 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2288 -parentBuildID 20230927232528 -prefsHandle 2216 -prefMapHandle 2208 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {16b0dd87-cb53-4d7f-b59c-68651654e598} 7808 "\\.\pipe\gecko-crash-server-pipe.7808" 27144570910 socket MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7580 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4252 -parentBuildID 20230927232528 -prefsHandle 4128 -prefMapHandle 4272 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0fc749c5-51b2-47f8-8a6f-ee68df8536cf} 7808 "\\.\pipe\gecko-crash-server-pipe.7808" 27154f56210 rdd MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7736 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3068 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 4996 -prefMapHandle 4976 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {83397ebb-96fd-4a7a-b706-8ac66586f8d4} 7808 "\\.\pipe\gecko-crash-server-pipe.7808" 27155aa5710 utility MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: file.exe PID: 7384	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security

Code function: 0_2_001FEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_001FEAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001FED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_001FED6A

Source: C:\Users\user\Desktop\file.exe

0_2_001FEAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001EAA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_001EAA57

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00219576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00219576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_b12b794d-b
Source: file.exe, 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_68e3d2ac-8
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_bdd22463-b
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_0ed593dc-d

Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_000001F082D04BF7 NtQuerySystemInformation,		16_2_000001F082D04BF7
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_000001F0831DAE72 NtQuerySystemInformation,		16_2_000001F0831DAE72

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001ED5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_001ED5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001E1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_001E1201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001EE8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_001EE8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0018BF40	0_2_0018BF40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001F2046	0_2_001F2046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00188060	0_2_00188060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001E8298	0_2_001E8298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001BE4FF	0_2_001BE4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001B676B	0_2_001B676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00214873	0_2_00214873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001ACAA0	0_2_001ACAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0018CAF0	0_2_0018CAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0019CC39	0_2_0019CC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001B6DD9	0_2_001B6DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0019B119	0_2_0019B119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001891C0	0_2_001891C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001A1394	0_2_001A1394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001A1706	0_2_001A1706
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001A781B	0_2_001A781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00187920	0_2_00187920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0019997D	0_2_0019997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001A19B0	0_2_001A19B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001A7A4A	0_2_001A7A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001A1C77	0_2_001A1C77
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001A7CA7	0_2_001A7CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0020BE44	0_2_0020BE44
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001B9EEE	0_2_001B9EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001A1F32	0_2_001A1F32
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_000001F082D04BF7	16_2_000001F082D04BF7
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_000001F0831DAE72	16_2_000001F0831DAE72
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_000001F0831DB59C	16_2_000001F0831DB59C
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_000001F0831DAEB2	16_2_000001F0831DAEB2

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 0019F9F2 appears 31 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 001A0A30 appears 46 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal72.troj.evad.winEXE@34/34@67/12

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001F37B5 GetLastError,FormatMessageW,

0_2_001F37B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001E10BF AdjustTokenPrivileges,CloseHandle,		0_2_001E10BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001E16C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_001E16C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001F51CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_001F51CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001ED4DC CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_001ED4DC

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001F648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_001F648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001842A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_001842A2

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Mozilla\Firefox\SkeletonUILock-c388d246

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7700:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7636:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7508:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7408:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7564:120:WilError_03

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Temp\firefox

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: firefox.exe, 0000000D.00000003.1969077902.000002715EA1C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2003415259.00000271548A7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE timestamp BETWEEN date(:dateFrom) AND date(:dateTo);
Source: firefox.exe, 0000000D.00000003.1969077902.000002715EA1C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE events (id INTEGER PRIMARY KEY, type INTEGER NOT NULL, count INTEGER NOT NULL, timestamp DATE );
Source: firefox.exe, 0000000D.00000003.1969077902.000002715EA1C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: INSERT INTO events (type, count, timestamp) VALUES (:type, 1, date(:date));
Source: firefox.exe, 0000000D.00000003.1969077902.000002715EA1C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;
Source: firefox.exe, 0000000D.00000003.2003524942.000002715488F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1994223231.000002715488F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;
Source: firefox.exe, 0000000D.00000003.1969077902.000002715EA1C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;Fy6
Source: firefox.exe, 0000000D.00000003.1969077902.000002715EA1C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: UPDATE events SET count = count + 1 WHERE id = :id;-
Source: firefox.exe, 0000000D.00000003.1969077902.000002715EA1C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9'
Source: firefox.exe, 0000000D.00000003.1969077902.000002715EA1C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9
Source: firefox.exe, 0000000D.00000003.1969077902.000002715EA1C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE type = :type AND timestamp = date(:date);

Source: file.exe

ReversingLabs: Detection: 47%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2288 -parentBuildID 20230927232528 -prefsHandle 2216 -prefMapHandle 2208 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {16b0dd87-cb53-4d7f-b59c-68651654e598} 7808 "\\.\pipe\gecko-crash-server-pipe.7808" 27144570910 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4252 -parentBuildID 20230927232528 -prefsHandle 4128 -prefMapHandle 4272 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0fc749c5-51b2-47f8-8a6f-ee68df8536cf} 7808 "\\.\pipe\gecko-crash-server-pipe.7808" 27154f56210 rdd
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3068 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 4996 -prefMapHandle 4976 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {83397ebb-96fd-4a7a-b706-8ac66586f8d4} 7808 "\\.\pipe\gecko-crash-server-pipe.7808" 27155aa5710 utility
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2288 -parentBuildID 20230927232528 -prefsHandle 2216 -prefMapHandle 2208 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {16b0dd87-cb53-4d7f-b59c-68651654e598} 7808 "\\.\pipe\gecko-crash-server-pipe.7808" 27144570910 socket	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4252 -parentBuildID 20230927232528 -prefsHandle 4128 -prefMapHandle 4272 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0fc749c5-51b2-47f8-8a6f-ee68df8536cf} 7808 "\\.\pipe\gecko-crash-server-pipe.7808" 27154f56210 rdd	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3068 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 4996 -prefMapHandle 4976 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {83397ebb-96fd-4a7a-b706-8ac66586f8d4} 7808 "\\.\pipe\gecko-crash-server-pipe.7808" 27155aa5710 utility	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: webauthn.pdb source: firefox.exe, 0000000D.00000003.1996227454.0000027158901000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdbV source: gmpopenh264.dll.tmp.13.dr
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdb source: gmpopenh264.dll.tmp.13.dr
Source:	Binary string: webauthn.pdbGCTL source: firefox.exe, 0000000D.00000003.1996227454.0000027158901000.00000004.00000020.00020000.00000000.sdmp

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001842DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_001842DE

Source: gmpopenh264.dll.tmp.13.dr

Static PE information: section name: .rodata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001A0A76 push ecx; ret

0_2_001A0A89

Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp			Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)			Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0019F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_0019F98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00211C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00211C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-97054

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 16_2_000001F082D04BF7 rdtsc

16_2_000001F082D04BF7

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.6 %

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001EDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_001EDBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001F68EE FindFirstFileW,FindClose,	0_2_001F68EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001F698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_001F698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001ED076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_001ED076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001ED3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_001ED3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001F9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_001F9642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001F979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_001F979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001F9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_001F9B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001F5C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_001F5C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001842DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_001842DE

Source: firefox.exe, 0000000F.00000002.3019497774.00000252DB000000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll[
Source: firefox.exe, 0000000F.00000002.3014443703.00000252DAB8A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWp
Source: firefox.exe, 0000000F.00000002.3014443703.00000252DAB8A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWP
Source: firefox.exe, 00000010.00000002.3019058123.000001F083220000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllUD
Source: firefox.exe, 00000010.00000002.3012830852.000001F0828CA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW@b"
Source: firefox.exe, 00000010.00000002.3019058123.000001F083220000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.3017772482.00000276888E0000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.3013850465.000002768857A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: firefox.exe, 0000000F.00000002.3018774541.00000252DAF19000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: firefox.exe, 00000010.00000002.3019058123.000001F083220000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllrJ>e
Source: firefox.exe, 0000000F.00000002.3019497774.00000252DB000000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3019058123.000001F083220000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 16_2_000001F082D04BF7 rdtsc

16_2_000001F082D04BF7

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001FEAA2 BlockInput,

0_2_001FEAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001B2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_001B2622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001842DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_001842DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001A4CE8 mov eax, dword ptr fs:[00000030h]

0_2_001A4CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001E0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_001E0B62

Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001B2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_001B2622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001A083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_001A083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001A09D5 SetUnhandledExceptionFilter,	0_2_001A09D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001A0C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_001A0C21

Source: C:\Users\user\Desktop\file.exe

0_2_001E1201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001C2BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_001C2BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001EB226 SendInput,keybd_event,

0_2_001EB226

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_002022DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_002022DA

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

0_2_001E0B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001E1663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_001E1663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001A0698 cpuid

0_2_001A0698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001F8195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_001F8195

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001DD27A GetUserNameW,

0_2_001DD27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001BBB6F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_001BBB6F

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001842DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_001842DE

Stealing of Sensitive Information

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 7384, type: MEMORYSTR

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 7384, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00201204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00201204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00201806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00201806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	2 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Extra Window Memory Injection	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	1 DLL Side-Loading	NTDS	16 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 Extra Window Memory Injection	LSA Secrets	131 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Process Injection	1 Masquerading	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	2 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	47%	ReversingLabs	Win32.Trojan.CredentialFlusher
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	0%	ReversingLabs

Source	Detection	Scanner	Label
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	0%	URL Reputation	safe
http://detectportal.firefox.com/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	0%	URL Reputation	safe
https://datastudio.google.com/embed/reporting/	0%	URL Reputation	safe
http://www.mozilla.com0	0%	URL Reputation	safe
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	0%	URL Reputation	safe
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	0%	URL Reputation	safe
https://merino.services.mozilla.com/api/v1/suggest	0%	URL Reputation	safe
https://json-schema.org/draft/2019-09/schema.	0%	URL Reputation	safe
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	0%	URL Reputation	safe
https://www.leboncoin.fr/	0%	URL Reputation	safe
https://spocs.getpocket.com/spocs	0%	URL Reputation	safe
https://shavar.services.mozilla.com	0%	URL Reputation	safe
https://completion.amazon.com/search/complete?q=	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	0%	URL Reputation	safe
https://ads.stickyadstv.com/firefox-etp	0%	URL Reputation	safe
https://identity.mozilla.com/ids/ecosystem_telemetryU	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	0%	URL Reputation	safe
https://monitor.firefox.com/breach-details/	0%	URL Reputation	safe
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	0%	URL Reputation	safe
https://xhr.spec.whatwg.org/#sync-warning	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/addons/addon/	0%	URL Reputation	safe
https://tracking-protection-issues.herokuapp.com/new	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	0%	URL Reputation	safe
https://content-signature-2.cdn.mozilla.net/	0%	URL Reputation	safe
https://json-schema.org/draft/2020-12/schema/=	0%	URL Reputation	safe
https://app.adjust.com/167k4ih?campaign=firefox-desktop&adgroup=pb&creative=focus-omc172&redirect=ht	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	0%	URL Reputation	safe
https://api.accounts.firefox.com/v1	0%	URL Reputation	safe
https://ok.ru/	0%	URL Reputation	safe
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	0%	URL Reputation	safe
https://MD8.mozilla.org/1/m	0%	URL Reputation	safe
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	0%	URL Reputation	safe
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	0%	URL Reputation	safe
https://bugzilla.mo	0%	URL Reputation	safe
https://mitmdetection.services.mozilla.com/	0%	URL Reputation	safe
https://shavar.services.mozilla.com/	0%	URL Reputation	safe
https://spocs.getpocket.com/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	0%	URL Reputation	safe
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	0%	URL Reputation	safe
https://monitor.firefox.com/user/breach-stats?includeResolved=true	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1584464	0%	URL Reputation	safe
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	0%	URL Reputation	safe
https://monitor.firefox.com/user/dashboard	0%	URL Reputation	safe
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	0%	URL Reputation	safe
https://monitor.firefox.com/about	0%	URL Reputation	safe
https://account.bellmedia.c	0%	URL Reputation	safe
https://login.microsoftonline.com	0%	URL Reputation	safe
https://coverage.mozilla.org	0%	URL Reputation	safe
http://crl.thawte.com/ThawteTimestampingCA.crl0	0%	URL Reputation	safe
https://www.zhihu.com/	0%	URL Reputation	safe
http://x1.c.lencr.org/0	0%	URL Reputation	safe
http://x1.i.lencr.org/0	0%	URL Reputation	safe
https://infra.spec.whatwg.org/#ascii-whitespace	0%	URL Reputation	safe
https://blocked.cdn.mozilla.net/	0%	URL Reputation	safe
https://json-schema.org/draft/2019-09/schema	0%	URL Reputation	safe
http://developer.mozilla.org/en/docs/DOM:element.addEventListener	0%	URL Reputation	safe
https://duckduckgo.com/?t=ffab&q=	0%	URL Reputation	safe
https://profiler.firefox.com	0%	URL Reputation	safe
https://outlook.live.com/default.aspx?rru=compose&to=%s	0%	URL Reputation	safe
https://identity.mozilla.com/apps/relay	0%	URL Reputation	safe
https://mozilla.cloudflare-dns.com/dns-query	0%	URL Reputation	safe
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	0%	URL Reputation	safe
https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg	0%	URL Reputation	safe
https://contile.services.mozilla.com/v1/tiles	0%	URL Reputation	safe
https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/	0%	URL Reputation	safe
https://monitor.firefox.com/user/preferences	0%	URL Reputation	safe
https://screenshots.firefox.com/	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
example.org	93.184.215.14	true	false	unknown
star-mini.c10r.facebook.com	157.240.0.35	true	false	unknown
prod.classify-client.prod.webservices.mozgcp.net	35.190.72.216	true	false	unknown
prod.balrog.prod.cloudops.mozgcp.net	35.244.181.201	true	false	unknown
twitter.com	104.244.42.1	true	false	unknown
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82	true	false	unknown
services.addons.mozilla.org	151.101.129.91	true	false	unknown
dyna.wikimedia.org	185.15.59.224	true	false	unknown
prod.remote-settings.prod.webservices.mozgcp.net	34.149.100.209	true	false	unknown
contile.services.mozilla.com	34.117.188.166	true	false	unknown
youtube.com	142.250.185.238	true	false	unknown
prod.content-signature-chains.prod.webservices.mozgcp.net	34.160.144.191	true	false	unknown
youtube-ui.l.google.com	216.58.206.78	true	false	unknown
us-west1.prod.sumo.prod.webservices.mozgcp.net	34.149.128.2	true	false	unknown
reddit.map.fastly.net	151.101.193.140	true	false	unknown
ipv4only.arpa	192.0.0.170	true	false	unknown
prod.ads.prod.webservices.mozgcp.net	34.117.188.166	true	false	unknown
push.services.mozilla.com	34.107.243.93	true	false	unknown
normandy-cdn.services.mozilla.com	35.201.103.21	true	false	unknown
telemetry-incoming.r53-2.services.mozilla.com	34.120.208.123	true	false	unknown
www.reddit.com	unknown	unknown	false	unknown
spocs.getpocket.com	unknown	unknown	false	unknown
content-signature-2.cdn.mozilla.net	unknown	unknown	false	unknown
support.mozilla.org	unknown	unknown	false	unknown
firefox.settings.services.mozilla.com	unknown	unknown	false	unknown
www.youtube.com	unknown	unknown	false	unknown
www.facebook.com	unknown	unknown	false	unknown
detectportal.firefox.com	unknown	unknown	false	unknown
normandy.cdn.mozilla.net	unknown	unknown	false	unknown
shavar.services.mozilla.com	unknown	unknown	false	unknown
www.wikipedia.org	unknown	unknown	false	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://youtube.comZ	firefox.exe, 0000000D.00000003.1954020624.00002C5177903000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-	firefox.exe, 0000000F.00000002.3018272475.00000252DAE00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3018775017.000001F083190000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3017333441.0000027688800000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1678942	firefox.exe, 0000000D.00000003.1925320863.0000027151412000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	firefox.exe, 00000014.00000002.3014524913.00000276887C3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://detectportal.firefox.com/	firefox.exe, 0000000D.00000003.2003415259.00000271548A7000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	firefox.exe, 0000000F.00000002.3018272475.00000252DAE00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3018775017.000001F083190000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3017333441.0000027688800000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://datastudio.google.com/embed/reporting/	firefox.exe, 0000000D.00000003.1952035984.0000027155C62000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1915759808.0000027156B79000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1908314700.0000027156B78000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.mozilla.com0	gmpopenh264.dll.tmp.13.dr	false	URL Reputation: safe	unknown
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	firefox.exe, 0000000F.00000002.3015469353.00000252DADC9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3015133409.000001F082CE9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.3017977220.0000027688A03000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false	URL Reputation: safe	unknown
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	firefox.exe, 0000000D.00000003.1898612871.000002715C347000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1834497101.000002715C34D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://merino.services.mozilla.com/api/v1/suggest	firefox.exe, 0000000F.00000002.3015469353.00000252DAD72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3015133409.000001F082C86000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.3014524913.000002768878E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://json-schema.org/draft/2019-09/schema.	firefox.exe, 0000000D.00000003.1993309234.0000027154E44000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	firefox.exe, 0000000F.00000002.3018272475.00000252DAE00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3018775017.000001F083190000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3017333441.0000027688800000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.leboncoin.fr/	firefox.exe, 0000000D.00000003.1937953789.000002715C849000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1983649961.000002715C852000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1971560617.000002715C851000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://spocs.getpocket.com/spocs	firefox.exe, 0000000D.00000003.2003415259.00000271548A7000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/exec/obidos/external-search/?field-keywords=&ie=UTF-8&mode=blended&tag=mozill	firefox.exe, 0000000D.00000003.1938431488.000002715C4EB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1937134395.000002715CE96000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://shavar.services.mozilla.com	firefox.exe, 0000000D.00000003.1951731033.0000027155C9A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2002049440.0000027155C9A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://completion.amazon.com/search/complete?q=	firefox.exe, 0000000D.00000003.1798654568.0000027154077000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1798529934.000002715405A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1798400543.000002715403C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1798276065.000002715401F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1797923073.0000027153E00000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	firefox.exe, 0000000F.00000002.3018272475.00000252DAE00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3018775017.000001F083190000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3017333441.0000027688800000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ads.stickyadstv.com/firefox-etp	firefox.exe, 0000000D.00000003.1952081424.0000027155ADE000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://identity.mozilla.com/ids/ecosystem_telemetryU	firefox.exe, 0000000D.00000003.1976273586.000002715C810000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	firefox.exe, 0000000F.00000002.3018272475.00000252DAE00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3018775017.000001F083190000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3017333441.0000027688800000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/breach-details/	firefox.exe, 0000000F.00000002.3018272475.00000252DAE00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3018775017.000001F083190000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3017333441.0000027688800000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/w3c/csswg-drafts/issues/4650	firefox.exe, 0000000D.00000003.1939656208.000002715C233000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	firefox.exe, 0000000F.00000002.3018272475.00000252DAE00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3018775017.000001F083190000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3017333441.0000027688800000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://xhr.spec.whatwg.org/#sync-warning	firefox.exe, 0000000D.00000003.1838757068.000002715549B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/exec/obidos/external-search/	firefox.exe, 0000000D.00000003.1843038205.000002715C98E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1797923073.0000027153E00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2003415259.00000271548A7000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.msn.com	firefox.exe, 0000000D.00000003.1977833518.0000027157640000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1941356983.000002715763F000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://github.com/mozilla-services/screenshots	firefox.exe, 0000000D.00000003.1798654568.0000027154077000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1798529934.000002715405A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1798400543.000002715403C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1798276065.000002715401F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1797923073.0000027153E00000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://services.addons.mozilla.org/api/v4/addons/addon/	firefox.exe, 0000000F.00000002.3018272475.00000252DAE00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3018775017.000001F083190000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3017333441.0000027688800000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://tracking-protection-issues.herokuapp.com/new	firefox.exe, 0000000F.00000002.3018272475.00000252DAE00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3018775017.000001F083190000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3017333441.0000027688800000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	firefox.exe, 0000000F.00000002.3018272475.00000252DAE00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3018775017.000001F083190000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3017333441.0000027688800000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://youtube.com/	firefox.exe, 0000000D.00000003.1838261817.0000027156742000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1992837259.0000027154FD3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1985988486.00000271567D7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1838261817.00000271567D7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1948883479.00000271567D7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1998384557.0000027157BED000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2000146524.00000271567D7000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://content-signature-2.cdn.mozilla.net/	firefox.exe, 0000000D.00000003.1948883479.000002715672A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://json-schema.org/draft/2020-12/schema/=	firefox.exe, 0000000D.00000003.1993309234.0000027154E44000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94	firefox.exe, 0000000F.00000002.3015469353.00000252DADC9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3015133409.000001F082CE9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.3017977220.0000027688A03000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false		unknown
http://mozilla.org/0C	firefox.exe, 0000000D.00000003.1954126419.00002C3D79A04000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1954020624.00002C5177903000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1954234054.00001807B8B03000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://app.adjust.com/167k4ih?campaign=firefox-desktop&adgroup=pb&creative=focus-omc172&redirect=ht	firefox.exe, 0000000D.00000003.1936164468.000002715EA47000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	firefox.exe, 0000000F.00000002.3018272475.00000252DAE00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3018775017.000001F083190000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3017333441.0000027688800000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.accounts.firefox.com/v1	firefox.exe, 0000000F.00000002.3018272475.00000252DAE00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3018775017.000001F083190000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3017333441.0000027688800000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ok.ru/	firefox.exe, 0000000D.00000003.1981065685.0000027156496000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/	firefox.exe, 0000000D.00000003.1948883479.000002715672A000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/	firefox.exe, 0000000F.00000002.3018272475.00000252DAE00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3018775017.000001F083190000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3017333441.0000027688800000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	firefox.exe, 0000000F.00000002.3018272475.00000252DAE00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3018775017.000001F083190000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3017333441.0000027688800000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta	firefox.exe, 0000000F.00000002.3015469353.00000252DADC9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3015133409.000001F082CE9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.3017977220.0000027688A03000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false		unknown
http://ocsp.rootca1.amazontrust.com0:	firefox.exe, 0000000D.00000003.1838757068.000002715549B000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.youtube.com/	firefox.exe, 0000000D.00000003.1948883479.000002715672A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3015133409.000001F082C03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.3014524913.000002768870C000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	firefox.exe, 0000000F.00000002.3018272475.00000252DAE00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3018775017.000001F083190000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3017333441.0000027688800000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://MD8.mozilla.org/1/m	firefox.exe, 0000000D.00000003.1982901628.000002715C9B2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1937173961.000002715C9B1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1970399227.000002715C9B1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1842382430.000002715C9B1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.bbc.co.uk/	firefox.exe, 0000000D.00000003.1937953789.000002715C849000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1983649961.000002715C852000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1971560617.000002715C851000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://addons.mozilla.org/firefox/addon/to-google-translate/	firefox.exe, 0000000D.00000003.1968654416.000002715EA47000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1936164468.000002715EA47000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	firefox.exe, 00000014.00000002.3014524913.00000276887C3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://127.0.0.1:	firefox.exe, 0000000D.00000003.1941356983.00000271576D3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1977462018.00000271576D3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1990892200.00000271554EA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000002.3018272475.00000252DAE00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3018775017.000001F083190000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3017333441.0000027688800000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	firefox.exe, 0000000D.00000003.1927126444.0000027152627000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	firefox.exe, 0000000D.00000003.1847206660.00000271556D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mo	firefox.exe, 0000000D.00000003.1980920661.0000027156552000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1995342203.0000027154313000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mitmdetection.services.mozilla.com/	firefox.exe, 0000000F.00000002.3018272475.00000252DAE00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3018775017.000001F083190000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3017333441.0000027688800000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://youtube.com/account?=	recovery.jsonlz4.tmp.13.dr	false		unknown
https://shavar.services.mozilla.com/	firefox.exe, 0000000D.00000003.1988167179.0000027155CB0000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://spocs.getpocket.com/	firefox.exe, 0000000D.00000003.2003415259.00000271548A7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3015133409.000001F082C12000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.3014524913.0000027688713000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	firefox.exe, 0000000F.00000002.3018272475.00000252DAE00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3018775017.000001F083190000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3017333441.0000027688800000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	firefox.exe, 0000000F.00000002.3018272475.00000252DAE00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3018775017.000001F083190000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3017333441.0000027688800000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	firefox.exe, 0000000F.00000002.3018272475.00000252DAE00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3018775017.000001F083190000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3017333441.0000027688800000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.iqiyi.com/	firefox.exe, 0000000D.00000003.1937953789.000002715C849000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1981065685.0000027156496000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1983649961.000002715C852000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1971560617.000002715C851000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r	firefox.exe, 0000000F.00000002.3018272475.00000252DAE00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3018775017.000001F083190000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3017333441.0000027688800000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://monitor.firefox.com/user/breach-stats?includeResolved=true	firefox.exe, 0000000F.00000002.3018272475.00000252DAE00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3018775017.000001F083190000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3017333441.0000027688800000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	firefox.exe, 0000000F.00000002.3018272475.00000252DAE00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3018775017.000001F083190000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3017333441.0000027688800000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1584464	firefox.exe, 0000000D.00000003.1939656208.000002715C233000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	firefox.exe, 0000000F.00000002.3018272475.00000252DAE00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3018775017.000001F083190000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3017333441.0000027688800000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/user/dashboard	firefox.exe, 0000000F.00000002.3018272475.00000252DAE00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3018775017.000001F083190000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3017333441.0000027688800000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	firefox.exe, 0000000F.00000002.3018272475.00000252DAE00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3018775017.000001F083190000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3017333441.0000027688800000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/about	firefox.exe, 0000000F.00000002.3018272475.00000252DAE00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3018775017.000001F083190000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3017333441.0000027688800000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://mozilla.org/MPL/2.0/.	firefox.exe, 0000000D.00000003.2000146524.00000271567CD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1941356983.0000027157608000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1929229818.0000027154004000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1857064433.00000271559BE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1980703253.00000271565D8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1905988536.000002715537B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1978274480.0000027157608000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2002670251.0000027154FB7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1905331273.00000271559E4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1847206660.00000271556D2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1922246273.00000271556CD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1858288206.00000271559E5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1952035984.0000027155C62000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1939531883.000002715C274000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1934093364.000002715403B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1966783269.0000027154AFE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1973700815.000002715816F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1934873811.0000027152672000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2003820412.0000027154384000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1933156304.000002715496E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1992837259.0000027154F53000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://account.bellmedia.c	firefox.exe, 0000000D.00000003.1977833518.0000027157640000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1941356983.000002715763F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://youtube.com/	firefox.exe, 0000000D.00000003.1843038205.000002715C993000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1937173961.000002715C993000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://login.microsoftonline.com	firefox.exe, 0000000D.00000003.1980206675.0000027157517000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1977833518.0000027157640000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1948582191.000002715750F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1941356983.000002715763F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://coverage.mozilla.org	firefox.exe, 0000000F.00000002.3018272475.00000252DAE00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3018775017.000001F083190000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3017333441.0000027688800000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0	gmpopenh264.dll.tmp.13.dr	false	URL Reputation: safe	unknown
https://www.zhihu.com/	firefox.exe, 0000000D.00000003.1981065685.0000027156496000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1972780895.000002715C2DF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1938923330.000002715C2DF000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.c.lencr.org/0	firefox.exe, 0000000D.00000003.1987520134.0000027156445000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1939327196.000002715C2A0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1838757068.000002715549B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.i.lencr.org/0	firefox.exe, 0000000D.00000003.1987520134.0000027156445000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1939327196.000002715C2A0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1838757068.000002715549B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://infra.spec.whatwg.org/#ascii-whitespace	firefox.exe, 0000000D.00000003.1898612871.000002715C347000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1834497101.000002715C34D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://blocked.cdn.mozilla.net/	firefox.exe, 0000000F.00000002.3018272475.00000252DAE00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3018775017.000001F083190000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3017333441.0000027688800000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://json-schema.org/draft/2019-09/schema	firefox.exe, 0000000D.00000003.1983521011.000002715C85A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1971560617.000002715C85A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1937953789.000002715C85A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1839686862.0000027155F66000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://developer.mozilla.org/en/docs/DOM:element.addEventListener	firefox.exe, 0000000D.00000003.1838757068.000002715549B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/?t=ffab&q=	firefox.exe, 0000000D.00000003.1842382430.000002715C9B1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://profiler.firefox.com	firefox.exe, 0000000F.00000002.3018272475.00000252DAE00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3018775017.000001F083190000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3017333441.0000027688800000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://outlook.live.com/default.aspx?rru=compose&to=%s	firefox.exe, 0000000D.00000003.1800609032.0000027152633000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://identity.mozilla.com/apps/relay	firefox.exe, 0000000D.00000003.1989629436.00000271555E6000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mozilla.cloudflare-dns.com/dns-query	firefox.exe, 0000000F.00000002.3018272475.00000252DAE00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3018775017.000001F083190000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3017333441.0000027688800000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	firefox.exe, 0000000D.00000003.1976849434.00000271581CB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1939907804.00000271581B3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1973700815.00000271581B3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mail.yahoo.co.jp/compose/?To=%s	firefox.exe, 0000000D.00000003.1800609032.0000027152633000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://addons.mozilla.org/firefox/addon/reddit-enhancement-suite/	firefox.exe, 0000000D.00000003.1968654416.000002715EA47000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1936164468.000002715EA47000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg	firefox.exe, 0000000F.00000002.3015469353.00000252DADC9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3015133409.000001F082CE9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.3017977220.0000027688A03000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false	URL Reputation: safe	unknown
https://contile.services.mozilla.com/v1/tiles	firefox.exe, 0000000D.00000003.1938431488.000002715C457000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1972074501.000002715C4B9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1938431488.000002715C4B9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000002.3018272475.00000252DAE00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3018775017.000001F083190000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3017333441.0000027688800000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.co.uk/	firefox.exe, 0000000D.00000003.1937953789.000002715C849000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1983649961.000002715C852000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1971560617.000002715C851000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/	firefox.exe, 0000000D.00000003.1992056105.000002715509E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/user/preferences	firefox.exe, 0000000F.00000002.3018272475.00000252DAE00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3018775017.000001F083190000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3017333441.0000027688800000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://screenshots.firefox.com/	firefox.exe, 0000000D.00000003.1797923073.0000027153E00000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/search	firefox.exe, 0000000D.00000003.1843313045.00000271548F5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1798276065.000002715401F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1917052351.00000271558F9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1890763788.00000271558F9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1797923073.0000027153E00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2003415259.00000271548A7000.00000004.00000800.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
34.149.100.209	prod.remote-settings.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
151.101.129.91	services.addons.mozilla.org	United States	54113	FASTLYUS	false
34.107.243.93	push.services.mozilla.com	United States	15169	GOOGLEUS	false
142.250.185.238	youtube.com	United States	15169	GOOGLEUS	false
34.107.221.82	prod.detectportal.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
35.244.181.201	prod.balrog.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
34.117.188.166	contile.services.mozilla.com	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
35.201.103.21	normandy-cdn.services.mozilla.com	United States	15169	GOOGLEUS	false
35.190.72.216	prod.classify-client.prod.webservices.mozgcp.net	United States	15169	GOOGLEUS	false
34.160.144.191	prod.content-signature-chains.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.120.208.123	telemetry-incoming.r53-2.services.mozilla.com	United States	15169	GOOGLEUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1544421
Start date and time:	2024-10-29 12:03:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 19s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal72.troj.evad.winEXE@34/34@67/12
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 94% Number of executed functions: 40 Number of non-executed functions: 312
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.11.191.138, 54.185.230.140, 35.160.212.113, 2.22.61.59, 2.22.61.56, 142.250.186.142, 172.217.18.10, 142.250.185.74, 172.217.18.14
Excluded domains from analysis (whitelisted): fs.microsoft.com, shavar.prod.mozaws.net, ciscobinary.openh264.org, slscr.update.microsoft.com, otelrules.azureedge.net, incoming.telemetry.mozilla.org, ctldl.windowsupdate.com, a17.rackcdn.com.mdc.edgesuite.net, detectportal.prod.mozaws.net, aus5.mozilla.org, fe3cr.delivery.mp.microsoft.com, a19.dscg10.akamai.net, ocsp.digicert.com, redirector.gvt1.com, safebrowsing.googleapis.com, location.services.mozilla.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
07:04:21	API Interceptor	1x Sleep call for process: firefox.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
34.117.188.166	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.149.100.209	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
151.101.129.91	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.160.144.191	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
example.org	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
twitter.com	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
services.addons.mozilla.org	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
star-mini.c10r.facebook.com	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.253.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.253.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
ATGS-MMD-ASUS	la.bot.arm.elf	Get hash	malicious	Unknown	Browse	51.62.105.248
	https://drive.google.com/file/d/17u2rFuD1QXpsDx5iT2qtwqYKrUIXQ7Kt/view?usp=sharing	Get hash	malicious	Unknown	Browse	48.209.180.244
	la.bot.mips.elf	Get hash	malicious	Unknown	Browse	33.135.32.137
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	la.bot.sh4.elf	Get hash	malicious	Unknown	Browse	48.179.107.146
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	ppc.elf	Get hash	malicious	Unknown	Browse	48.145.200.199
	la.bot.powerpc.elf	Get hash	malicious	Unknown	Browse	48.203.148.3
	la.bot.arm.elf	Get hash	malicious	Unknown	Browse	48.249.90.27
	arm5.elf	Get hash	malicious	Unknown	Browse	33.128.163.124
FASTLYUS	http://dcrealestateclasses.com/sirmy359ka/logfds65475mnvn/0Px7KgmP2ER6zsKKoRahD/ZGFuaWVscGxvdHRlbEBxdWFudGV4YS5jb20=	Get hash	malicious	Unknown	Browse	151.101.194.137
	Jo Smalley shared _Harbour Healthcare Ltd Project_ with you..eml	Get hash	malicious	HTMLPhisher	Browse	199.232.214.172
	Jo Smalley shared _Harbour Healthcare Ltd Project_ with you..eml	Get hash	malicious	HTMLPhisher	Browse	199.232.214.172
	https://drive.google.com/file/d/17u2rFuD1QXpsDx5iT2qtwqYKrUIXQ7Kt/view?usp=sharing	Get hash	malicious	Unknown	Browse	151.101.129.229
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	https://dvhpkbq.sharing.bublup.com/mybublup/#/mystuff/001-f-cb6f5ea2-07bf-4021-a767-4b4547f8c10b/mixed?lid=001-si-_s1J1-rGiVhh	Get hash	malicious	HTMLPhisher	Browse	151.101.194.109
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	https://pub-75eadb7757ac4bf2ab3de7c52d2a4895.r2.dev/index.html#'+tFjvjBPh,document%5B'body'%5D%5B'appendChild'%5D(para)	Get hash	malicious	Unknown	Browse	151.101.2.137
	https://pub-75eadb7757ac4bf2ab3de7c52d2a4895.r2.dev/index.html#'+tFjvjBPh,document%5B'body'%5D%5B'appendChild'%5D(para)	Get hash	malicious	HTMLPhisher	Browse	151.101.66.137
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
ATGS-MMD-ASUS	la.bot.arm.elf	Get hash	malicious	Unknown	Browse	51.62.105.248
	https://drive.google.com/file/d/17u2rFuD1QXpsDx5iT2qtwqYKrUIXQ7Kt/view?usp=sharing	Get hash	malicious	Unknown	Browse	48.209.180.244
	la.bot.mips.elf	Get hash	malicious	Unknown	Browse	33.135.32.137
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	la.bot.sh4.elf	Get hash	malicious	Unknown	Browse	48.179.107.146
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	ppc.elf	Get hash	malicious	Unknown	Browse	48.145.200.199
	la.bot.powerpc.elf	Get hash	malicious	Unknown	Browse	48.203.148.3
	la.bot.arm.elf	Get hash	malicious	Unknown	Browse	48.249.90.27
	arm5.elf	Get hash	malicious	Unknown	Browse	33.128.163.124

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fb0aa01abe9d8e4037eb3473ca6e2dca	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_ba87280e-40a1-4d94-8670-38d6a937a716.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.182437857722125
Encrypted:	false
SSDEEP:	192:AjMXTVThTicbhbVbTbfbRbObtbyEl7nErWJA6WnSrDtTUd/SkDrh:AYjZ1icNhnzFSJkrVBnSrDhUd/H
MD5:	AC8104A348F7970C6423D4E2EE161AA2
SHA1:	D0E8885312A1F00E84AD1C2C448C8768ABE09AC9
SHA-256:	C9DBA7D457D6E874C26A5925FFF25DD17B26978BD5C753E28E1FE08ED4EEE53B
SHA-512:	724FA185CF97B6CC586C302D1CB207EDCB4B7F3ADD3D8E1CE0A8020177DA3DA165CF8B2E5F09601D90B112F2A481B10498A0A59E19FE352674D43FD78EF704EE
Malicious:	false
Preview:	{"type":"uninstall","id":"ba87280e-40a1-4d94-8670-38d6a937a716","creationDate":"2024-10-29T13:04:39.088Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"65e71c9e-6ac3-4903-9066-b134350de32c","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_ba87280e-40a1-4d94-8670-38d6a937a716.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.182437857722125
Encrypted:	false
SSDEEP:	192:AjMXTVThTicbhbVbTbfbRbObtbyEl7nErWJA6WnSrDtTUd/SkDrh:AYjZ1icNhnzFSJkrVBnSrDhUd/H
MD5:	AC8104A348F7970C6423D4E2EE161AA2
SHA1:	D0E8885312A1F00E84AD1C2C448C8768ABE09AC9
SHA-256:	C9DBA7D457D6E874C26A5925FFF25DD17B26978BD5C753E28E1FE08ED4EEE53B
SHA-512:	724FA185CF97B6CC586C302D1CB207EDCB4B7F3ADD3D8E1CE0A8020177DA3DA165CF8B2E5F09601D90B112F2A481B10498A0A59E19FE352674D43FD78EF704EE
Malicious:	false
Preview:	{"type":"uninstall","id":"ba87280e-40a1-4d94-8670-38d6a937a716","creationDate":"2024-10-29T13:04:39.088Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"65e71c9e-6ac3-4903-9066-b134350de32c","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ISO Media, MP4 Base Media v1 [ISO 14496-12:2003]
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.4593089050301797
Encrypted:	false
SSDEEP:	48:9SP0nUgwyZXYI65yFRX2D3GNTTfyn0Mk1iA:9SDKaIjo3UzyE1L
MD5:	D910AD167F0217587501FDCDB33CC544
SHA1:	2F57441CEFDC781011B53C1C5D29AC54835AFC1D
SHA-256:	E3699D9404A3FFC1AFF0CA8A3972DC0EF38BDAB927741E9F627C7C55CEA42E81
SHA-512:	F1871BF28FF25EE52BDB99C7A80AB715C7CAC164DCD2FD87E681168EE927FD2C5E80E03C91BB638D955A4627213BF575FF4D9EECAEDA7718C128CF2CE8F7CB3D
Malicious:	false
Preview:	... ftypisom....isomiso2avc1mp41....free....mdat..........E...H..,. .#..x264 - core 152 r2851 ba24899 - H.264/MPEG-4 AVC codec - Copyleft 2003-2017 - http://www.videolan.org/x264.html - options: cabac=1 ref=3 deblock=1:0:0 analyse=0x3:0x113 me=hex subme=7 psy=1 psy_rd=1.00:0.00 mixed_ref=1 me_range=16 chroma_me=1 trellis=1 8x8dct=1 cqm=0 deadzone=21,11 fast_pskip=1 chroma_qp_offset=-2 threads=4 lookahead_threads=1 sliced_threads=0 nr=0 decimate=1 interlaced=0 bluray_compat=0 constrained_intra=0 bframes=3 b_pyramid=2 b_adapt=1 b_bias=0 direct=1 weightb=1 open_gop=0 weightp=2 keyint=250 keyint_min=25 scenecut=40 intra_refresh=0 rc_lookahead=40 rc=crf mbtree=1 crf=23.0 qcomp=0.60 qpmin=0 qpmax=69 qpstep=4 ip_ratio=1.40 aq=1:1.00......e...+...s\|.kG3...'.u.."...,J.w.~.d\..(K....!.+..;....h....(.T.*...M......0..~L..8..B..A.y..R..,.zBP.';j.@.].w..........c......C=.'f....gI.$^.......m5V.L...{U..%V[....8......B..i..^,....:...,..5.m.%dA....moov...lmvhd...................(...........

C:\Users\user\AppData\Local\Temp\tmpaddon

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	453023
Entropy (8bit):	7.997718157581587
Encrypted:	true
SSDEEP:	12288:tESTeqTI2r4ZbCgUKWKNeRcPMb6qlV7hVZe3:tEsed2Xh9/bdzZe3
MD5:	85430BAED3398695717B0263807CF97C
SHA1:	FFFBEE923CEA216F50FCE5D54219A188A5100F41
SHA-256:	A9F4281F82B3579581C389E8583DC9F477C7FD0E20C9DFC91A2E611E21E3407E
SHA-512:	06511F1F6C6D44D076B3C593528C26A602348D9C41689DBF5FF716B671C3CA5756B12CB2E5869F836DEDCE27B1A5CFE79B93C707FD01F8E84B620923BB61B5F1
Malicious:	false
Preview:	PK.........bN...R..........gmpopenh264.dll..\|.E.0.=..I.....1....4f1q.`.........q.....'+....hm{.z..o_.{w........$..($A!...\|L...B&A2.s.{..Dd......c.U.U..9u.S...K.l`...../.d.-....\|.....&....9......wn..x......i.#O.+.Y.l......+....,3.3f..\..c.SSS,............N...GG...F.'.&.:'.K.Z&.>.@.g..M...M.`............ZR....^jg.G.Kb.o~va.....<Z..1.#.O.e.....D..X..i..$imBW..Q&.......P.....,M.,..:.c...-...\...........-i.K.I..4.a..6.....Ov=...W..F.CH.>...a.'.x...#@f...d..u.1....OV.1o}....g.5.._.3.J.Hi.Z.ipM....b.Z....%.G..F................/..3.q..J.....o...%.g.N..}..).3.N%.!..q........^I.m..~...6.#.~+.....A...I]r...x...<IYj....p0..`S.M@.E..f.=.;!.@.....E..E....... .0.n....Jd..d......uM.-.qI.lR..z..=}..r.D.XLZ....x.$..\|c.1.cUkM.&.Qn]..a]t.h...!.6 7..Jd.DvKJ"Wgd*%n...w...Jni.inmr.@M.$'Z.s....#)%..Rs..:.h....R....\..t.6..'.g.........Uj+F.cr:\|..!..K.W.Y...17......,....r.....>.N..3.R.Y.._\...Ir.DNJdM... .k...&V-....z.%...-...D..i..&...6....7.2T).>..0..%.&.

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.927582465847703
Encrypted:	false
SSDEEP:	48:YnSwkmrOfJNmPUFpOdwNIOdoWLEWLtkDLuuukx5FBvipA6kbbXjQthvLuhakNr9T:8S+OfJQPUFpOdwNIOdYVjvYcXaNL8A8P
MD5:	541C1C211792D89ABB598C3E4F671D73
SHA1:	1D0405F16F9573D25A7BE87376A31B2035677A78
SHA-256:	0C535FD432DEF5A3DA229D4AE97D54588AFCC92F9C6BC09092001B7511E4A267
SHA-512:	8BBB0D65F576780386DBC6408D9A64FF2DBC204F85DFDE631D51894B5DAED21CACB5CD1D6AC42C4E3B3D241D9F4B0211F48A620143382913F2F2552B82015850
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"c5d95379-f4ee-4629-a507-6f15a0e93cd4","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-03T11:50:29.548Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.927582465847703
Encrypted:	false
SSDEEP:	48:YnSwkmrOfJNmPUFpOdwNIOdoWLEWLtkDLuuukx5FBvipA6kbbXjQthvLuhakNr9T:8S+OfJQPUFpOdwNIOdYVjvYcXaNL8A8P
MD5:	541C1C211792D89ABB598C3E4F671D73
SHA1:	1D0405F16F9573D25A7BE87376A31B2035677A78
SHA-256:	0C535FD432DEF5A3DA229D4AE97D54588AFCC92F9C6BC09092001B7511E4A267
SHA-512:	8BBB0D65F576780386DBC6408D9A64FF2DBC204F85DFDE631D51894B5DAED21CACB5CD1D6AC42C4E3B3D241D9F4B0211F48A620143382913F2F2552B82015850
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"c5d95379-f4ee-4629-a507-6f15a0e93cd4","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-03T11:50:29.548Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 23432 bytes
Category:	dropped
Size (bytes):	5312
Entropy (8bit):	6.615424734763731
Encrypted:	false
SSDEEP:	96:V2YbKsKNU2xWrp327tGmD4wBON6h6cHaJVJuZMd0JGkkrw2D:VTx2x2t0FDJ4NpwZMd0EJws
MD5:	1B9C8056D3619CE5A8C59B0C09873F17
SHA1:	1015C630E1937AA63F6AB31743782ECB5D78CCD8
SHA-256:	A6AE5DE0733FED050AB570AD9374FF4593D554F695B5AE4E2495871D171D34A3
SHA-512:	B1DC9CC675D5476C270A2D5B214D3DF2B3856576ED7EFE92D9A606C2D9D34E781018902AE75CE9C1E25007BB7F8D8F7B52997E6F05B845EF44BAF22F614FE899
Malicious:	false
Preview:	mozLz40..[....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 23432 bytes
Category:	dropped
Size (bytes):	5312
Entropy (8bit):	6.615424734763731
Encrypted:	false
SSDEEP:	96:V2YbKsKNU2xWrp327tGmD4wBON6h6cHaJVJuZMd0JGkkrw2D:VTx2x2t0FDJ4NpwZMd0EJws
MD5:	1B9C8056D3619CE5A8C59B0C09873F17
SHA1:	1015C630E1937AA63F6AB31743782ECB5D78CCD8
SHA-256:	A6AE5DE0733FED050AB570AD9374FF4593D554F695B5AE4E2495871D171D34A3
SHA-512:	B1DC9CC675D5476C270A2D5B214D3DF2B3856576ED7EFE92D9A606C2D9D34E781018902AE75CE9C1E25007BB7F8D8F7B52997E6F05B845EF44BAF22F614FE899
Malicious:	false
Preview:	mozLz40..[....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 5, last written using SQLite version 3042000, page size 32768, file counter 5, database pages 8, cookie 0x6, schema 4, largest root page 8, UTF-8, vacuum mode 1, version-valid-for 5
Category:	dropped
Size (bytes):	262144
Entropy (8bit):	0.04905391753567332
Encrypted:	false
SSDEEP:	24:DLivwae+Q8Uu50xj0aWe9LxYkKA25Q5tvAA:D6wae+QtMImelekKDa5
MD5:	DD9D28E87ED57D16E65B14501B4E54D1
SHA1:	793839B47326441BE2D1336BA9A61C9B948C578D
SHA-256:	BB4E6C58C50BD6399ED70468C02B584595C29F010B66F864CD4D6B427FA365BC
SHA-512:	A2626F6A3CBADE62E38DA5987729D99830D0C6AA134D4A9E615026A5F18ACBB11A2C3C80917DAD76DA90ED5BAA9B0454D4A3C2DD04436735E78C974BA1D035B1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......\|....~.}.}z}-\|.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.185924656884556
Encrypted:	false
SSDEEP:	768:wI43DvfWXf4E6C4p4EC4Y4QfEWvM4B4QS4z4444XQ4U:wUfdvk
MD5:	5656BA69BD2966108A461AAE35F60226
SHA1:	9C2E5AE52D82CEA43C4A5FFF205A7700CF54D61C
SHA-256:	587596712960B26EAC18CB354CCD633FFDB218E374A9D59EFEA843914D7AB299
SHA-512:	38F715AD9156558B5D57CA2E75FB0FFE0C5C6728BD94484B8F15E090120DDD02DCE42DBC9CC7143AD6552460A5F3A40E577FAF1D76D5D40B25CDBE636F250054
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{60024e8e-cfd0-41e5-965d-7128c7dcf0e8}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.185924656884556
Encrypted:	false
SSDEEP:	768:wI43DvfWXf4E6C4p4EC4Y4QfEWvM4B4QS4z4444XQ4U:wUfdvk
MD5:	5656BA69BD2966108A461AAE35F60226
SHA1:	9C2E5AE52D82CEA43C4A5FFF205A7700CF54D61C
SHA-256:	587596712960B26EAC18CB354CCD633FFDB218E374A9D59EFEA843914D7AB299
SHA-512:	38F715AD9156558B5D57CA2E75FB0FFE0C5C6728BD94484B8F15E090120DDD02DCE42DBC9CC7143AD6552460A5F3A40E577FAF1D76D5D40B25CDBE636F250054
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{60024e8e-cfd0-41e5-965d-7128c7dcf0e8}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\permissions.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.07331823752770966
Encrypted:	false
SSDEEP:	12:DBl/A0OWla0mwPxRymgObsCVR45wcYR4fmnsCVR4zki:DLhesh7Owd4+ji
MD5:	00F9B09D97FDA36BDF7DA67E832B3F95
SHA1:	423F9F2631126703B6D84C5CFB24DAD668203924
SHA-256:	1088E4C31C5CEE5C0C355FCCABEF6725B708BDD88914FB5E6840413D9578F936
SHA-512:	B30F37980971EE92D19784CC02FADC741F27D41632A2E8E2F6123CBC5DE5B4909852FE6AF6C632EFD9E182A0ECB32919ADA85E58B7ADBF91DDBB606CAE5C0291
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......~s..F~s........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.035699946889726504
Encrypted:	false
SSDEEP:	3:GtlstFH0HwwAZvYtlstFH0HwwAZF/lJ89//alEl:GtWtZZZvYtWtZZZFtJ89XuM
MD5:	58F61A0DE05E6018DC4A9AE321C77F96
SHA1:	8E3C0683ED6B7FC982D9FD3B6B2ABEB6E7B88942
SHA-256:	A3555DABDE44C84A303856BBD244D1D244648E2974048CE1B95C1E17BAC0589C
SHA-512:	7D1E31E0D5D3456E9F9E20BDB45D136A6A1A107D4A9314C5B73FABA5BEE6E5900FCC13F57AA1488895E03BB60216ACBF94EAC4CF991D30090BEA78D4EA933A06
Malicious:	false
Preview:	..-.......................iAb3P.D_.\..u.....S..{..-.......................iAb3P.D_.\..u.....S..{........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-wal

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	dropped
Size (bytes):	32824
Entropy (8bit):	0.03981332616593857
Encrypted:	false
SSDEEP:	3:Ol10nJlCfh2MbKUv/X7l8rEXsxdwhml8XW3R2:KEuiql8dMhm93w
MD5:	EB4A6A52D7246A723131E4C242A3893E
SHA1:	6B56911ACED7E3CC9D703A13F4BE124F52A64163
SHA-256:	97B231B30398ACAFDAE7D691FDC9C4AFF55915D012115528B70D4B7DBC404E2A
SHA-512:	B9630CBDE0E3609414144C7C101AFCD826568E0F3CA287CCD439BBD6D92B3E7930A6E28289C0963608DD15405EB7AE57BDEBD4726F6F5312AC95D7DB2E5F413B
Malicious:	false
Preview:	7....-..........D_.\..u.2gbW.4Q.........D_.\..u.Ai...P3b................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs-1.js

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1809), with CRLF line terminators
Category:	dropped
Size (bytes):	13254
Entropy (8bit):	5.494485012642875
Encrypted:	false
SSDEEP:	192:SnaRtLYbBp6ihj4qyaaXV6KU3NgFD5RfGNBw8dQSl:Xegq3rdgFcwX0
MD5:	4D4768565E073779DC1FAE1EFA6AB027
SHA1:	B231464FDACA576098D422B9ACB491A86F01CD1A
SHA-256:	200EE0A55EDFD2EF93E185457A1E8DF600CEC40A0402690F31582F0192E069B8
SHA-512:	2A9D7424EE734EB0E5623A4CB5DFB225F50202D6712F37875026A12E244D04A16FCE1A875D8961AC05B57AB8F8915464F78AFA81963494FF62A447D1466253DD
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "57f16a19-e119-4073-bf01-28f88011f783");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1730207049);..user_pref("app.update.lastUpdateTime.background-update-timer", 1730207049);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1730207049);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173020

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1809), with CRLF line terminators
Category:	dropped
Size (bytes):	13254
Entropy (8bit):	5.494485012642875
Encrypted:	false
SSDEEP:	192:SnaRtLYbBp6ihj4qyaaXV6KU3NgFD5RfGNBw8dQSl:Xegq3rdgFcwX0
MD5:	4D4768565E073779DC1FAE1EFA6AB027
SHA1:	B231464FDACA576098D422B9ACB491A86F01CD1A
SHA-256:	200EE0A55EDFD2EF93E185457A1E8DF600CEC40A0402690F31582F0192E069B8
SHA-512:	2A9D7424EE734EB0E5623A4CB5DFB225F50202D6712F37875026A12E244D04A16FCE1A875D8961AC05B57AB8F8915464F78AFA81963494FF62A447D1466253DD
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "57f16a19-e119-4073-bf01-28f88011f783");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1730207049);..user_pref("app.update.lastUpdateTime.background-update-timer", 1730207049);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1730207049);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173020

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\protections.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 1, last written using SQLite version 3042000, page size 32768, file counter 5, database pages 2, cookie 0x1, schema 4, UTF-8, version-valid-for 5
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.04062825861060003
Encrypted:	false
SSDEEP:	6:ltBl/l4/WN1h4BEJYqWvLue3FMOrMZ0l:DBl/WuntfJiFxMZO
MD5:	18F65713B07CB441E6A98655B726D098
SHA1:	2CEFA32BC26B25BE81C411B60C9925CB0F1F8F88
SHA-256:	B6C268E48546B113551A5AF9CA86BB6A462A512DE6C9289315E125CEB0FD8621
SHA-512:	A6871076C7D7ED53B630F9F144ED04303AD54A2E60B94ECA2AA96964D1AB375EEFDCA86CE0D3EB0E9DBB81470C6BD159877125A080C95EB17E54A52427F805FB
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......x..x..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionCheckpoints.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionCheckpoints.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.baklz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1583
Entropy (8bit):	6.349103115763165
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSYLXnIg3/pnxQwRlszT5sKtUU3eHVQj6TOamhuS1JlOsIomNVr0aHX:GUpOxp5nR6+U3eHTOBJlIqd4
MD5:	BC3BD2394ABCC22B5779ADD1A6B6C151
SHA1:	B3C4C16BF53ECB4267D5C233514D610045DDB42E
SHA-256:	AB61FE4771BB0FC08BB81FB7CF675C613FD2F9FE3E378BB21D938151F0EB0EE4
SHA-512:	F9C4A6FC7719D46F85CA9F71EFF2A8A8B6A388CFA86A33385F522F3A26856ADD8E9F78F89A8B05E0FD0C5AAC2A8F8961AF6DD52B2B6B8EAF2FF8E2135BAA6E08
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{06c35af7-5541-4b44-960f-7dce4b4abc15}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1730207054863,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zD..1...Wm..l........j..:....1":{..mUpdate...startTim..P18894...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...A8bad2467092e6ddeb0dfa9e5ea54d86d26790ca7ba2ce88d10cb4604fe726755","path":"/","na..a"taarI\|.Recure...,`.Donly..fexpiry...27955,"originA...."f

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.jsonlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1583
Entropy (8bit):	6.349103115763165
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSYLXnIg3/pnxQwRlszT5sKtUU3eHVQj6TOamhuS1JlOsIomNVr0aHX:GUpOxp5nR6+U3eHTOBJlIqd4
MD5:	BC3BD2394ABCC22B5779ADD1A6B6C151
SHA1:	B3C4C16BF53ECB4267D5C233514D610045DDB42E
SHA-256:	AB61FE4771BB0FC08BB81FB7CF675C613FD2F9FE3E378BB21D938151F0EB0EE4
SHA-512:	F9C4A6FC7719D46F85CA9F71EFF2A8A8B6A388CFA86A33385F522F3A26856ADD8E9F78F89A8B05E0FD0C5AAC2A8F8961AF6DD52B2B6B8EAF2FF8E2135BAA6E08
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{06c35af7-5541-4b44-960f-7dce4b4abc15}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1730207054863,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zD..1...Wm..l........j..:....1":{..mUpdate...startTim..P18894...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...A8bad2467092e6ddeb0dfa9e5ea54d86d26790ca7ba2ce88d10cb4604fe726755","path":"/","na..a"taarI\|.Recure...,`.Donly..fexpiry...27955,"originA...."f

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.jsonlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1583
Entropy (8bit):	6.349103115763165
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSYLXnIg3/pnxQwRlszT5sKtUU3eHVQj6TOamhuS1JlOsIomNVr0aHX:GUpOxp5nR6+U3eHTOBJlIqd4
MD5:	BC3BD2394ABCC22B5779ADD1A6B6C151
SHA1:	B3C4C16BF53ECB4267D5C233514D610045DDB42E
SHA-256:	AB61FE4771BB0FC08BB81FB7CF675C613FD2F9FE3E378BB21D938151F0EB0EE4
SHA-512:	F9C4A6FC7719D46F85CA9F71EFF2A8A8B6A388CFA86A33385F522F3A26856ADD8E9F78F89A8B05E0FD0C5AAC2A8F8961AF6DD52B2B6B8EAF2FF8E2135BAA6E08
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{06c35af7-5541-4b44-960f-7dce4b4abc15}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1730207054863,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zD..1...Wm..l........j..:....1":{..mUpdate...startTim..P18894...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...A8bad2467092e6ddeb0dfa9e5ea54d86d26790ca7ba2ce88d10cb4604fe726755","path":"/","na..a"taarI\|.Recure...,`.Donly..fexpiry...27955,"originA...."f

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 131075, last written using SQLite version 3042000, page size 512, file counter 6, database pages 8, cookie 0x4, schema 4, UTF-8, version-valid-for 6
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	2.0836444556178684
Encrypted:	false
SSDEEP:	24:JBwdh/cEUcR9PzNFPFHx/GJRBdkOrDcRB1trwDeAq2gRMyxr3:jnEUo9LXtR+JdkOnohYsl
MD5:	8B40B1534FF0F4B533AF767EB5639A05
SHA1:	63EDB539EA39AD09D701A36B535C4C087AE08CC9
SHA-256:	AF275A19A5C2C682139266065D90C237282274D11C5619A121B7BDBDB252861B
SHA-512:	54AF707698CED33C206B1B193DA414D630901762E88E37E99885A50D4D5F8DDC28367C9B401DFE251CF0552B4FA446EE28F78A97C9096AFB0F2898BFBB673B53
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\targeting.snapshot.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.033091363683172
Encrypted:	false
SSDEEP:	48:YrSAYA6UQZpExB1+anOsW4Vh351VxWRzzc8eYMsku7f86SLAVL7if5FtsfAcbyJW:ycAyTEr5QFRzzcMvbw6KkCrrc2Rn27
MD5:	9E56B5A2D081924E0B1905DCCFD31979
SHA1:	E407E0C560DF97C685A5094AA48E4E757D57AD89
SHA-256:	9EE7F00E3CF79153B82BA3D12CC9AAF1796F06CCFD99054B0F4BE1EDB543D33B
SHA-512:	F0D6B1BAC50214148B6C87B86580AE6F38D491EB8AD4B24C9FB2BE2608DAC75724D05441B2ECB5178CFC89A0373D0B355D98E5CE8E5657569E0794DF27EAE3DF
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-10-29T13:03:58.920Z","profileAgeCreated":1696333826043,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\targeting.snapshot.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.033091363683172
Encrypted:	false
SSDEEP:	48:YrSAYA6UQZpExB1+anOsW4Vh351VxWRzzc8eYMsku7f86SLAVL7if5FtsfAcbyJW:ycAyTEr5QFRzzcMvbw6KkCrrc2Rn27
MD5:	9E56B5A2D081924E0B1905DCCFD31979
SHA1:	E407E0C560DF97C685A5094AA48E4E757D57AD89
SHA-256:	9EE7F00E3CF79153B82BA3D12CC9AAF1796F06CCFD99054B0F4BE1EDB543D33B
SHA-512:	F0D6B1BAC50214148B6C87B86580AE6F38D491EB8AD4B24C9FB2BE2608DAC75724D05441B2ECB5178CFC89A0373D0B355D98E5CE8E5657569E0794DF27EAE3DF
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-10-29T13:03:58.920Z","profileAgeCreated":1696333826043,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.584688980011825
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	919'552 bytes
MD5:	de264ba7680e76241175c16744682089
SHA1:	261ce9a5e94e01dd6b9b8b00112b95926317e2f7
SHA256:	3e8ebf0a9ae8d80c07751681b4da88bf36d9478b723b184c6d53c02a3bf24ee8
SHA512:	49ba6d11e2cf575605d83319278a0337e19909cc8b2df337363a0ce8357315eef3804ad56065ae20b770a88868d3230facb7161baee4481cce562162810212cd
SSDEEP:	12288:sqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDga/TB:sqDEvCTbMWu7rQYlBQcBiT6rprG8abB
TLSH:	83159E0273D1C062FFAB92334B5AF6515BBC69260123E61F13981DB9BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x6720BF28 [Tue Oct 29 10:55:36 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007FC5D490F403h
jmp 00007FC5D490ED0Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FC5D490EEEDh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FC5D490EEBAh
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007FC5D4911AADh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007FC5D4911AF8h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007FC5D4911AE1h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x9c28	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xde000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x9c28	0x9e00	fbb93b3b2922dcc6ca8b1ebd52f346b8	False	0.3156398338607595	data	5.373876908347875	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xde000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0xef0	data			1.0028765690376569
RT_GROUP_ICON	0xdd6a8	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xdd720	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xdd734	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xdd748	0x14	data	English	Great Britain	1.25
RT_VERSION	0xdd75c	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xdd838	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 29, 2024 12:04:15.642544985 CET	49736	443	192.168.2.4	35.190.72.216
Oct 29, 2024 12:04:15.642618895 CET	443	49736	35.190.72.216	192.168.2.4
Oct 29, 2024 12:04:15.647628069 CET	49736	443	192.168.2.4	35.190.72.216
Oct 29, 2024 12:04:15.652479887 CET	49736	443	192.168.2.4	35.190.72.216
Oct 29, 2024 12:04:15.652524948 CET	443	49736	35.190.72.216	192.168.2.4
Oct 29, 2024 12:04:16.295795918 CET	443	49736	35.190.72.216	192.168.2.4
Oct 29, 2024 12:04:16.297511101 CET	49736	443	192.168.2.4	35.190.72.216
Oct 29, 2024 12:04:16.306709051 CET	49736	443	192.168.2.4	35.190.72.216
Oct 29, 2024 12:04:16.306745052 CET	443	49736	35.190.72.216	192.168.2.4
Oct 29, 2024 12:04:16.306849003 CET	49736	443	192.168.2.4	35.190.72.216
Oct 29, 2024 12:04:16.306932926 CET	443	49736	35.190.72.216	192.168.2.4
Oct 29, 2024 12:04:16.307267904 CET	49736	443	192.168.2.4	35.190.72.216
Oct 29, 2024 12:04:17.732096910 CET	49738	443	192.168.2.4	142.250.185.238
Oct 29, 2024 12:04:17.732153893 CET	443	49738	142.250.185.238	192.168.2.4
Oct 29, 2024 12:04:17.732496977 CET	49738	443	192.168.2.4	142.250.185.238
Oct 29, 2024 12:04:17.733911037 CET	49738	443	192.168.2.4	142.250.185.238
Oct 29, 2024 12:04:17.733932018 CET	443	49738	142.250.185.238	192.168.2.4
Oct 29, 2024 12:04:17.823735952 CET	49739	80	192.168.2.4	34.107.221.82
Oct 29, 2024 12:04:17.824827909 CET	49740	443	192.168.2.4	142.250.185.238
Oct 29, 2024 12:04:17.824886084 CET	443	49740	142.250.185.238	192.168.2.4
Oct 29, 2024 12:04:17.829135895 CET	80	49739	34.107.221.82	192.168.2.4
Oct 29, 2024 12:04:17.830481052 CET	49740	443	192.168.2.4	142.250.185.238
Oct 29, 2024 12:04:17.830543995 CET	49739	80	192.168.2.4	34.107.221.82
Oct 29, 2024 12:04:17.834459066 CET	49740	443	192.168.2.4	142.250.185.238
Oct 29, 2024 12:04:17.834479094 CET	443	49740	142.250.185.238	192.168.2.4
Oct 29, 2024 12:04:17.834702015 CET	49739	80	192.168.2.4	34.107.221.82
Oct 29, 2024 12:04:17.840259075 CET	80	49739	34.107.221.82	192.168.2.4
Oct 29, 2024 12:04:17.985245943 CET	49741	443	192.168.2.4	34.117.188.166
Oct 29, 2024 12:04:17.985304117 CET	443	49741	34.117.188.166	192.168.2.4
Oct 29, 2024 12:04:17.987215996 CET	49741	443	192.168.2.4	34.117.188.166
Oct 29, 2024 12:04:17.988715887 CET	49741	443	192.168.2.4	34.117.188.166
Oct 29, 2024 12:04:17.988734961 CET	443	49741	34.117.188.166	192.168.2.4
Oct 29, 2024 12:04:18.028671026 CET	49742	443	192.168.2.4	34.117.188.166
Oct 29, 2024 12:04:18.028700113 CET	443	49742	34.117.188.166	192.168.2.4
Oct 29, 2024 12:04:18.029230118 CET	49742	443	192.168.2.4	34.117.188.166
Oct 29, 2024 12:04:18.030849934 CET	49742	443	192.168.2.4	34.117.188.166
Oct 29, 2024 12:04:18.030862093 CET	443	49742	34.117.188.166	192.168.2.4
Oct 29, 2024 12:04:18.048027992 CET	49743	443	192.168.2.4	35.244.181.201
Oct 29, 2024 12:04:18.048036098 CET	443	49743	35.244.181.201	192.168.2.4
Oct 29, 2024 12:04:18.050909042 CET	49743	443	192.168.2.4	35.244.181.201
Oct 29, 2024 12:04:18.051157951 CET	49743	443	192.168.2.4	35.244.181.201
Oct 29, 2024 12:04:18.051165104 CET	443	49743	35.244.181.201	192.168.2.4
Oct 29, 2024 12:04:18.426915884 CET	80	49739	34.107.221.82	192.168.2.4
Oct 29, 2024 12:04:18.469996929 CET	49739	80	192.168.2.4	34.107.221.82
Oct 29, 2024 12:04:18.542774916 CET	49744	443	192.168.2.4	34.160.144.191
Oct 29, 2024 12:04:18.542876005 CET	443	49744	34.160.144.191	192.168.2.4
Oct 29, 2024 12:04:18.542963028 CET	49744	443	192.168.2.4	34.160.144.191
Oct 29, 2024 12:04:18.543138027 CET	49744	443	192.168.2.4	34.160.144.191
Oct 29, 2024 12:04:18.543178082 CET	443	49744	34.160.144.191	192.168.2.4
Oct 29, 2024 12:04:18.613600969 CET	443	49741	34.117.188.166	192.168.2.4
Oct 29, 2024 12:04:18.616137028 CET	49741	443	192.168.2.4	34.117.188.166
Oct 29, 2024 12:04:18.621942997 CET	49741	443	192.168.2.4	34.117.188.166
Oct 29, 2024 12:04:18.621962070 CET	443	49741	34.117.188.166	192.168.2.4
Oct 29, 2024 12:04:18.622071028 CET	49741	443	192.168.2.4	34.117.188.166
Oct 29, 2024 12:04:18.622222900 CET	443	49741	34.117.188.166	192.168.2.4
Oct 29, 2024 12:04:18.622550011 CET	49746	443	192.168.2.4	34.117.188.166
Oct 29, 2024 12:04:18.622589111 CET	443	49746	34.117.188.166	192.168.2.4
Oct 29, 2024 12:04:18.624798059 CET	49741	443	192.168.2.4	34.117.188.166
Oct 29, 2024 12:04:18.624829054 CET	49746	443	192.168.2.4	34.117.188.166
Oct 29, 2024 12:04:18.626252890 CET	49746	443	192.168.2.4	34.117.188.166
Oct 29, 2024 12:04:18.626293898 CET	443	49746	34.117.188.166	192.168.2.4
Oct 29, 2024 12:04:18.632257938 CET	443	49738	142.250.185.238	192.168.2.4
Oct 29, 2024 12:04:18.632323027 CET	49738	443	192.168.2.4	142.250.185.238
Oct 29, 2024 12:04:18.632996082 CET	443	49738	142.250.185.238	192.168.2.4
Oct 29, 2024 12:04:18.633301020 CET	49738	443	192.168.2.4	142.250.185.238
Oct 29, 2024 12:04:18.636420965 CET	49747	80	192.168.2.4	34.107.221.82
Oct 29, 2024 12:04:18.637974977 CET	49738	443	192.168.2.4	142.250.185.238
Oct 29, 2024 12:04:18.637989998 CET	443	49738	142.250.185.238	192.168.2.4
Oct 29, 2024 12:04:18.638052940 CET	49738	443	192.168.2.4	142.250.185.238
Oct 29, 2024 12:04:18.638124943 CET	443	49738	142.250.185.238	192.168.2.4
Oct 29, 2024 12:04:18.638166904 CET	49738	443	192.168.2.4	142.250.185.238
Oct 29, 2024 12:04:18.641820908 CET	80	49747	34.107.221.82	192.168.2.4
Oct 29, 2024 12:04:18.642606974 CET	443	49742	34.117.188.166	192.168.2.4
Oct 29, 2024 12:04:18.644247055 CET	49742	443	192.168.2.4	34.117.188.166
Oct 29, 2024 12:04:18.644249916 CET	49747	80	192.168.2.4	34.107.221.82
Oct 29, 2024 12:04:18.646435976 CET	49747	80	192.168.2.4	34.107.221.82
Oct 29, 2024 12:04:18.651746988 CET	80	49747	34.107.221.82	192.168.2.4
Oct 29, 2024 12:04:18.653307915 CET	49742	443	192.168.2.4	34.117.188.166
Oct 29, 2024 12:04:18.653321028 CET	443	49742	34.117.188.166	192.168.2.4
Oct 29, 2024 12:04:18.653390884 CET	49742	443	192.168.2.4	34.117.188.166
Oct 29, 2024 12:04:18.653461933 CET	443	49742	34.117.188.166	192.168.2.4
Oct 29, 2024 12:04:18.653682947 CET	49748	443	192.168.2.4	34.117.188.166
Oct 29, 2024 12:04:18.653723955 CET	443	49748	34.117.188.166	192.168.2.4
Oct 29, 2024 12:04:18.653908014 CET	49742	443	192.168.2.4	34.117.188.166
Oct 29, 2024 12:04:18.653935909 CET	49748	443	192.168.2.4	34.117.188.166
Oct 29, 2024 12:04:18.655253887 CET	49748	443	192.168.2.4	34.117.188.166
Oct 29, 2024 12:04:18.655273914 CET	443	49748	34.117.188.166	192.168.2.4
Oct 29, 2024 12:04:18.659845114 CET	443	49743	35.244.181.201	192.168.2.4
Oct 29, 2024 12:04:18.659914970 CET	49743	443	192.168.2.4	35.244.181.201
Oct 29, 2024 12:04:18.739490986 CET	443	49740	142.250.185.238	192.168.2.4
Oct 29, 2024 12:04:18.739795923 CET	49740	443	192.168.2.4	142.250.185.238
Oct 29, 2024 12:04:18.740211010 CET	443	49740	142.250.185.238	192.168.2.4
Oct 29, 2024 12:04:18.740941048 CET	49740	443	192.168.2.4	142.250.185.238
Oct 29, 2024 12:04:18.765072107 CET	49743	443	192.168.2.4	35.244.181.201
Oct 29, 2024 12:04:18.765089989 CET	443	49743	35.244.181.201	192.168.2.4
Oct 29, 2024 12:04:18.765338898 CET	443	49743	35.244.181.201	192.168.2.4
Oct 29, 2024 12:04:18.769650936 CET	49743	443	192.168.2.4	35.244.181.201
Oct 29, 2024 12:04:18.769756079 CET	49743	443	192.168.2.4	35.244.181.201
Oct 29, 2024 12:04:18.769771099 CET	443	49743	35.244.181.201	192.168.2.4
Oct 29, 2024 12:04:18.770845890 CET	49743	443	192.168.2.4	35.244.181.201
Oct 29, 2024 12:04:18.770859003 CET	49743	443	192.168.2.4	35.244.181.201
Oct 29, 2024 12:04:18.772811890 CET	49740	443	192.168.2.4	142.250.185.238
Oct 29, 2024 12:04:18.772859097 CET	443	49740	142.250.185.238	192.168.2.4
Oct 29, 2024 12:04:18.772901058 CET	49740	443	192.168.2.4	142.250.185.238
Oct 29, 2024 12:04:18.773003101 CET	443	49740	142.250.185.238	192.168.2.4
Oct 29, 2024 12:04:18.777908087 CET	49740	443	192.168.2.4	142.250.185.238
Oct 29, 2024 12:04:18.840013981 CET	49739	80	192.168.2.4	34.107.221.82
Oct 29, 2024 12:04:18.845953941 CET	80	49739	34.107.221.82	192.168.2.4
Oct 29, 2024 12:04:18.846170902 CET	49739	80	192.168.2.4	34.107.221.82
Oct 29, 2024 12:04:18.933357954 CET	49749	80	192.168.2.4	34.107.221.82
Oct 29, 2024 12:04:18.938743114 CET	80	49749	34.107.221.82	192.168.2.4
Oct 29, 2024 12:04:18.941303015 CET	49749	80	192.168.2.4	34.107.221.82
Oct 29, 2024 12:04:18.941425085 CET	49749	80	192.168.2.4	34.107.221.82
Oct 29, 2024 12:04:18.946753979 CET	80	49749	34.107.221.82	192.168.2.4
Oct 29, 2024 12:04:19.152400017 CET	443	49744	34.160.144.191	192.168.2.4
Oct 29, 2024 12:04:19.152479887 CET	49744	443	192.168.2.4	34.160.144.191
Oct 29, 2024 12:04:19.155422926 CET	49744	443	192.168.2.4	34.160.144.191
Oct 29, 2024 12:04:19.155450106 CET	443	49744	34.160.144.191	192.168.2.4
Oct 29, 2024 12:04:19.155667067 CET	443	49744	34.160.144.191	192.168.2.4
Oct 29, 2024 12:04:19.157864094 CET	49744	443	192.168.2.4	34.160.144.191
Oct 29, 2024 12:04:19.157994986 CET	443	49744	34.160.144.191	192.168.2.4
Oct 29, 2024 12:04:19.158035040 CET	49744	443	192.168.2.4	34.160.144.191
Oct 29, 2024 12:04:19.158051968 CET	443	49744	34.160.144.191	192.168.2.4
Oct 29, 2024 12:04:19.158382893 CET	49750	443	192.168.2.4	34.160.144.191
Oct 29, 2024 12:04:19.158432961 CET	49744	443	192.168.2.4	34.160.144.191
Oct 29, 2024 12:04:19.158473015 CET	443	49750	34.160.144.191	192.168.2.4
Oct 29, 2024 12:04:19.158585072 CET	49750	443	192.168.2.4	34.160.144.191
Oct 29, 2024 12:04:19.158750057 CET	49750	443	192.168.2.4	34.160.144.191
Oct 29, 2024 12:04:19.158788919 CET	443	49750	34.160.144.191	192.168.2.4
Oct 29, 2024 12:04:19.252825975 CET	443	49746	34.117.188.166	192.168.2.4
Oct 29, 2024 12:04:19.252914906 CET	49746	443	192.168.2.4	34.117.188.166
Oct 29, 2024 12:04:19.253617048 CET	80	49747	34.107.221.82	192.168.2.4
Oct 29, 2024 12:04:19.255875111 CET	49747	80	192.168.2.4	34.107.221.82
Oct 29, 2024 12:04:19.259932995 CET	49746	443	192.168.2.4	34.117.188.166
Oct 29, 2024 12:04:19.259953022 CET	443	49746	34.117.188.166	192.168.2.4
Oct 29, 2024 12:04:19.259990931 CET	49746	443	192.168.2.4	34.117.188.166
Oct 29, 2024 12:04:19.260133028 CET	443	49746	34.117.188.166	192.168.2.4
Oct 29, 2024 12:04:19.260189056 CET	49746	443	192.168.2.4	34.117.188.166
Oct 29, 2024 12:04:19.262070894 CET	80	49747	34.107.221.82	192.168.2.4
Oct 29, 2024 12:04:19.262156963 CET	49747	80	192.168.2.4	34.107.221.82
Oct 29, 2024 12:04:19.277724981 CET	443	49748	34.117.188.166	192.168.2.4
Oct 29, 2024 12:04:19.277793884 CET	49748	443	192.168.2.4	34.117.188.166
Oct 29, 2024 12:04:19.282419920 CET	49748	443	192.168.2.4	34.117.188.166
Oct 29, 2024 12:04:19.282433033 CET	443	49748	34.117.188.166	192.168.2.4
Oct 29, 2024 12:04:19.282505035 CET	49748	443	192.168.2.4	34.117.188.166
Oct 29, 2024 12:04:19.282944918 CET	443	49748	34.117.188.166	192.168.2.4
Oct 29, 2024 12:04:19.282996893 CET	49748	443	192.168.2.4	34.117.188.166
Oct 29, 2024 12:04:19.420825005 CET	49751	443	192.168.2.4	34.117.188.166
Oct 29, 2024 12:04:19.420845032 CET	443	49751	34.117.188.166	192.168.2.4
Oct 29, 2024 12:04:19.426680088 CET	49751	443	192.168.2.4	34.117.188.166
Oct 29, 2024 12:04:19.428173065 CET	49751	443	192.168.2.4	34.117.188.166
Oct 29, 2024 12:04:19.428184986 CET	443	49751	34.117.188.166	192.168.2.4
Oct 29, 2024 12:04:19.528903008 CET	80	49749	34.107.221.82	192.168.2.4
Oct 29, 2024 12:04:19.587718010 CET	49749	80	192.168.2.4	34.107.221.82
Oct 29, 2024 12:04:19.796641111 CET	443	49750	34.160.144.191	192.168.2.4
Oct 29, 2024 12:04:19.803334951 CET	443	49750	34.160.144.191	192.168.2.4
Oct 29, 2024 12:04:19.810317039 CET	49750	443	192.168.2.4	34.160.144.191
Oct 29, 2024 12:04:19.813694000 CET	49750	443	192.168.2.4	34.160.144.191
Oct 29, 2024 12:04:19.813721895 CET	443	49750	34.160.144.191	192.168.2.4
Oct 29, 2024 12:04:19.813967943 CET	443	49750	34.160.144.191	192.168.2.4
Oct 29, 2024 12:04:19.815840960 CET	49750	443	192.168.2.4	34.160.144.191
Oct 29, 2024 12:04:19.815917015 CET	49750	443	192.168.2.4	34.160.144.191
Oct 29, 2024 12:04:19.815978050 CET	443	49750	34.160.144.191	192.168.2.4
Oct 29, 2024 12:04:19.816081047 CET	49750	443	192.168.2.4	34.160.144.191
Oct 29, 2024 12:04:19.816109896 CET	49750	443	192.168.2.4	34.160.144.191
Oct 29, 2024 12:04:19.816145897 CET	49750	443	192.168.2.4	34.160.144.191
Oct 29, 2024 12:04:20.054774046 CET	443	49751	34.117.188.166	192.168.2.4
Oct 29, 2024 12:04:20.055639029 CET	49751	443	192.168.2.4	34.117.188.166
Oct 29, 2024 12:04:20.060419083 CET	49751	443	192.168.2.4	34.117.188.166
Oct 29, 2024 12:04:20.060422897 CET	443	49751	34.117.188.166	192.168.2.4
Oct 29, 2024 12:04:20.060539007 CET	49751	443	192.168.2.4	34.117.188.166
Oct 29, 2024 12:04:20.060673952 CET	443	49751	34.117.188.166	192.168.2.4
Oct 29, 2024 12:04:20.060795069 CET	49751	443	192.168.2.4	34.117.188.166
Oct 29, 2024 12:04:20.060889959 CET	49753	443	192.168.2.4	34.117.188.166
Oct 29, 2024 12:04:20.060919046 CET	443	49753	34.117.188.166	192.168.2.4
Oct 29, 2024 12:04:20.061050892 CET	49753	443	192.168.2.4	34.117.188.166
Oct 29, 2024 12:04:20.062453985 CET	49753	443	192.168.2.4	34.117.188.166
Oct 29, 2024 12:04:20.062468052 CET	443	49753	34.117.188.166	192.168.2.4
Oct 29, 2024 12:04:20.098144054 CET	49754	80	192.168.2.4	34.107.221.82
Oct 29, 2024 12:04:20.103487015 CET	80	49754	34.107.221.82	192.168.2.4
Oct 29, 2024 12:04:20.105391979 CET	49754	80	192.168.2.4	34.107.221.82
Oct 29, 2024 12:04:20.107232094 CET	49754	80	192.168.2.4	34.107.221.82
Oct 29, 2024 12:04:20.113219976 CET	80	49754	34.107.221.82	192.168.2.4
Oct 29, 2024 12:04:20.675071955 CET	443	49753	34.117.188.166	192.168.2.4
Oct 29, 2024 12:04:20.675148010 CET	49753	443	192.168.2.4	34.117.188.166
Oct 29, 2024 12:04:20.682034016 CET	49753	443	192.168.2.4	34.117.188.166
Oct 29, 2024 12:04:20.682044029 CET	443	49753	34.117.188.166	192.168.2.4
Oct 29, 2024 12:04:20.682188988 CET	49753	443	192.168.2.4	34.117.188.166
Oct 29, 2024 12:04:20.682290077 CET	443	49753	34.117.188.166	192.168.2.4
Oct 29, 2024 12:04:20.682385921 CET	49753	443	192.168.2.4	34.117.188.166
Oct 29, 2024 12:04:20.735722065 CET	80	49754	34.107.221.82	192.168.2.4
Oct 29, 2024 12:04:20.789788961 CET	49754	80	192.168.2.4	34.107.221.82
Oct 29, 2024 12:04:22.967993021 CET	49749	80	192.168.2.4	34.107.221.82
Oct 29, 2024 12:04:22.973366022 CET	80	49749	34.107.221.82	192.168.2.4
Oct 29, 2024 12:04:23.091083050 CET	80	49749	34.107.221.82	192.168.2.4
Oct 29, 2024 12:04:23.106410980 CET	49754	80	192.168.2.4	34.107.221.82
Oct 29, 2024 12:04:23.111845016 CET	80	49754	34.107.221.82	192.168.2.4
Oct 29, 2024 12:04:23.139137983 CET	49749	80	192.168.2.4	34.107.221.82
Oct 29, 2024 12:04:23.184359074 CET	49756	443	192.168.2.4	34.107.243.93
Oct 29, 2024 12:04:23.184401035 CET	443	49756	34.107.243.93	192.168.2.4
Oct 29, 2024 12:04:23.184874058 CET	49756	443	192.168.2.4	34.107.243.93
Oct 29, 2024 12:04:23.186362028 CET	49756	443	192.168.2.4	34.107.243.93
Oct 29, 2024 12:04:23.186382055 CET	443	49756	34.107.243.93	192.168.2.4
Oct 29, 2024 12:04:23.238010883 CET	80	49754	34.107.221.82	192.168.2.4
Oct 29, 2024 12:04:23.291749001 CET	49754	80	192.168.2.4	34.107.221.82
Oct 29, 2024 12:04:23.796603918 CET	443	49756	34.107.243.93	192.168.2.4
Oct 29, 2024 12:04:23.796864986 CET	49756	443	192.168.2.4	34.107.243.93
Oct 29, 2024 12:04:23.801405907 CET	49756	443	192.168.2.4	34.107.243.93
Oct 29, 2024 12:04:23.801414013 CET	443	49756	34.107.243.93	192.168.2.4
Oct 29, 2024 12:04:23.801506996 CET	49756	443	192.168.2.4	34.107.243.93
Oct 29, 2024 12:04:23.801619053 CET	443	49756	34.107.243.93	192.168.2.4
Oct 29, 2024 12:04:23.801768064 CET	49756	443	192.168.2.4	34.107.243.93
Oct 29, 2024 12:04:27.486207008 CET	49760	443	192.168.2.4	34.120.208.123
Oct 29, 2024 12:04:27.486243010 CET	443	49760	34.120.208.123	192.168.2.4
Oct 29, 2024 12:04:27.486308098 CET	49760	443	192.168.2.4	34.120.208.123
Oct 29, 2024 12:04:27.487725973 CET	49760	443	192.168.2.4	34.120.208.123
Oct 29, 2024 12:04:27.487749100 CET	443	49760	34.120.208.123	192.168.2.4
Oct 29, 2024 12:04:28.100182056 CET	443	49760	34.120.208.123	192.168.2.4
Oct 29, 2024 12:04:28.100266933 CET	49760	443	192.168.2.4	34.120.208.123
Oct 29, 2024 12:04:29.668119907 CET	49749	80	192.168.2.4	34.107.221.82
Oct 29, 2024 12:04:29.670819044 CET	49760	443	192.168.2.4	34.120.208.123
Oct 29, 2024 12:04:29.670836926 CET	443	49760	34.120.208.123	192.168.2.4
Oct 29, 2024 12:04:29.670969963 CET	49760	443	192.168.2.4	34.120.208.123
Oct 29, 2024 12:04:29.671093941 CET	443	49760	34.120.208.123	192.168.2.4
Oct 29, 2024 12:04:29.672709942 CET	49760	443	192.168.2.4	34.120.208.123
Oct 29, 2024 12:04:29.673537016 CET	80	49749	34.107.221.82	192.168.2.4
Oct 29, 2024 12:04:29.791737080 CET	80	49749	34.107.221.82	192.168.2.4
Oct 29, 2024 12:04:29.841988087 CET	49749	80	192.168.2.4	34.107.221.82
Oct 29, 2024 12:04:30.115741968 CET	49763	443	192.168.2.4	34.120.208.123
Oct 29, 2024 12:04:30.115830898 CET	443	49763	34.120.208.123	192.168.2.4
Oct 29, 2024 12:04:30.116050005 CET	49763	443	192.168.2.4	34.120.208.123
Oct 29, 2024 12:04:30.117453098 CET	49763	443	192.168.2.4	34.120.208.123
Oct 29, 2024 12:04:30.117490053 CET	443	49763	34.120.208.123	192.168.2.4
Oct 29, 2024 12:04:30.124939919 CET	49754	80	192.168.2.4	34.107.221.82
Oct 29, 2024 12:04:30.130206108 CET	80	49754	34.107.221.82	192.168.2.4
Oct 29, 2024 12:04:30.174565077 CET	49764	443	192.168.2.4	35.244.181.201
Oct 29, 2024 12:04:30.174622059 CET	443	49764	35.244.181.201	192.168.2.4
Oct 29, 2024 12:04:30.175348997 CET	49764	443	192.168.2.4	35.244.181.201
Oct 29, 2024 12:04:30.175476074 CET	49764	443	192.168.2.4	35.244.181.201
Oct 29, 2024 12:04:30.175498962 CET	443	49764	35.244.181.201	192.168.2.4
Oct 29, 2024 12:04:30.259721994 CET	80	49754	34.107.221.82	192.168.2.4
Oct 29, 2024 12:04:30.271853924 CET	49765	443	192.168.2.4	34.149.100.209
Oct 29, 2024 12:04:30.271888971 CET	443	49765	34.149.100.209	192.168.2.4
Oct 29, 2024 12:04:30.272243977 CET	49765	443	192.168.2.4	34.149.100.209
Oct 29, 2024 12:04:30.273678064 CET	49765	443	192.168.2.4	34.149.100.209
Oct 29, 2024 12:04:30.273691893 CET	443	49765	34.149.100.209	192.168.2.4
Oct 29, 2024 12:04:30.312161922 CET	49754	80	192.168.2.4	34.107.221.82
Oct 29, 2024 12:04:30.716959000 CET	443	49763	34.120.208.123	192.168.2.4
Oct 29, 2024 12:04:30.717154980 CET	49763	443	192.168.2.4	34.120.208.123
Oct 29, 2024 12:04:30.721306086 CET	49763	443	192.168.2.4	34.120.208.123
Oct 29, 2024 12:04:30.721342087 CET	443	49763	34.120.208.123	192.168.2.4
Oct 29, 2024 12:04:30.721395969 CET	49763	443	192.168.2.4	34.120.208.123
Oct 29, 2024 12:04:30.721504927 CET	443	49763	34.120.208.123	192.168.2.4
Oct 29, 2024 12:04:30.721801043 CET	49763	443	192.168.2.4	34.120.208.123
Oct 29, 2024 12:04:30.792893887 CET	443	49764	35.244.181.201	192.168.2.4
Oct 29, 2024 12:04:30.793045998 CET	49764	443	192.168.2.4	35.244.181.201
Oct 29, 2024 12:04:30.795819044 CET	49764	443	192.168.2.4	35.244.181.201
Oct 29, 2024 12:04:30.795834064 CET	443	49764	35.244.181.201	192.168.2.4
Oct 29, 2024 12:04:30.796070099 CET	443	49764	35.244.181.201	192.168.2.4
Oct 29, 2024 12:04:30.797884941 CET	49764	443	192.168.2.4	35.244.181.201
Oct 29, 2024 12:04:30.797951937 CET	49764	443	192.168.2.4	35.244.181.201
Oct 29, 2024 12:04:30.798038960 CET	443	49764	35.244.181.201	192.168.2.4
Oct 29, 2024 12:04:30.798352003 CET	49764	443	192.168.2.4	35.244.181.201
Oct 29, 2024 12:04:30.798367977 CET	49764	443	192.168.2.4	35.244.181.201
Oct 29, 2024 12:04:30.835541010 CET	49749	80	192.168.2.4	34.107.221.82
Oct 29, 2024 12:04:30.836903095 CET	49767	443	192.168.2.4	34.120.208.123
Oct 29, 2024 12:04:30.836937904 CET	443	49767	34.120.208.123	192.168.2.4
Oct 29, 2024 12:04:30.837517023 CET	49767	443	192.168.2.4	34.120.208.123
Oct 29, 2024 12:04:30.839019060 CET	49767	443	192.168.2.4	34.120.208.123
Oct 29, 2024 12:04:30.839040041 CET	443	49767	34.120.208.123	192.168.2.4
Oct 29, 2024 12:04:30.840836048 CET	80	49749	34.107.221.82	192.168.2.4
Oct 29, 2024 12:04:30.917712927 CET	443	49765	34.149.100.209	192.168.2.4
Oct 29, 2024 12:04:30.918402910 CET	49765	443	192.168.2.4	34.149.100.209
Oct 29, 2024 12:04:30.922600985 CET	49765	443	192.168.2.4	34.149.100.209
Oct 29, 2024 12:04:30.922612906 CET	443	49765	34.149.100.209	192.168.2.4
Oct 29, 2024 12:04:30.922697067 CET	49765	443	192.168.2.4	34.149.100.209
Oct 29, 2024 12:04:30.922746897 CET	443	49765	34.149.100.209	192.168.2.4
Oct 29, 2024 12:04:30.922892094 CET	49765	443	192.168.2.4	34.149.100.209
Oct 29, 2024 12:04:30.923149109 CET	49768	443	192.168.2.4	34.149.100.209
Oct 29, 2024 12:04:30.923201084 CET	443	49768	34.149.100.209	192.168.2.4
Oct 29, 2024 12:04:30.923520088 CET	49768	443	192.168.2.4	34.149.100.209
Oct 29, 2024 12:04:30.925009012 CET	49768	443	192.168.2.4	34.149.100.209
Oct 29, 2024 12:04:30.925028086 CET	443	49768	34.149.100.209	192.168.2.4
Oct 29, 2024 12:04:30.958775997 CET	80	49749	34.107.221.82	192.168.2.4
Oct 29, 2024 12:04:31.024849892 CET	49749	80	192.168.2.4	34.107.221.82
Oct 29, 2024 12:04:31.153425932 CET	49754	80	192.168.2.4	34.107.221.82
Oct 29, 2024 12:04:31.158890963 CET	80	49754	34.107.221.82	192.168.2.4
Oct 29, 2024 12:04:31.285259008 CET	80	49754	34.107.221.82	192.168.2.4
Oct 29, 2024 12:04:31.325658083 CET	49754	80	192.168.2.4	34.107.221.82
Oct 29, 2024 12:04:31.452510118 CET	443	49767	34.120.208.123	192.168.2.4
Oct 29, 2024 12:04:31.452601910 CET	49767	443	192.168.2.4	34.120.208.123
Oct 29, 2024 12:04:31.543076992 CET	443	49768	34.149.100.209	192.168.2.4
Oct 29, 2024 12:04:31.544862032 CET	49768	443	192.168.2.4	34.149.100.209
Oct 29, 2024 12:04:31.880099058 CET	49767	443	192.168.2.4	34.120.208.123
Oct 29, 2024 12:04:31.880141020 CET	443	49767	34.120.208.123	192.168.2.4
Oct 29, 2024 12:04:31.880163908 CET	49767	443	192.168.2.4	34.120.208.123
Oct 29, 2024 12:04:31.880377054 CET	443	49767	34.120.208.123	192.168.2.4
Oct 29, 2024 12:04:31.880510092 CET	49768	443	192.168.2.4	34.149.100.209
Oct 29, 2024 12:04:31.880552053 CET	443	49768	34.149.100.209	192.168.2.4
Oct 29, 2024 12:04:31.880564928 CET	49768	443	192.168.2.4	34.149.100.209
Oct 29, 2024 12:04:31.880840063 CET	443	49768	34.149.100.209	192.168.2.4
Oct 29, 2024 12:04:31.889595032 CET	49767	443	192.168.2.4	34.120.208.123
Oct 29, 2024 12:04:31.889607906 CET	49768	443	192.168.2.4	34.149.100.209
Oct 29, 2024 12:04:34.055237055 CET	49749	80	192.168.2.4	34.107.221.82
Oct 29, 2024 12:04:34.060683012 CET	80	49749	34.107.221.82	192.168.2.4
Oct 29, 2024 12:04:34.178329945 CET	80	49749	34.107.221.82	192.168.2.4
Oct 29, 2024 12:04:34.234141111 CET	49749	80	192.168.2.4	34.107.221.82
Oct 29, 2024 12:04:34.900491953 CET	49769	443	192.168.2.4	34.107.243.93
Oct 29, 2024 12:04:34.900535107 CET	443	49769	34.107.243.93	192.168.2.4
Oct 29, 2024 12:04:34.901371002 CET	49754	80	192.168.2.4	34.107.221.82
Oct 29, 2024 12:04:34.903739929 CET	49769	443	192.168.2.4	34.107.243.93
Oct 29, 2024 12:04:34.905787945 CET	49769	443	192.168.2.4	34.107.243.93
Oct 29, 2024 12:04:34.905798912 CET	443	49769	34.107.243.93	192.168.2.4
Oct 29, 2024 12:04:34.906836987 CET	80	49754	34.107.221.82	192.168.2.4
Oct 29, 2024 12:04:34.951361895 CET	49770	443	192.168.2.4	34.120.208.123
Oct 29, 2024 12:04:34.951416969 CET	443	49770	34.120.208.123	192.168.2.4
Oct 29, 2024 12:04:34.951919079 CET	49770	443	192.168.2.4	34.120.208.123
Oct 29, 2024 12:04:34.952311039 CET	49770	443	192.168.2.4	34.120.208.123
Oct 29, 2024 12:04:34.952325106 CET	443	49770	34.120.208.123	192.168.2.4
Oct 29, 2024 12:04:34.970756054 CET	49771	443	192.168.2.4	34.120.208.123
Oct 29, 2024 12:04:34.970860004 CET	443	49771	34.120.208.123	192.168.2.4
Oct 29, 2024 12:04:34.971103907 CET	49771	443	192.168.2.4	34.120.208.123
Oct 29, 2024 12:04:34.971245050 CET	49771	443	192.168.2.4	34.120.208.123
Oct 29, 2024 12:04:34.971263885 CET	443	49771	34.120.208.123	192.168.2.4
Oct 29, 2024 12:04:34.974345922 CET	49772	443	192.168.2.4	34.120.208.123
Oct 29, 2024 12:04:34.974389076 CET	443	49772	34.120.208.123	192.168.2.4
Oct 29, 2024 12:04:34.974514008 CET	49772	443	192.168.2.4	34.120.208.123
Oct 29, 2024 12:04:34.976507902 CET	49772	443	192.168.2.4	34.120.208.123
Oct 29, 2024 12:04:34.976521969 CET	443	49772	34.120.208.123	192.168.2.4
Oct 29, 2024 12:04:35.033593893 CET	80	49754	34.107.221.82	192.168.2.4
Oct 29, 2024 12:04:35.083414078 CET	49754	80	192.168.2.4	34.107.221.82
Oct 29, 2024 12:04:35.514858961 CET	443	49769	34.107.243.93	192.168.2.4
Oct 29, 2024 12:04:35.514944077 CET	49769	443	192.168.2.4	34.107.243.93
Oct 29, 2024 12:04:35.520653009 CET	49769	443	192.168.2.4	34.107.243.93
Oct 29, 2024 12:04:35.520664930 CET	443	49769	34.107.243.93	192.168.2.4
Oct 29, 2024 12:04:35.520761013 CET	49769	443	192.168.2.4	34.107.243.93
Oct 29, 2024 12:04:35.520903111 CET	443	49769	34.107.243.93	192.168.2.4
Oct 29, 2024 12:04:35.521908998 CET	49769	443	192.168.2.4	34.107.243.93
Oct 29, 2024 12:04:35.524647951 CET	49749	80	192.168.2.4	34.107.221.82
Oct 29, 2024 12:04:35.529922009 CET	80	49749	34.107.221.82	192.168.2.4
Oct 29, 2024 12:04:35.583883047 CET	443	49771	34.120.208.123	192.168.2.4
Oct 29, 2024 12:04:35.583957911 CET	49771	443	192.168.2.4	34.120.208.123
Oct 29, 2024 12:04:35.585915089 CET	443	49772	34.120.208.123	192.168.2.4
Oct 29, 2024 12:04:35.587203026 CET	49771	443	192.168.2.4	34.120.208.123
Oct 29, 2024 12:04:35.587214947 CET	443	49771	34.120.208.123	192.168.2.4
Oct 29, 2024 12:04:35.587388039 CET	49772	443	192.168.2.4	34.120.208.123
Oct 29, 2024 12:04:35.587543011 CET	443	49771	34.120.208.123	192.168.2.4
Oct 29, 2024 12:04:35.592365980 CET	49772	443	192.168.2.4	34.120.208.123
Oct 29, 2024 12:04:35.592379093 CET	443	49772	34.120.208.123	192.168.2.4
Oct 29, 2024 12:04:35.592473030 CET	49772	443	192.168.2.4	34.120.208.123
Oct 29, 2024 12:04:35.592521906 CET	443	49772	34.120.208.123	192.168.2.4
Oct 29, 2024 12:04:35.592591047 CET	49771	443	192.168.2.4	34.120.208.123
Oct 29, 2024 12:04:35.592681885 CET	49771	443	192.168.2.4	34.120.208.123
Oct 29, 2024 12:04:35.592979908 CET	443	49771	34.120.208.123	192.168.2.4
Oct 29, 2024 12:04:35.593143940 CET	49772	443	192.168.2.4	34.120.208.123
Oct 29, 2024 12:04:35.593163967 CET	49771	443	192.168.2.4	34.120.208.123
Oct 29, 2024 12:04:35.595065117 CET	443	49770	34.120.208.123	192.168.2.4
Oct 29, 2024 12:04:35.595180988 CET	49770	443	192.168.2.4	34.120.208.123
Oct 29, 2024 12:04:35.598635912 CET	49770	443	192.168.2.4	34.120.208.123
Oct 29, 2024 12:04:35.598654032 CET	443	49770	34.120.208.123	192.168.2.4
Oct 29, 2024 12:04:35.598892927 CET	443	49770	34.120.208.123	192.168.2.4
Oct 29, 2024 12:04:35.599339008 CET	49773	443	192.168.2.4	34.120.208.123
Oct 29, 2024 12:04:35.599375010 CET	443	49773	34.120.208.123	192.168.2.4
Oct 29, 2024 12:04:35.599750042 CET	49773	443	192.168.2.4	34.120.208.123
Oct 29, 2024 12:04:35.601735115 CET	49773	443	192.168.2.4	34.120.208.123
Oct 29, 2024 12:04:35.601761103 CET	443	49773	34.120.208.123	192.168.2.4
Oct 29, 2024 12:04:35.604137897 CET	49770	443	192.168.2.4	34.120.208.123
Oct 29, 2024 12:04:35.604248047 CET	49770	443	192.168.2.4	34.120.208.123
Oct 29, 2024 12:04:35.604284048 CET	443	49770	34.120.208.123	192.168.2.4
Oct 29, 2024 12:04:35.604579926 CET	49770	443	192.168.2.4	34.120.208.123
Oct 29, 2024 12:04:35.647599936 CET	80	49749	34.107.221.82	192.168.2.4
Oct 29, 2024 12:04:35.651659012 CET	49754	80	192.168.2.4	34.107.221.82
Oct 29, 2024 12:04:35.657002926 CET	80	49754	34.107.221.82	192.168.2.4
Oct 29, 2024 12:04:35.700644970 CET	49749	80	192.168.2.4	34.107.221.82
Oct 29, 2024 12:04:35.783307076 CET	80	49754	34.107.221.82	192.168.2.4
Oct 29, 2024 12:04:35.832195997 CET	49754	80	192.168.2.4	34.107.221.82
Oct 29, 2024 12:04:36.222518921 CET	443	49773	34.120.208.123	192.168.2.4
Oct 29, 2024 12:04:36.222611904 CET	49773	443	192.168.2.4	34.120.208.123
Oct 29, 2024 12:04:36.228303909 CET	49773	443	192.168.2.4	34.120.208.123
Oct 29, 2024 12:04:36.228339911 CET	443	49773	34.120.208.123	192.168.2.4
Oct 29, 2024 12:04:36.228408098 CET	49773	443	192.168.2.4	34.120.208.123
Oct 29, 2024 12:04:36.228526115 CET	443	49773	34.120.208.123	192.168.2.4
Oct 29, 2024 12:04:36.229419947 CET	49773	443	192.168.2.4	34.120.208.123
Oct 29, 2024 12:04:36.232263088 CET	49749	80	192.168.2.4	34.107.221.82
Oct 29, 2024 12:04:36.234910965 CET	49774	443	192.168.2.4	34.120.208.123
Oct 29, 2024 12:04:36.234951019 CET	443	49774	34.120.208.123	192.168.2.4
Oct 29, 2024 12:04:36.235246897 CET	49774	443	192.168.2.4	34.120.208.123
Oct 29, 2024 12:04:36.236594915 CET	49774	443	192.168.2.4	34.120.208.123
Oct 29, 2024 12:04:36.236613035 CET	443	49774	34.120.208.123	192.168.2.4
Oct 29, 2024 12:04:36.237689972 CET	80	49749	34.107.221.82	192.168.2.4
Oct 29, 2024 12:04:36.355254889 CET	80	49749	34.107.221.82	192.168.2.4
Oct 29, 2024 12:04:36.358791113 CET	49754	80	192.168.2.4	34.107.221.82
Oct 29, 2024 12:04:36.364135981 CET	80	49754	34.107.221.82	192.168.2.4
Oct 29, 2024 12:04:36.402690887 CET	49749	80	192.168.2.4	34.107.221.82
Oct 29, 2024 12:04:36.492516041 CET	80	49754	34.107.221.82	192.168.2.4
Oct 29, 2024 12:04:36.534215927 CET	49754	80	192.168.2.4	34.107.221.82
Oct 29, 2024 12:04:36.842462063 CET	443	49774	34.120.208.123	192.168.2.4
Oct 29, 2024 12:04:36.842552900 CET	49774	443	192.168.2.4	34.120.208.123
Oct 29, 2024 12:04:36.848297119 CET	49774	443	192.168.2.4	34.120.208.123
Oct 29, 2024 12:04:36.848324060 CET	443	49774	34.120.208.123	192.168.2.4
Oct 29, 2024 12:04:36.848448992 CET	49774	443	192.168.2.4	34.120.208.123
Oct 29, 2024 12:04:36.848546982 CET	443	49774	34.120.208.123	192.168.2.4
Oct 29, 2024 12:04:36.849644899 CET	49774	443	192.168.2.4	34.120.208.123
Oct 29, 2024 12:04:36.851507902 CET	49749	80	192.168.2.4	34.107.221.82
Oct 29, 2024 12:04:36.856921911 CET	80	49749	34.107.221.82	192.168.2.4
Oct 29, 2024 12:04:36.976619005 CET	80	49749	34.107.221.82	192.168.2.4
Oct 29, 2024 12:04:36.980179071 CET	49754	80	192.168.2.4	34.107.221.82
Oct 29, 2024 12:04:36.985610962 CET	80	49754	34.107.221.82	192.168.2.4
Oct 29, 2024 12:04:37.035643101 CET	49749	80	192.168.2.4	34.107.221.82
Oct 29, 2024 12:04:37.111857891 CET	80	49754	34.107.221.82	192.168.2.4
Oct 29, 2024 12:04:37.173727989 CET	49754	80	192.168.2.4	34.107.221.82
Oct 29, 2024 12:04:44.273160934 CET	49775	443	192.168.2.4	35.244.181.201
Oct 29, 2024 12:04:44.273232937 CET	443	49775	35.244.181.201	192.168.2.4
Oct 29, 2024 12:04:44.276459932 CET	49775	443	192.168.2.4	35.244.181.201
Oct 29, 2024 12:04:44.276557922 CET	49775	443	192.168.2.4	35.244.181.201
Oct 29, 2024 12:04:44.276603937 CET	443	49775	35.244.181.201	192.168.2.4
Oct 29, 2024 12:04:44.295207024 CET	49776	443	192.168.2.4	34.149.100.209
Oct 29, 2024 12:04:44.295249939 CET	443	49776	34.149.100.209	192.168.2.4
Oct 29, 2024 12:04:44.295559883 CET	49776	443	192.168.2.4	34.149.100.209
Oct 29, 2024 12:04:44.295686960 CET	49776	443	192.168.2.4	34.149.100.209
Oct 29, 2024 12:04:44.295703888 CET	443	49776	34.149.100.209	192.168.2.4
Oct 29, 2024 12:04:44.301306963 CET	49777	443	192.168.2.4	151.101.129.91
Oct 29, 2024 12:04:44.301323891 CET	443	49777	151.101.129.91	192.168.2.4
Oct 29, 2024 12:04:44.301719904 CET	49777	443	192.168.2.4	151.101.129.91
Oct 29, 2024 12:04:44.301790953 CET	49777	443	192.168.2.4	151.101.129.91
Oct 29, 2024 12:04:44.301800966 CET	443	49777	151.101.129.91	192.168.2.4
Oct 29, 2024 12:04:44.314058065 CET	49778	443	192.168.2.4	35.190.72.216
Oct 29, 2024 12:04:44.314083099 CET	443	49778	35.190.72.216	192.168.2.4
Oct 29, 2024 12:04:44.317353964 CET	49778	443	192.168.2.4	35.190.72.216
Oct 29, 2024 12:04:44.318641901 CET	49778	443	192.168.2.4	35.190.72.216
Oct 29, 2024 12:04:44.318660021 CET	443	49778	35.190.72.216	192.168.2.4
Oct 29, 2024 12:04:44.327153921 CET	49779	443	192.168.2.4	35.201.103.21
Oct 29, 2024 12:04:44.327162027 CET	443	49779	35.201.103.21	192.168.2.4
Oct 29, 2024 12:04:44.327308893 CET	49779	443	192.168.2.4	35.201.103.21
Oct 29, 2024 12:04:44.328619957 CET	49779	443	192.168.2.4	35.201.103.21
Oct 29, 2024 12:04:44.328629971 CET	443	49779	35.201.103.21	192.168.2.4
Oct 29, 2024 12:04:44.875168085 CET	443	49775	35.244.181.201	192.168.2.4
Oct 29, 2024 12:04:44.875310898 CET	49775	443	192.168.2.4	35.244.181.201
Oct 29, 2024 12:04:44.878607988 CET	49775	443	192.168.2.4	35.244.181.201
Oct 29, 2024 12:04:44.878633976 CET	443	49775	35.244.181.201	192.168.2.4
Oct 29, 2024 12:04:44.878887892 CET	443	49775	35.244.181.201	192.168.2.4
Oct 29, 2024 12:04:44.881367922 CET	49775	443	192.168.2.4	35.244.181.201
Oct 29, 2024 12:04:44.881458998 CET	49775	443	192.168.2.4	35.244.181.201
Oct 29, 2024 12:04:44.881530046 CET	443	49775	35.244.181.201	192.168.2.4
Oct 29, 2024 12:04:44.882034063 CET	49775	443	192.168.2.4	35.244.181.201
Oct 29, 2024 12:04:44.885629892 CET	49749	80	192.168.2.4	34.107.221.82
Oct 29, 2024 12:04:44.891062975 CET	80	49749	34.107.221.82	192.168.2.4
Oct 29, 2024 12:04:44.912978888 CET	443	49777	151.101.129.91	192.168.2.4
Oct 29, 2024 12:04:44.913048983 CET	49777	443	192.168.2.4	151.101.129.91
Oct 29, 2024 12:04:44.916162968 CET	49777	443	192.168.2.4	151.101.129.91
Oct 29, 2024 12:04:44.916179895 CET	443	49777	151.101.129.91	192.168.2.4
Oct 29, 2024 12:04:44.916423082 CET	443	49777	151.101.129.91	192.168.2.4
Oct 29, 2024 12:04:44.918858051 CET	49777	443	192.168.2.4	151.101.129.91
Oct 29, 2024 12:04:44.918951035 CET	49777	443	192.168.2.4	151.101.129.91
Oct 29, 2024 12:04:44.918992996 CET	443	49777	151.101.129.91	192.168.2.4
Oct 29, 2024 12:04:44.924783945 CET	49777	443	192.168.2.4	151.101.129.91
Oct 29, 2024 12:04:44.926063061 CET	49780	443	192.168.2.4	35.244.181.201
Oct 29, 2024 12:04:44.926105976 CET	443	49780	35.244.181.201	192.168.2.4
Oct 29, 2024 12:04:44.926398993 CET	49780	443	192.168.2.4	35.244.181.201
Oct 29, 2024 12:04:44.926503897 CET	49780	443	192.168.2.4	35.244.181.201
Oct 29, 2024 12:04:44.926518917 CET	443	49780	35.244.181.201	192.168.2.4
Oct 29, 2024 12:04:44.926805973 CET	443	49778	35.190.72.216	192.168.2.4
Oct 29, 2024 12:04:44.927170038 CET	49778	443	192.168.2.4	35.190.72.216
Oct 29, 2024 12:04:44.929771900 CET	49781	443	192.168.2.4	35.244.181.201
Oct 29, 2024 12:04:44.929805040 CET	443	49781	35.244.181.201	192.168.2.4
Oct 29, 2024 12:04:44.929934978 CET	49781	443	192.168.2.4	35.244.181.201
Oct 29, 2024 12:04:44.929981947 CET	443	49776	34.149.100.209	192.168.2.4
Oct 29, 2024 12:04:44.930277109 CET	49781	443	192.168.2.4	35.244.181.201
Oct 29, 2024 12:04:44.930288076 CET	443	49781	35.244.181.201	192.168.2.4
Oct 29, 2024 12:04:44.930619955 CET	49776	443	192.168.2.4	34.149.100.209
Oct 29, 2024 12:04:44.933175087 CET	49776	443	192.168.2.4	34.149.100.209
Oct 29, 2024 12:04:44.933185101 CET	443	49776	34.149.100.209	192.168.2.4
Oct 29, 2024 12:04:44.933424950 CET	443	49776	34.149.100.209	192.168.2.4
Oct 29, 2024 12:04:44.934247971 CET	49782	443	192.168.2.4	35.244.181.201
Oct 29, 2024 12:04:44.934262037 CET	443	49782	35.244.181.201	192.168.2.4
Oct 29, 2024 12:04:44.934724092 CET	49782	443	192.168.2.4	35.244.181.201
Oct 29, 2024 12:04:44.934999943 CET	49782	443	192.168.2.4	35.244.181.201
Oct 29, 2024 12:04:44.935010910 CET	443	49782	35.244.181.201	192.168.2.4
Oct 29, 2024 12:04:44.935364962 CET	49778	443	192.168.2.4	35.190.72.216
Oct 29, 2024 12:04:44.935380936 CET	443	49778	35.190.72.216	192.168.2.4
Oct 29, 2024 12:04:44.935432911 CET	49778	443	192.168.2.4	35.190.72.216
Oct 29, 2024 12:04:44.935595989 CET	443	49778	35.190.72.216	192.168.2.4
Oct 29, 2024 12:04:44.935811996 CET	49778	443	192.168.2.4	35.190.72.216
Oct 29, 2024 12:04:44.937032938 CET	49776	443	192.168.2.4	34.149.100.209
Oct 29, 2024 12:04:44.937103033 CET	49776	443	192.168.2.4	34.149.100.209
Oct 29, 2024 12:04:44.937196970 CET	443	49776	34.149.100.209	192.168.2.4
Oct 29, 2024 12:04:44.937252998 CET	49776	443	192.168.2.4	34.149.100.209
Oct 29, 2024 12:04:44.948131084 CET	443	49779	35.201.103.21	192.168.2.4
Oct 29, 2024 12:04:44.948196888 CET	49779	443	192.168.2.4	35.201.103.21
Oct 29, 2024 12:04:44.952789068 CET	49779	443	192.168.2.4	35.201.103.21
Oct 29, 2024 12:04:44.952796936 CET	443	49779	35.201.103.21	192.168.2.4
Oct 29, 2024 12:04:44.952872038 CET	49779	443	192.168.2.4	35.201.103.21
Oct 29, 2024 12:04:44.953176022 CET	443	49779	35.201.103.21	192.168.2.4
Oct 29, 2024 12:04:44.953259945 CET	49779	443	192.168.2.4	35.201.103.21
Oct 29, 2024 12:04:44.963386059 CET	49783	443	192.168.2.4	34.149.100.209
Oct 29, 2024 12:04:44.963498116 CET	443	49783	34.149.100.209	192.168.2.4
Oct 29, 2024 12:04:44.963591099 CET	49783	443	192.168.2.4	34.149.100.209
Oct 29, 2024 12:04:44.963694096 CET	49783	443	192.168.2.4	34.149.100.209
Oct 29, 2024 12:04:44.963723898 CET	443	49783	34.149.100.209	192.168.2.4
Oct 29, 2024 12:04:45.008891106 CET	80	49749	34.107.221.82	192.168.2.4
Oct 29, 2024 12:04:45.014309883 CET	49754	80	192.168.2.4	34.107.221.82
Oct 29, 2024 12:04:45.019706964 CET	80	49754	34.107.221.82	192.168.2.4
Oct 29, 2024 12:04:45.054734945 CET	49749	80	192.168.2.4	34.107.221.82
Oct 29, 2024 12:04:45.145941019 CET	80	49754	34.107.221.82	192.168.2.4
Oct 29, 2024 12:04:45.198617935 CET	49754	80	192.168.2.4	34.107.221.82
Oct 29, 2024 12:04:45.532094002 CET	443	49780	35.244.181.201	192.168.2.4
Oct 29, 2024 12:04:45.534970045 CET	49780	443	192.168.2.4	35.244.181.201
Oct 29, 2024 12:04:45.537533998 CET	49780	443	192.168.2.4	35.244.181.201
Oct 29, 2024 12:04:45.537549973 CET	443	49780	35.244.181.201	192.168.2.4
Oct 29, 2024 12:04:45.537784100 CET	443	49780	35.244.181.201	192.168.2.4
Oct 29, 2024 12:04:45.539596081 CET	49780	443	192.168.2.4	35.244.181.201
Oct 29, 2024 12:04:45.539680004 CET	49780	443	192.168.2.4	35.244.181.201
Oct 29, 2024 12:04:45.539748907 CET	443	49780	35.244.181.201	192.168.2.4
Oct 29, 2024 12:04:45.544483900 CET	443	49781	35.244.181.201	192.168.2.4
Oct 29, 2024 12:04:45.545583010 CET	49780	443	192.168.2.4	35.244.181.201
Oct 29, 2024 12:04:45.545583963 CET	49780	443	192.168.2.4	35.244.181.201
Oct 29, 2024 12:04:45.545602083 CET	49781	443	192.168.2.4	35.244.181.201
Oct 29, 2024 12:04:45.545928001 CET	443	49782	35.244.181.201	192.168.2.4
Oct 29, 2024 12:04:45.546420097 CET	49782	443	192.168.2.4	35.244.181.201
Oct 29, 2024 12:04:45.552473068 CET	49781	443	192.168.2.4	35.244.181.201
Oct 29, 2024 12:04:45.552485943 CET	443	49781	35.244.181.201	192.168.2.4
Oct 29, 2024 12:04:45.552681923 CET	443	49781	35.244.181.201	192.168.2.4
Oct 29, 2024 12:04:45.554830074 CET	49782	443	192.168.2.4	35.244.181.201
Oct 29, 2024 12:04:45.554877996 CET	443	49782	35.244.181.201	192.168.2.4
Oct 29, 2024 12:04:45.555092096 CET	443	49782	35.244.181.201	192.168.2.4
Oct 29, 2024 12:04:45.555365086 CET	49749	80	192.168.2.4	34.107.221.82
Oct 29, 2024 12:04:45.557806015 CET	49781	443	192.168.2.4	35.244.181.201
Oct 29, 2024 12:04:45.557905912 CET	49781	443	192.168.2.4	35.244.181.201
Oct 29, 2024 12:04:45.557934999 CET	443	49781	35.244.181.201	192.168.2.4
Oct 29, 2024 12:04:45.559271097 CET	49782	443	192.168.2.4	35.244.181.201
Oct 29, 2024 12:04:45.559346914 CET	49782	443	192.168.2.4	35.244.181.201
Oct 29, 2024 12:04:45.559699059 CET	443	49782	35.244.181.201	192.168.2.4
Oct 29, 2024 12:04:45.560743093 CET	80	49749	34.107.221.82	192.168.2.4
Oct 29, 2024 12:04:45.561145067 CET	49781	443	192.168.2.4	35.244.181.201
Oct 29, 2024 12:04:45.561167002 CET	49782	443	192.168.2.4	35.244.181.201
Oct 29, 2024 12:04:45.565633059 CET	49784	443	192.168.2.4	34.107.243.93
Oct 29, 2024 12:04:45.565651894 CET	443	49784	34.107.243.93	192.168.2.4
Oct 29, 2024 12:04:45.566032887 CET	49784	443	192.168.2.4	34.107.243.93
Oct 29, 2024 12:04:45.567374945 CET	49784	443	192.168.2.4	34.107.243.93
Oct 29, 2024 12:04:45.567385912 CET	443	49784	34.107.243.93	192.168.2.4
Oct 29, 2024 12:04:45.572299957 CET	443	49783	34.149.100.209	192.168.2.4
Oct 29, 2024 12:04:45.572377920 CET	49783	443	192.168.2.4	34.149.100.209
Oct 29, 2024 12:04:45.575089931 CET	49783	443	192.168.2.4	34.149.100.209
Oct 29, 2024 12:04:45.575107098 CET	443	49783	34.149.100.209	192.168.2.4
Oct 29, 2024 12:04:45.575347900 CET	443	49783	34.149.100.209	192.168.2.4
Oct 29, 2024 12:04:45.577166080 CET	49783	443	192.168.2.4	34.149.100.209
Oct 29, 2024 12:04:45.577244997 CET	49783	443	192.168.2.4	34.149.100.209
Oct 29, 2024 12:04:45.577301025 CET	443	49783	34.149.100.209	192.168.2.4
Oct 29, 2024 12:04:45.578346014 CET	49783	443	192.168.2.4	34.149.100.209
Oct 29, 2024 12:04:45.578370094 CET	49783	443	192.168.2.4	34.149.100.209
Oct 29, 2024 12:04:45.687773943 CET	80	49749	34.107.221.82	192.168.2.4
Oct 29, 2024 12:04:45.690284014 CET	49754	80	192.168.2.4	34.107.221.82
Oct 29, 2024 12:04:45.695781946 CET	80	49754	34.107.221.82	192.168.2.4
Oct 29, 2024 12:04:45.731337070 CET	49749	80	192.168.2.4	34.107.221.82
Oct 29, 2024 12:04:45.822122097 CET	80	49754	34.107.221.82	192.168.2.4
Oct 29, 2024 12:04:45.869400024 CET	49754	80	192.168.2.4	34.107.221.82
Oct 29, 2024 12:04:46.185062885 CET	443	49784	34.107.243.93	192.168.2.4
Oct 29, 2024 12:04:46.185967922 CET	49784	443	192.168.2.4	34.107.243.93
Oct 29, 2024 12:04:46.190901995 CET	49784	443	192.168.2.4	34.107.243.93
Oct 29, 2024 12:04:46.190915108 CET	443	49784	34.107.243.93	192.168.2.4
Oct 29, 2024 12:04:46.191019058 CET	49784	443	192.168.2.4	34.107.243.93
Oct 29, 2024 12:04:46.191098928 CET	443	49784	34.107.243.93	192.168.2.4
Oct 29, 2024 12:04:46.191251993 CET	49784	443	192.168.2.4	34.107.243.93
Oct 29, 2024 12:04:46.193692923 CET	49749	80	192.168.2.4	34.107.221.82
Oct 29, 2024 12:04:46.199090004 CET	80	49749	34.107.221.82	192.168.2.4
Oct 29, 2024 12:04:46.317126036 CET	80	49749	34.107.221.82	192.168.2.4
Oct 29, 2024 12:04:46.320463896 CET	49754	80	192.168.2.4	34.107.221.82
Oct 29, 2024 12:04:46.326106071 CET	80	49754	34.107.221.82	192.168.2.4
Oct 29, 2024 12:04:46.370877028 CET	49749	80	192.168.2.4	34.107.221.82
Oct 29, 2024 12:04:46.452471018 CET	80	49754	34.107.221.82	192.168.2.4
Oct 29, 2024 12:04:46.502394915 CET	49754	80	192.168.2.4	34.107.221.82
Oct 29, 2024 12:04:51.922153950 CET	49749	80	192.168.2.4	34.107.221.82
Oct 29, 2024 12:04:51.927771091 CET	80	49749	34.107.221.82	192.168.2.4
Oct 29, 2024 12:04:52.045496941 CET	80	49749	34.107.221.82	192.168.2.4
Oct 29, 2024 12:04:52.048211098 CET	49754	80	192.168.2.4	34.107.221.82
Oct 29, 2024 12:04:52.053622007 CET	80	49754	34.107.221.82	192.168.2.4
Oct 29, 2024 12:04:52.087383986 CET	49749	80	192.168.2.4	34.107.221.82
Oct 29, 2024 12:04:52.180099010 CET	80	49754	34.107.221.82	192.168.2.4
Oct 29, 2024 12:04:52.234414101 CET	49754	80	192.168.2.4	34.107.221.82
Oct 29, 2024 12:05:02.046881914 CET	49749	80	192.168.2.4	34.107.221.82
Oct 29, 2024 12:05:02.052299976 CET	80	49749	34.107.221.82	192.168.2.4
Oct 29, 2024 12:05:02.194046974 CET	49754	80	192.168.2.4	34.107.221.82
Oct 29, 2024 12:05:02.199357033 CET	80	49754	34.107.221.82	192.168.2.4
Oct 29, 2024 12:05:06.215711117 CET	49818	443	192.168.2.4	34.107.243.93
Oct 29, 2024 12:05:06.215748072 CET	443	49818	34.107.243.93	192.168.2.4
Oct 29, 2024 12:05:06.216006041 CET	49818	443	192.168.2.4	34.107.243.93
Oct 29, 2024 12:05:06.217921019 CET	49818	443	192.168.2.4	34.107.243.93
Oct 29, 2024 12:05:06.217940092 CET	443	49818	34.107.243.93	192.168.2.4
Oct 29, 2024 12:05:06.863394022 CET	443	49818	34.107.243.93	192.168.2.4
Oct 29, 2024 12:05:06.863495111 CET	49818	443	192.168.2.4	34.107.243.93
Oct 29, 2024 12:05:06.868817091 CET	49818	443	192.168.2.4	34.107.243.93
Oct 29, 2024 12:05:06.868834972 CET	443	49818	34.107.243.93	192.168.2.4
Oct 29, 2024 12:05:06.868923903 CET	49818	443	192.168.2.4	34.107.243.93
Oct 29, 2024 12:05:06.868957043 CET	443	49818	34.107.243.93	192.168.2.4
Oct 29, 2024 12:05:06.869749069 CET	49818	443	192.168.2.4	34.107.243.93
Oct 29, 2024 12:05:06.872062922 CET	49749	80	192.168.2.4	34.107.221.82
Oct 29, 2024 12:05:06.877835989 CET	80	49749	34.107.221.82	192.168.2.4
Oct 29, 2024 12:05:06.995387077 CET	80	49749	34.107.221.82	192.168.2.4
Oct 29, 2024 12:05:06.998882055 CET	49754	80	192.168.2.4	34.107.221.82
Oct 29, 2024 12:05:07.004261971 CET	80	49754	34.107.221.82	192.168.2.4
Oct 29, 2024 12:05:07.045994043 CET	49749	80	192.168.2.4	34.107.221.82
Oct 29, 2024 12:05:07.130212069 CET	80	49754	34.107.221.82	192.168.2.4
Oct 29, 2024 12:05:07.177391052 CET	49754	80	192.168.2.4	34.107.221.82
Oct 29, 2024 12:05:14.262411118 CET	49863	443	192.168.2.4	34.120.208.123
Oct 29, 2024 12:05:14.262520075 CET	443	49863	34.120.208.123	192.168.2.4
Oct 29, 2024 12:05:14.262569904 CET	49864	443	192.168.2.4	34.120.208.123
Oct 29, 2024 12:05:14.262593031 CET	443	49864	34.120.208.123	192.168.2.4
Oct 29, 2024 12:05:14.262727976 CET	49865	443	192.168.2.4	34.120.208.123
Oct 29, 2024 12:05:14.262773037 CET	443	49865	34.120.208.123	192.168.2.4
Oct 29, 2024 12:05:14.264769077 CET	49863	443	192.168.2.4	34.120.208.123
Oct 29, 2024 12:05:14.264775991 CET	49864	443	192.168.2.4	34.120.208.123
Oct 29, 2024 12:05:14.264822006 CET	49865	443	192.168.2.4	34.120.208.123
Oct 29, 2024 12:05:14.265011072 CET	49863	443	192.168.2.4	34.120.208.123
Oct 29, 2024 12:05:14.265062094 CET	443	49863	34.120.208.123	192.168.2.4
Oct 29, 2024 12:05:14.265170097 CET	49865	443	192.168.2.4	34.120.208.123
Oct 29, 2024 12:05:14.265199900 CET	443	49865	34.120.208.123	192.168.2.4
Oct 29, 2024 12:05:14.265280008 CET	49864	443	192.168.2.4	34.120.208.123
Oct 29, 2024 12:05:14.265290976 CET	443	49864	34.120.208.123	192.168.2.4
Oct 29, 2024 12:05:14.872926950 CET	443	49865	34.120.208.123	192.168.2.4
Oct 29, 2024 12:05:14.873464108 CET	49865	443	192.168.2.4	34.120.208.123
Oct 29, 2024 12:05:14.877893925 CET	49865	443	192.168.2.4	34.120.208.123
Oct 29, 2024 12:05:14.877909899 CET	443	49865	34.120.208.123	192.168.2.4
Oct 29, 2024 12:05:14.878149033 CET	443	49865	34.120.208.123	192.168.2.4
Oct 29, 2024 12:05:14.880764961 CET	49865	443	192.168.2.4	34.120.208.123
Oct 29, 2024 12:05:14.880899906 CET	49865	443	192.168.2.4	34.120.208.123
Oct 29, 2024 12:05:14.880914927 CET	443	49865	34.120.208.123	192.168.2.4
Oct 29, 2024 12:05:14.881402969 CET	49865	443	192.168.2.4	34.120.208.123
Oct 29, 2024 12:05:14.881442070 CET	49865	443	192.168.2.4	34.120.208.123
Oct 29, 2024 12:05:14.887341976 CET	443	49863	34.120.208.123	192.168.2.4
Oct 29, 2024 12:05:14.887425900 CET	49863	443	192.168.2.4	34.120.208.123
Oct 29, 2024 12:05:14.891474009 CET	49863	443	192.168.2.4	34.120.208.123
Oct 29, 2024 12:05:14.891505957 CET	443	49863	34.120.208.123	192.168.2.4
Oct 29, 2024 12:05:14.892405033 CET	443	49863	34.120.208.123	192.168.2.4
Oct 29, 2024 12:05:14.894516945 CET	49863	443	192.168.2.4	34.120.208.123
Oct 29, 2024 12:05:14.894640923 CET	49863	443	192.168.2.4	34.120.208.123
Oct 29, 2024 12:05:14.894973993 CET	443	49863	34.120.208.123	192.168.2.4
Oct 29, 2024 12:05:14.901091099 CET	49863	443	192.168.2.4	34.120.208.123
Oct 29, 2024 12:05:14.901133060 CET	49863	443	192.168.2.4	34.120.208.123
Oct 29, 2024 12:05:14.906986952 CET	443	49864	34.120.208.123	192.168.2.4
Oct 29, 2024 12:05:14.912439108 CET	49864	443	192.168.2.4	34.120.208.123
Oct 29, 2024 12:05:14.916645050 CET	49864	443	192.168.2.4	34.120.208.123
Oct 29, 2024 12:05:14.916657925 CET	443	49864	34.120.208.123	192.168.2.4
Oct 29, 2024 12:05:14.917388916 CET	443	49864	34.120.208.123	192.168.2.4
Oct 29, 2024 12:05:14.919961929 CET	49864	443	192.168.2.4	34.120.208.123
Oct 29, 2024 12:05:14.920070887 CET	49864	443	192.168.2.4	34.120.208.123
Oct 29, 2024 12:05:14.920320988 CET	49864	443	192.168.2.4	34.120.208.123
Oct 29, 2024 12:05:14.934662104 CET	49749	80	192.168.2.4	34.107.221.82
Oct 29, 2024 12:05:14.940040112 CET	80	49749	34.107.221.82	192.168.2.4
Oct 29, 2024 12:05:15.057945967 CET	80	49749	34.107.221.82	192.168.2.4
Oct 29, 2024 12:05:15.113575935 CET	49749	80	192.168.2.4	34.107.221.82
Oct 29, 2024 12:05:15.653819084 CET	49754	80	192.168.2.4	34.107.221.82
Oct 29, 2024 12:05:15.659266949 CET	80	49754	34.107.221.82	192.168.2.4
Oct 29, 2024 12:05:15.785685062 CET	80	49754	34.107.221.82	192.168.2.4
Oct 29, 2024 12:05:15.841815948 CET	49754	80	192.168.2.4	34.107.221.82
Oct 29, 2024 12:05:25.062531948 CET	49749	80	192.168.2.4	34.107.221.82
Oct 29, 2024 12:05:25.067964077 CET	80	49749	34.107.221.82	192.168.2.4
Oct 29, 2024 12:05:25.795979977 CET	49754	80	192.168.2.4	34.107.221.82
Oct 29, 2024 12:05:25.801632881 CET	80	49754	34.107.221.82	192.168.2.4
Oct 29, 2024 12:05:35.076438904 CET	49749	80	192.168.2.4	34.107.221.82
Oct 29, 2024 12:05:35.082010984 CET	80	49749	34.107.221.82	192.168.2.4
Oct 29, 2024 12:05:35.809849977 CET	49754	80	192.168.2.4	34.107.221.82
Oct 29, 2024 12:05:36.631078005 CET	80	49754	34.107.221.82	192.168.2.4
Oct 29, 2024 12:05:45.095954895 CET	49749	80	192.168.2.4	34.107.221.82
Oct 29, 2024 12:05:45.101442099 CET	80	49749	34.107.221.82	192.168.2.4
Oct 29, 2024 12:05:46.631261110 CET	49754	80	192.168.2.4	34.107.221.82
Oct 29, 2024 12:05:46.636833906 CET	80	49754	34.107.221.82	192.168.2.4
Oct 29, 2024 12:05:46.894186974 CET	50038	443	192.168.2.4	34.107.243.93
Oct 29, 2024 12:05:46.894236088 CET	443	50038	34.107.243.93	192.168.2.4
Oct 29, 2024 12:05:46.894325972 CET	50038	443	192.168.2.4	34.107.243.93
Oct 29, 2024 12:05:46.895694017 CET	50038	443	192.168.2.4	34.107.243.93
Oct 29, 2024 12:05:46.895706892 CET	443	50038	34.107.243.93	192.168.2.4
Oct 29, 2024 12:05:47.520586014 CET	443	50038	34.107.243.93	192.168.2.4
Oct 29, 2024 12:05:47.520752907 CET	50038	443	192.168.2.4	34.107.243.93
Oct 29, 2024 12:05:47.526515007 CET	50038	443	192.168.2.4	34.107.243.93
Oct 29, 2024 12:05:47.526525021 CET	443	50038	34.107.243.93	192.168.2.4
Oct 29, 2024 12:05:47.526612043 CET	50038	443	192.168.2.4	34.107.243.93
Oct 29, 2024 12:05:47.526824951 CET	443	50038	34.107.243.93	192.168.2.4
Oct 29, 2024 12:05:47.527373075 CET	50038	443	192.168.2.4	34.107.243.93
Oct 29, 2024 12:05:47.529098988 CET	49749	80	192.168.2.4	34.107.221.82
Oct 29, 2024 12:05:47.534471035 CET	80	49749	34.107.221.82	192.168.2.4
Oct 29, 2024 12:05:47.652364969 CET	80	49749	34.107.221.82	192.168.2.4
Oct 29, 2024 12:05:47.655741930 CET	49754	80	192.168.2.4	34.107.221.82
Oct 29, 2024 12:05:47.661138058 CET	80	49754	34.107.221.82	192.168.2.4
Oct 29, 2024 12:05:47.703461885 CET	49749	80	192.168.2.4	34.107.221.82
Oct 29, 2024 12:05:47.787595034 CET	80	49754	34.107.221.82	192.168.2.4
Oct 29, 2024 12:05:47.834923029 CET	49754	80	192.168.2.4	34.107.221.82
Oct 29, 2024 12:05:57.663501024 CET	49749	80	192.168.2.4	34.107.221.82
Oct 29, 2024 12:05:57.669009924 CET	80	49749	34.107.221.82	192.168.2.4
Oct 29, 2024 12:05:57.795160055 CET	49754	80	192.168.2.4	34.107.221.82
Oct 29, 2024 12:05:57.800672054 CET	80	49754	34.107.221.82	192.168.2.4
Oct 29, 2024 12:06:07.677133083 CET	49749	80	192.168.2.4	34.107.221.82
Oct 29, 2024 12:06:07.682576895 CET	80	49749	34.107.221.82	192.168.2.4
Oct 29, 2024 12:06:07.808830976 CET	49754	80	192.168.2.4	34.107.221.82
Oct 29, 2024 12:06:07.814188957 CET	80	49754	34.107.221.82	192.168.2.4
Oct 29, 2024 12:06:17.686742067 CET	49749	80	192.168.2.4	34.107.221.82
Oct 29, 2024 12:06:17.692260981 CET	80	49749	34.107.221.82	192.168.2.4
Oct 29, 2024 12:06:17.824810982 CET	49754	80	192.168.2.4	34.107.221.82
Oct 29, 2024 12:06:17.830271006 CET	80	49754	34.107.221.82	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 29, 2024 12:04:15.643443108 CET	56479	53	192.168.2.4	1.1.1.1
Oct 29, 2024 12:04:15.651341915 CET	53	56479	1.1.1.1	192.168.2.4
Oct 29, 2024 12:04:15.670823097 CET	58450	53	192.168.2.4	1.1.1.1
Oct 29, 2024 12:04:15.678649902 CET	53	58450	1.1.1.1	192.168.2.4
Oct 29, 2024 12:04:17.723798037 CET	61066	53	192.168.2.4	1.1.1.1
Oct 29, 2024 12:04:17.724066019 CET	63042	53	192.168.2.4	1.1.1.1
Oct 29, 2024 12:04:17.731292963 CET	53	61066	1.1.1.1	192.168.2.4
Oct 29, 2024 12:04:17.732326984 CET	51019	53	192.168.2.4	1.1.1.1
Oct 29, 2024 12:04:17.734467030 CET	51410	53	192.168.2.4	1.1.1.1
Oct 29, 2024 12:04:17.740053892 CET	53	51019	1.1.1.1	192.168.2.4
Oct 29, 2024 12:04:17.740681887 CET	50781	53	192.168.2.4	1.1.1.1
Oct 29, 2024 12:04:17.741868973 CET	53	51410	1.1.1.1	192.168.2.4
Oct 29, 2024 12:04:17.742973089 CET	50122	53	192.168.2.4	1.1.1.1
Oct 29, 2024 12:04:17.748184919 CET	53	50781	1.1.1.1	192.168.2.4
Oct 29, 2024 12:04:17.750385046 CET	53	50122	1.1.1.1	192.168.2.4
Oct 29, 2024 12:04:17.971811056 CET	58510	53	192.168.2.4	1.1.1.1
Oct 29, 2024 12:04:17.979404926 CET	53	58510	1.1.1.1	192.168.2.4
Oct 29, 2024 12:04:17.986044884 CET	64042	53	192.168.2.4	1.1.1.1
Oct 29, 2024 12:04:17.993262053 CET	53	64042	1.1.1.1	192.168.2.4
Oct 29, 2024 12:04:17.995800018 CET	50363	53	192.168.2.4	1.1.1.1
Oct 29, 2024 12:04:17.997308969 CET	52157	53	192.168.2.4	1.1.1.1
Oct 29, 2024 12:04:18.003993034 CET	53	50363	1.1.1.1	192.168.2.4
Oct 29, 2024 12:04:18.004740000 CET	53	52157	1.1.1.1	192.168.2.4
Oct 29, 2024 12:04:18.029135942 CET	63301	53	192.168.2.4	1.1.1.1
Oct 29, 2024 12:04:18.037445068 CET	53	63301	1.1.1.1	192.168.2.4
Oct 29, 2024 12:04:18.044187069 CET	63692	53	192.168.2.4	1.1.1.1
Oct 29, 2024 12:04:18.048180103 CET	64096	53	192.168.2.4	1.1.1.1
Oct 29, 2024 12:04:18.051736116 CET	53	63692	1.1.1.1	192.168.2.4
Oct 29, 2024 12:04:18.056200981 CET	53	64096	1.1.1.1	192.168.2.4
Oct 29, 2024 12:04:18.062351942 CET	65476	53	192.168.2.4	1.1.1.1
Oct 29, 2024 12:04:18.070169926 CET	53	65476	1.1.1.1	192.168.2.4
Oct 29, 2024 12:04:18.534658909 CET	52919	53	192.168.2.4	1.1.1.1
Oct 29, 2024 12:04:18.541897058 CET	53	52919	1.1.1.1	192.168.2.4
Oct 29, 2024 12:04:18.542884111 CET	62010	53	192.168.2.4	1.1.1.1
Oct 29, 2024 12:04:18.550424099 CET	53	62010	1.1.1.1	192.168.2.4
Oct 29, 2024 12:04:18.551239014 CET	64884	53	192.168.2.4	1.1.1.1
Oct 29, 2024 12:04:18.558926105 CET	53	64884	1.1.1.1	192.168.2.4
Oct 29, 2024 12:04:18.606822968 CET	56493	53	192.168.2.4	1.1.1.1
Oct 29, 2024 12:04:18.607213020 CET	53122	53	192.168.2.4	1.1.1.1
Oct 29, 2024 12:04:18.614131927 CET	53	56493	1.1.1.1	192.168.2.4
Oct 29, 2024 12:04:18.614290953 CET	53	53122	1.1.1.1	192.168.2.4
Oct 29, 2024 12:04:18.627612114 CET	51868	53	192.168.2.4	1.1.1.1
Oct 29, 2024 12:04:22.986136913 CET	61467	53	192.168.2.4	1.1.1.1
Oct 29, 2024 12:04:22.993874073 CET	53	61467	1.1.1.1	192.168.2.4
Oct 29, 2024 12:04:22.995255947 CET	50678	53	192.168.2.4	1.1.1.1
Oct 29, 2024 12:04:23.003106117 CET	53	50678	1.1.1.1	192.168.2.4
Oct 29, 2024 12:04:23.003814936 CET	63175	53	192.168.2.4	1.1.1.1
Oct 29, 2024 12:04:23.011732101 CET	53	63175	1.1.1.1	192.168.2.4
Oct 29, 2024 12:04:23.061506987 CET	56567	53	192.168.2.4	1.1.1.1
Oct 29, 2024 12:04:23.089270115 CET	53	53601	1.1.1.1	192.168.2.4
Oct 29, 2024 12:04:23.131365061 CET	57847	53	192.168.2.4	1.1.1.1
Oct 29, 2024 12:04:23.138525963 CET	53	57847	1.1.1.1	192.168.2.4
Oct 29, 2024 12:04:23.139678001 CET	57331	53	192.168.2.4	1.1.1.1
Oct 29, 2024 12:04:23.147725105 CET	53	57331	1.1.1.1	192.168.2.4
Oct 29, 2024 12:04:23.169612885 CET	60928	53	192.168.2.4	1.1.1.1
Oct 29, 2024 12:04:23.177051067 CET	53	60928	1.1.1.1	192.168.2.4
Oct 29, 2024 12:04:27.486430883 CET	60200	53	192.168.2.4	1.1.1.1
Oct 29, 2024 12:04:27.493907928 CET	53	60200	1.1.1.1	192.168.2.4
Oct 29, 2024 12:04:27.494585037 CET	53809	53	192.168.2.4	1.1.1.1
Oct 29, 2024 12:04:27.501764059 CET	53	53809	1.1.1.1	192.168.2.4
Oct 29, 2024 12:04:30.166508913 CET	53131	53	192.168.2.4	1.1.1.1
Oct 29, 2024 12:04:30.173578024 CET	53	53131	1.1.1.1	192.168.2.4
Oct 29, 2024 12:04:30.263611078 CET	51807	53	192.168.2.4	1.1.1.1
Oct 29, 2024 12:04:30.271049023 CET	53	51807	1.1.1.1	192.168.2.4
Oct 29, 2024 12:04:30.272182941 CET	52212	53	192.168.2.4	1.1.1.1
Oct 29, 2024 12:04:30.279364109 CET	53	52212	1.1.1.1	192.168.2.4
Oct 29, 2024 12:04:30.279900074 CET	63184	53	192.168.2.4	1.1.1.1
Oct 29, 2024 12:04:30.287488937 CET	53	63184	1.1.1.1	192.168.2.4
Oct 29, 2024 12:04:34.901211023 CET	61462	53	192.168.2.4	1.1.1.1
Oct 29, 2024 12:04:34.908747911 CET	53	61462	1.1.1.1	192.168.2.4
Oct 29, 2024 12:04:34.952938080 CET	64931	53	192.168.2.4	1.1.1.1
Oct 29, 2024 12:04:34.960798979 CET	53	64931	1.1.1.1	192.168.2.4
Oct 29, 2024 12:04:36.076283932 CET	65189	53	192.168.2.4	1.1.1.1
Oct 29, 2024 12:04:36.076426029 CET	59783	53	192.168.2.4	1.1.1.1
Oct 29, 2024 12:04:36.076668978 CET	56353	53	192.168.2.4	1.1.1.1
Oct 29, 2024 12:04:36.083806992 CET	53	59783	1.1.1.1	192.168.2.4
Oct 29, 2024 12:04:36.083839893 CET	53	65189	1.1.1.1	192.168.2.4
Oct 29, 2024 12:04:36.084541082 CET	53	56353	1.1.1.1	192.168.2.4
Oct 29, 2024 12:04:36.084729910 CET	49952	53	192.168.2.4	1.1.1.1
Oct 29, 2024 12:04:36.085361004 CET	62661	53	192.168.2.4	1.1.1.1
Oct 29, 2024 12:04:36.085807085 CET	53532	53	192.168.2.4	1.1.1.1
Oct 29, 2024 12:04:36.092722893 CET	53	49952	1.1.1.1	192.168.2.4
Oct 29, 2024 12:04:36.093691111 CET	53	62661	1.1.1.1	192.168.2.4
Oct 29, 2024 12:04:36.094506025 CET	53	53532	1.1.1.1	192.168.2.4
Oct 29, 2024 12:04:36.100343943 CET	50648	53	192.168.2.4	1.1.1.1
Oct 29, 2024 12:04:36.100614071 CET	62771	53	192.168.2.4	1.1.1.1
Oct 29, 2024 12:04:36.101285934 CET	49977	53	192.168.2.4	1.1.1.1
Oct 29, 2024 12:04:36.108207941 CET	53	50648	1.1.1.1	192.168.2.4
Oct 29, 2024 12:04:36.108357906 CET	53	62771	1.1.1.1	192.168.2.4
Oct 29, 2024 12:04:36.109076023 CET	53	49977	1.1.1.1	192.168.2.4
Oct 29, 2024 12:04:36.110529900 CET	65286	53	192.168.2.4	1.1.1.1
Oct 29, 2024 12:04:36.111246109 CET	61630	53	192.168.2.4	1.1.1.1
Oct 29, 2024 12:04:36.119358063 CET	53	65286	1.1.1.1	192.168.2.4
Oct 29, 2024 12:04:36.119939089 CET	60428	53	192.168.2.4	1.1.1.1
Oct 29, 2024 12:04:36.120050907 CET	53	61630	1.1.1.1	192.168.2.4
Oct 29, 2024 12:04:36.120589018 CET	54445	53	192.168.2.4	1.1.1.1
Oct 29, 2024 12:04:36.128519058 CET	53	54445	1.1.1.1	192.168.2.4
Oct 29, 2024 12:04:36.128535986 CET	53	60428	1.1.1.1	192.168.2.4
Oct 29, 2024 12:04:36.129029989 CET	57757	53	192.168.2.4	1.1.1.1
Oct 29, 2024 12:04:36.129086018 CET	53007	53	192.168.2.4	1.1.1.1
Oct 29, 2024 12:04:36.136456966 CET	53	57757	1.1.1.1	192.168.2.4
Oct 29, 2024 12:04:36.136490107 CET	53	53007	1.1.1.1	192.168.2.4
Oct 29, 2024 12:04:44.281671047 CET	56269	53	192.168.2.4	1.1.1.1
Oct 29, 2024 12:04:44.289066076 CET	53	56269	1.1.1.1	192.168.2.4
Oct 29, 2024 12:04:44.291855097 CET	51450	53	192.168.2.4	1.1.1.1
Oct 29, 2024 12:04:44.300575972 CET	53	51450	1.1.1.1	192.168.2.4
Oct 29, 2024 12:04:44.301677942 CET	63515	53	192.168.2.4	1.1.1.1
Oct 29, 2024 12:04:44.309278011 CET	53	63515	1.1.1.1	192.168.2.4
Oct 29, 2024 12:04:44.309793949 CET	50548	53	192.168.2.4	1.1.1.1
Oct 29, 2024 12:04:44.315700054 CET	61699	53	192.168.2.4	1.1.1.1
Oct 29, 2024 12:04:44.317133904 CET	53	50548	1.1.1.1	192.168.2.4
Oct 29, 2024 12:04:44.323086023 CET	53	61699	1.1.1.1	192.168.2.4
Oct 29, 2024 12:04:44.330416918 CET	63483	53	192.168.2.4	1.1.1.1
Oct 29, 2024 12:04:44.337995052 CET	53	63483	1.1.1.1	192.168.2.4
Oct 29, 2024 12:04:44.339649916 CET	57307	53	192.168.2.4	1.1.1.1
Oct 29, 2024 12:04:44.347556114 CET	53	57307	1.1.1.1	192.168.2.4
Oct 29, 2024 12:04:45.565989971 CET	61194	53	192.168.2.4	1.1.1.1
Oct 29, 2024 12:04:45.573348999 CET	53	61194	1.1.1.1	192.168.2.4
Oct 29, 2024 12:04:45.690485001 CET	49869	53	192.168.2.4	1.1.1.1
Oct 29, 2024 12:05:06.214833021 CET	55890	53	192.168.2.4	1.1.1.1
Oct 29, 2024 12:05:06.222210884 CET	53	55890	1.1.1.1	192.168.2.4
Oct 29, 2024 12:05:06.223526955 CET	61377	53	192.168.2.4	1.1.1.1
Oct 29, 2024 12:05:06.231662989 CET	53	61377	1.1.1.1	192.168.2.4
Oct 29, 2024 12:05:14.260607958 CET	54977	53	192.168.2.4	1.1.1.1
Oct 29, 2024 12:05:14.269156933 CET	53	54977	1.1.1.1	192.168.2.4
Oct 29, 2024 12:05:46.881907940 CET	64501	53	192.168.2.4	1.1.1.1
Oct 29, 2024 12:05:46.889503002 CET	53	64501	1.1.1.1	192.168.2.4
Oct 29, 2024 12:05:46.890556097 CET	53493	53	192.168.2.4	1.1.1.1
Oct 29, 2024 12:05:46.898324013 CET	53	53493	1.1.1.1	192.168.2.4
Oct 29, 2024 12:05:47.529297113 CET	59966	53	192.168.2.4	1.1.1.1

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 29, 2024 12:04:15.643443108 CET	192.168.2.4	1.1.1.1	0x9806	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 29, 2024 12:04:15.670823097 CET	192.168.2.4	1.1.1.1	0x2a0a	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 29, 2024 12:04:17.723798037 CET	192.168.2.4	1.1.1.1	0x9f44	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 12:04:17.724066019 CET	192.168.2.4	1.1.1.1	0xb701	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 12:04:17.732326984 CET	192.168.2.4	1.1.1.1	0x87e3	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 12:04:17.734467030 CET	192.168.2.4	1.1.1.1	0x5480	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 29, 2024 12:04:17.740681887 CET	192.168.2.4	1.1.1.1	0x1955	Standard query (0)	youtube.com	28	IN (0x0001)	false
Oct 29, 2024 12:04:17.742973089 CET	192.168.2.4	1.1.1.1	0xcc8	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 29, 2024 12:04:17.971811056 CET	192.168.2.4	1.1.1.1	0xf2f0	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 12:04:17.986044884 CET	192.168.2.4	1.1.1.1	0xbd5a	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 12:04:17.995800018 CET	192.168.2.4	1.1.1.1	0x3b20	Standard query (0)	contile.services.mozilla.com	28	IN (0x0001)	false
Oct 29, 2024 12:04:17.997308969 CET	192.168.2.4	1.1.1.1	0x308f	Standard query (0)	spocs.getpocket.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 12:04:18.029135942 CET	192.168.2.4	1.1.1.1	0x6aae	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 29, 2024 12:04:18.044187069 CET	192.168.2.4	1.1.1.1	0x7b14	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 29, 2024 12:04:18.048180103 CET	192.168.2.4	1.1.1.1	0x3d0b	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 29, 2024 12:04:18.062351942 CET	192.168.2.4	1.1.1.1	0x4a6c	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 29, 2024 12:04:18.534658909 CET	192.168.2.4	1.1.1.1	0x4479	Standard query (0)	content-signature-2.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Oct 29, 2024 12:04:18.542884111 CET	192.168.2.4	1.1.1.1	0x83c5	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 29, 2024 12:04:18.551239014 CET	192.168.2.4	1.1.1.1	0x99ea	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 29, 2024 12:04:18.606822968 CET	192.168.2.4	1.1.1.1	0xac3a	Standard query (0)	example.org	A (IP address)	IN (0x0001)	false
Oct 29, 2024 12:04:18.607213020 CET	192.168.2.4	1.1.1.1	0x3018	Standard query (0)	ipv4only.arpa	A (IP address)	IN (0x0001)	false
Oct 29, 2024 12:04:18.627612114 CET	192.168.2.4	1.1.1.1	0x136c	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 12:04:22.986136913 CET	192.168.2.4	1.1.1.1	0x6612	Standard query (0)	support.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 29, 2024 12:04:22.995255947 CET	192.168.2.4	1.1.1.1	0x24e8	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 29, 2024 12:04:23.003814936 CET	192.168.2.4	1.1.1.1	0x6ec4	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 29, 2024 12:04:23.061506987 CET	192.168.2.4	1.1.1.1	0x6a18	Standard query (0)	shavar.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 12:04:23.131365061 CET	192.168.2.4	1.1.1.1	0xc705	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 12:04:23.139678001 CET	192.168.2.4	1.1.1.1	0xaa89	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 12:04:23.169612885 CET	192.168.2.4	1.1.1.1	0x7fe8	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 29, 2024 12:04:27.486430883 CET	192.168.2.4	1.1.1.1	0x80cf	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 12:04:27.494585037 CET	192.168.2.4	1.1.1.1	0xe476	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 29, 2024 12:04:30.166508913 CET	192.168.2.4	1.1.1.1	0x331e	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 29, 2024 12:04:30.263611078 CET	192.168.2.4	1.1.1.1	0x412c	Standard query (0)	firefox.settings.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 12:04:30.272182941 CET	192.168.2.4	1.1.1.1	0x60c2	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 29, 2024 12:04:30.279900074 CET	192.168.2.4	1.1.1.1	0xf594	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 29, 2024 12:04:34.901211023 CET	192.168.2.4	1.1.1.1	0xa35a	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 29, 2024 12:04:34.952938080 CET	192.168.2.4	1.1.1.1	0x1eaa	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 29, 2024 12:04:36.076283932 CET	192.168.2.4	1.1.1.1	0xdf9c	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 12:04:36.076426029 CET	192.168.2.4	1.1.1.1	0xbccf	Standard query (0)	www.facebook.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 12:04:36.076668978 CET	192.168.2.4	1.1.1.1	0x15cd	Standard query (0)	www.wikipedia.org	A (IP address)	IN (0x0001)	false
Oct 29, 2024 12:04:36.084729910 CET	192.168.2.4	1.1.1.1	0x4f6e	Standard query (0)	star-mini.c10r.facebook.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 12:04:36.085361004 CET	192.168.2.4	1.1.1.1	0xfc49	Standard query (0)	youtube-ui.l.google.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 12:04:36.085807085 CET	192.168.2.4	1.1.1.1	0x3efa	Standard query (0)	dyna.wikimedia.org	A (IP address)	IN (0x0001)	false
Oct 29, 2024 12:04:36.100343943 CET	192.168.2.4	1.1.1.1	0x8d4e	Standard query (0)	star-mini.c10r.facebook.com	28	IN (0x0001)	false
Oct 29, 2024 12:04:36.100614071 CET	192.168.2.4	1.1.1.1	0xf2e5	Standard query (0)	dyna.wikimedia.org	28	IN (0x0001)	false
Oct 29, 2024 12:04:36.101285934 CET	192.168.2.4	1.1.1.1	0xc8a7	Standard query (0)	youtube-ui.l.google.com	28	IN (0x0001)	false
Oct 29, 2024 12:04:36.110529900 CET	192.168.2.4	1.1.1.1	0x6f01	Standard query (0)	www.reddit.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 12:04:36.111246109 CET	192.168.2.4	1.1.1.1	0x5e9d	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 12:04:36.119939089 CET	192.168.2.4	1.1.1.1	0xa202	Standard query (0)	reddit.map.fastly.net	A (IP address)	IN (0x0001)	false
Oct 29, 2024 12:04:36.120589018 CET	192.168.2.4	1.1.1.1	0xaa31	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 12:04:36.129029989 CET	192.168.2.4	1.1.1.1	0x3f8c	Standard query (0)	twitter.com	28	IN (0x0001)	false
Oct 29, 2024 12:04:36.129086018 CET	192.168.2.4	1.1.1.1	0xc881	Standard query (0)	reddit.map.fastly.net	28	IN (0x0001)	false
Oct 29, 2024 12:04:44.281671047 CET	192.168.2.4	1.1.1.1	0xfcac	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 29, 2024 12:04:44.291855097 CET	192.168.2.4	1.1.1.1	0x1971	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 29, 2024 12:04:44.301677942 CET	192.168.2.4	1.1.1.1	0x1d14	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 29, 2024 12:04:44.309793949 CET	192.168.2.4	1.1.1.1	0x6e2e	Standard query (0)	services.addons.mozilla.org	28	IN (0x0001)	false
Oct 29, 2024 12:04:44.315700054 CET	192.168.2.4	1.1.1.1	0xe0cc	Standard query (0)	normandy.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Oct 29, 2024 12:04:44.330416918 CET	192.168.2.4	1.1.1.1	0xfbf7	Standard query (0)	normandy-cdn.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 12:04:44.339649916 CET	192.168.2.4	1.1.1.1	0x3605	Standard query (0)	normandy-cdn.services.mozilla.com	28	IN (0x0001)	false
Oct 29, 2024 12:04:45.565989971 CET	192.168.2.4	1.1.1.1	0x6724	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 29, 2024 12:04:45.690485001 CET	192.168.2.4	1.1.1.1	0xe3a4	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 12:05:06.214833021 CET	192.168.2.4	1.1.1.1	0x9636	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 12:05:06.223526955 CET	192.168.2.4	1.1.1.1	0x8d15	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 29, 2024 12:05:14.260607958 CET	192.168.2.4	1.1.1.1	0xd2db	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 29, 2024 12:05:46.881907940 CET	192.168.2.4	1.1.1.1	0x94e9	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 12:05:46.890556097 CET	192.168.2.4	1.1.1.1	0xd485	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 29, 2024 12:05:47.529297113 CET	192.168.2.4	1.1.1.1	0x9713	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 29, 2024 12:04:15.635560036 CET	1.1.1.1	192.168.2.4	0xaaec	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Oct 29, 2024 12:04:15.651341915 CET	1.1.1.1	192.168.2.4	0x9806	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Oct 29, 2024 12:04:17.731292963 CET	1.1.1.1	192.168.2.4	0x9f44	No error (0)	youtube.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Oct 29, 2024 12:04:17.732669115 CET	1.1.1.1	192.168.2.4	0xb701	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 29, 2024 12:04:17.732669115 CET	1.1.1.1	192.168.2.4	0xb701	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 29, 2024 12:04:17.740053892 CET	1.1.1.1	192.168.2.4	0x87e3	No error (0)	youtube.com		142.250.185.174	A (IP address)	IN (0x0001)	false
Oct 29, 2024 12:04:17.741868973 CET	1.1.1.1	192.168.2.4	0x5480	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 29, 2024 12:04:17.748184919 CET	1.1.1.1	192.168.2.4	0x1955	No error (0)	youtube.com			28	IN (0x0001)	false
Oct 29, 2024 12:04:17.750385046 CET	1.1.1.1	192.168.2.4	0xcc8	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net			28	IN (0x0001)	false
Oct 29, 2024 12:04:17.979404926 CET	1.1.1.1	192.168.2.4	0xf2f0	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 29, 2024 12:04:17.993262053 CET	1.1.1.1	192.168.2.4	0xbd5a	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 29, 2024 12:04:18.004740000 CET	1.1.1.1	192.168.2.4	0x308f	No error (0)	spocs.getpocket.com	prod.ads.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 29, 2024 12:04:18.004740000 CET	1.1.1.1	192.168.2.4	0x308f	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 29, 2024 12:04:18.037445068 CET	1.1.1.1	192.168.2.4	0x6aae	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 29, 2024 12:04:18.045397997 CET	1.1.1.1	192.168.2.4	0xf03f	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 29, 2024 12:04:18.045397997 CET	1.1.1.1	192.168.2.4	0xf03f	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 29, 2024 12:04:18.056200981 CET	1.1.1.1	192.168.2.4	0x3d0b	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 29, 2024 12:04:18.541897058 CET	1.1.1.1	192.168.2.4	0x4479	No error (0)	content-signature-2.cdn.mozilla.net	content-signature-chains.prod.autograph.services.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 29, 2024 12:04:18.541897058 CET	1.1.1.1	192.168.2.4	0x4479	No error (0)	content-signature-chains.prod.autograph.services.mozaws.net	prod.content-signature-chains.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 29, 2024 12:04:18.541897058 CET	1.1.1.1	192.168.2.4	0x4479	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Oct 29, 2024 12:04:18.550424099 CET	1.1.1.1	192.168.2.4	0x83c5	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Oct 29, 2024 12:04:18.558926105 CET	1.1.1.1	192.168.2.4	0x99ea	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net			28	IN (0x0001)	false
Oct 29, 2024 12:04:18.614131927 CET	1.1.1.1	192.168.2.4	0xac3a	No error (0)	example.org		93.184.215.14	A (IP address)	IN (0x0001)	false
Oct 29, 2024 12:04:18.614290953 CET	1.1.1.1	192.168.2.4	0x3018	No error (0)	ipv4only.arpa		192.0.0.170	A (IP address)	IN (0x0001)	false
Oct 29, 2024 12:04:18.614290953 CET	1.1.1.1	192.168.2.4	0x3018	No error (0)	ipv4only.arpa		192.0.0.171	A (IP address)	IN (0x0001)	false
Oct 29, 2024 12:04:18.635582924 CET	1.1.1.1	192.168.2.4	0x136c	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 29, 2024 12:04:18.635582924 CET	1.1.1.1	192.168.2.4	0x136c	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 29, 2024 12:04:22.993874073 CET	1.1.1.1	192.168.2.4	0x6612	No error (0)	support.mozilla.org	prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 29, 2024 12:04:22.993874073 CET	1.1.1.1	192.168.2.4	0x6612	No error (0)	prod.sumo.prod.webservices.mozgcp.net	us-west1.prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 29, 2024 12:04:22.993874073 CET	1.1.1.1	192.168.2.4	0x6612	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Oct 29, 2024 12:04:23.003106117 CET	1.1.1.1	192.168.2.4	0x24e8	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Oct 29, 2024 12:04:23.069957018 CET	1.1.1.1	192.168.2.4	0x6a18	No error (0)	shavar.services.mozilla.com	shavar.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 29, 2024 12:04:23.138525963 CET	1.1.1.1	192.168.2.4	0xc705	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 29, 2024 12:04:23.147725105 CET	1.1.1.1	192.168.2.4	0xaa89	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 29, 2024 12:04:27.485457897 CET	1.1.1.1	192.168.2.4	0x964d	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 29, 2024 12:04:27.493907928 CET	1.1.1.1	192.168.2.4	0x80cf	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 29, 2024 12:04:30.114993095 CET	1.1.1.1	192.168.2.4	0x6db0	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 29, 2024 12:04:30.172797918 CET	1.1.1.1	192.168.2.4	0xa420	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 29, 2024 12:04:30.172797918 CET	1.1.1.1	192.168.2.4	0xa420	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 29, 2024 12:04:30.271049023 CET	1.1.1.1	192.168.2.4	0x412c	No error (0)	firefox.settings.services.mozilla.com	prod.remote-settings.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 29, 2024 12:04:30.271049023 CET	1.1.1.1	192.168.2.4	0x412c	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Oct 29, 2024 12:04:30.279364109 CET	1.1.1.1	192.168.2.4	0x60c2	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Oct 29, 2024 12:04:36.083806992 CET	1.1.1.1	192.168.2.4	0xbccf	No error (0)	www.facebook.com	star-mini.c10r.facebook.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 29, 2024 12:04:36.083806992 CET	1.1.1.1	192.168.2.4	0xbccf	No error (0)	star-mini.c10r.facebook.com		157.240.0.35	A (IP address)	IN (0x0001)	false
Oct 29, 2024 12:04:36.083839893 CET	1.1.1.1	192.168.2.4	0xdf9c	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 29, 2024 12:04:36.083839893 CET	1.1.1.1	192.168.2.4	0xdf9c	No error (0)	youtube-ui.l.google.com		216.58.206.78	A (IP address)	IN (0x0001)	false
Oct 29, 2024 12:04:36.083839893 CET	1.1.1.1	192.168.2.4	0xdf9c	No error (0)	youtube-ui.l.google.com		172.217.18.110	A (IP address)	IN (0x0001)	false
Oct 29, 2024 12:04:36.083839893 CET	1.1.1.1	192.168.2.4	0xdf9c	No error (0)	youtube-ui.l.google.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Oct 29, 2024 12:04:36.083839893 CET	1.1.1.1	192.168.2.4	0xdf9c	No error (0)	youtube-ui.l.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Oct 29, 2024 12:04:36.083839893 CET	1.1.1.1	192.168.2.4	0xdf9c	No error (0)	youtube-ui.l.google.com		142.250.186.78	A (IP address)	IN (0x0001)	false
Oct 29, 2024 12:04:36.083839893 CET	1.1.1.1	192.168.2.4	0xdf9c	No error (0)	youtube-ui.l.google.com		142.250.186.46	A (IP address)	IN (0x0001)	false
Oct 29, 2024 12:04:36.083839893 CET	1.1.1.1	192.168.2.4	0xdf9c	No error (0)	youtube-ui.l.google.com		142.250.181.238	A (IP address)	IN (0x0001)	false
Oct 29, 2024 12:04:36.083839893 CET	1.1.1.1	192.168.2.4	0xdf9c	No error (0)	youtube-ui.l.google.com		142.250.185.174	A (IP address)	IN (0x0001)	false
Oct 29, 2024 12:04:36.083839893 CET	1.1.1.1	192.168.2.4	0xdf9c	No error (0)	youtube-ui.l.google.com		216.58.212.174	A (IP address)	IN (0x0001)	false
Oct 29, 2024 12:04:36.083839893 CET	1.1.1.1	192.168.2.4	0xdf9c	No error (0)	youtube-ui.l.google.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Oct 29, 2024 12:04:36.083839893 CET	1.1.1.1	192.168.2.4	0xdf9c	No error (0)	youtube-ui.l.google.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Oct 29, 2024 12:04:36.083839893 CET	1.1.1.1	192.168.2.4	0xdf9c	No error (0)	youtube-ui.l.google.com		216.58.206.46	A (IP address)	IN (0x0001)	false
Oct 29, 2024 12:04:36.083839893 CET	1.1.1.1	192.168.2.4	0xdf9c	No error (0)	youtube-ui.l.google.com		142.250.185.110	A (IP address)	IN (0x0001)	false
Oct 29, 2024 12:04:36.083839893 CET	1.1.1.1	192.168.2.4	0xdf9c	No error (0)	youtube-ui.l.google.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Oct 29, 2024 12:04:36.083839893 CET	1.1.1.1	192.168.2.4	0xdf9c	No error (0)	youtube-ui.l.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Oct 29, 2024 12:04:36.083839893 CET	1.1.1.1	192.168.2.4	0xdf9c	No error (0)	youtube-ui.l.google.com		172.217.16.142	A (IP address)	IN (0x0001)	false
Oct 29, 2024 12:04:36.084541082 CET	1.1.1.1	192.168.2.4	0x15cd	No error (0)	www.wikipedia.org	dyna.wikimedia.org		CNAME (Canonical name)	IN (0x0001)	false
Oct 29, 2024 12:04:36.084541082 CET	1.1.1.1	192.168.2.4	0x15cd	No error (0)	dyna.wikimedia.org		185.15.59.224	A (IP address)	IN (0x0001)	false
Oct 29, 2024 12:04:36.092722893 CET	1.1.1.1	192.168.2.4	0x4f6e	No error (0)	star-mini.c10r.facebook.com		157.240.0.35	A (IP address)	IN (0x0001)	false
Oct 29, 2024 12:04:36.093691111 CET	1.1.1.1	192.168.2.4	0xfc49	No error (0)	youtube-ui.l.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Oct 29, 2024 12:04:36.093691111 CET	1.1.1.1	192.168.2.4	0xfc49	No error (0)	youtube-ui.l.google.com		172.217.18.14	A (IP address)	IN (0x0001)	false
Oct 29, 2024 12:04:36.093691111 CET	1.1.1.1	192.168.2.4	0xfc49	No error (0)	youtube-ui.l.google.com		172.217.16.142	A (IP address)	IN (0x0001)	false
Oct 29, 2024 12:04:36.093691111 CET	1.1.1.1	192.168.2.4	0xfc49	No error (0)	youtube-ui.l.google.com		142.250.181.238	A (IP address)	IN (0x0001)	false
Oct 29, 2024 12:04:36.093691111 CET	1.1.1.1	192.168.2.4	0xfc49	No error (0)	youtube-ui.l.google.com		142.250.186.110	A (IP address)	IN (0x0001)	false
Oct 29, 2024 12:04:36.093691111 CET	1.1.1.1	192.168.2.4	0xfc49	No error (0)	youtube-ui.l.google.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Oct 29, 2024 12:04:36.093691111 CET	1.1.1.1	192.168.2.4	0xfc49	No error (0)	youtube-ui.l.google.com		142.250.186.46	A (IP address)	IN (0x0001)	false
Oct 29, 2024 12:04:36.093691111 CET	1.1.1.1	192.168.2.4	0xfc49	No error (0)	youtube-ui.l.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Oct 29, 2024 12:04:36.093691111 CET	1.1.1.1	192.168.2.4	0xfc49	No error (0)	youtube-ui.l.google.com		142.250.185.174	A (IP address)	IN (0x0001)	false
Oct 29, 2024 12:04:36.093691111 CET	1.1.1.1	192.168.2.4	0xfc49	No error (0)	youtube-ui.l.google.com		172.217.16.206	A (IP address)	IN (0x0001)	false
Oct 29, 2024 12:04:36.093691111 CET	1.1.1.1	192.168.2.4	0xfc49	No error (0)	youtube-ui.l.google.com		142.250.185.110	A (IP address)	IN (0x0001)	false
Oct 29, 2024 12:04:36.093691111 CET	1.1.1.1	192.168.2.4	0xfc49	No error (0)	youtube-ui.l.google.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Oct 29, 2024 12:04:36.093691111 CET	1.1.1.1	192.168.2.4	0xfc49	No error (0)	youtube-ui.l.google.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Oct 29, 2024 12:04:36.093691111 CET	1.1.1.1	192.168.2.4	0xfc49	No error (0)	youtube-ui.l.google.com		216.58.206.46	A (IP address)	IN (0x0001)	false
Oct 29, 2024 12:04:36.093691111 CET	1.1.1.1	192.168.2.4	0xfc49	No error (0)	youtube-ui.l.google.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Oct 29, 2024 12:04:36.093691111 CET	1.1.1.1	192.168.2.4	0xfc49	No error (0)	youtube-ui.l.google.com		142.250.186.78	A (IP address)	IN (0x0001)	false
Oct 29, 2024 12:04:36.094506025 CET	1.1.1.1	192.168.2.4	0x3efa	No error (0)	dyna.wikimedia.org		185.15.59.224	A (IP address)	IN (0x0001)	false
Oct 29, 2024 12:04:36.108207941 CET	1.1.1.1	192.168.2.4	0x8d4e	No error (0)	star-mini.c10r.facebook.com			28	IN (0x0001)	false
Oct 29, 2024 12:04:36.108357906 CET	1.1.1.1	192.168.2.4	0xf2e5	No error (0)	dyna.wikimedia.org			28	IN (0x0001)	false
Oct 29, 2024 12:04:36.109076023 CET	1.1.1.1	192.168.2.4	0xc8a7	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 29, 2024 12:04:36.109076023 CET	1.1.1.1	192.168.2.4	0xc8a7	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 29, 2024 12:04:36.109076023 CET	1.1.1.1	192.168.2.4	0xc8a7	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 29, 2024 12:04:36.109076023 CET	1.1.1.1	192.168.2.4	0xc8a7	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 29, 2024 12:04:36.119358063 CET	1.1.1.1	192.168.2.4	0x6f01	No error (0)	www.reddit.com	reddit.map.fastly.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 29, 2024 12:04:36.119358063 CET	1.1.1.1	192.168.2.4	0x6f01	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Oct 29, 2024 12:04:36.119358063 CET	1.1.1.1	192.168.2.4	0x6f01	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Oct 29, 2024 12:04:36.119358063 CET	1.1.1.1	192.168.2.4	0x6f01	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Oct 29, 2024 12:04:36.119358063 CET	1.1.1.1	192.168.2.4	0x6f01	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Oct 29, 2024 12:04:36.120050907 CET	1.1.1.1	192.168.2.4	0x5e9d	No error (0)	twitter.com		104.244.42.1	A (IP address)	IN (0x0001)	false
Oct 29, 2024 12:04:36.128519058 CET	1.1.1.1	192.168.2.4	0xaa31	No error (0)	twitter.com		104.244.42.1	A (IP address)	IN (0x0001)	false
Oct 29, 2024 12:04:36.128535986 CET	1.1.1.1	192.168.2.4	0xa202	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Oct 29, 2024 12:04:36.128535986 CET	1.1.1.1	192.168.2.4	0xa202	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Oct 29, 2024 12:04:36.128535986 CET	1.1.1.1	192.168.2.4	0xa202	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Oct 29, 2024 12:04:36.128535986 CET	1.1.1.1	192.168.2.4	0xa202	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Oct 29, 2024 12:04:44.280352116 CET	1.1.1.1	192.168.2.4	0xc9f6	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 29, 2024 12:04:44.280352116 CET	1.1.1.1	192.168.2.4	0xc9f6	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 29, 2024 12:04:44.300575972 CET	1.1.1.1	192.168.2.4	0x1971	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Oct 29, 2024 12:04:44.300575972 CET	1.1.1.1	192.168.2.4	0x1971	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Oct 29, 2024 12:04:44.300575972 CET	1.1.1.1	192.168.2.4	0x1971	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Oct 29, 2024 12:04:44.300575972 CET	1.1.1.1	192.168.2.4	0x1971	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Oct 29, 2024 12:04:44.309278011 CET	1.1.1.1	192.168.2.4	0x1d14	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Oct 29, 2024 12:04:44.309278011 CET	1.1.1.1	192.168.2.4	0x1d14	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Oct 29, 2024 12:04:44.309278011 CET	1.1.1.1	192.168.2.4	0x1d14	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Oct 29, 2024 12:04:44.309278011 CET	1.1.1.1	192.168.2.4	0x1d14	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Oct 29, 2024 12:04:44.317133904 CET	1.1.1.1	192.168.2.4	0x6e2e	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Oct 29, 2024 12:04:44.317133904 CET	1.1.1.1	192.168.2.4	0x6e2e	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Oct 29, 2024 12:04:44.317133904 CET	1.1.1.1	192.168.2.4	0x6e2e	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Oct 29, 2024 12:04:44.317133904 CET	1.1.1.1	192.168.2.4	0x6e2e	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Oct 29, 2024 12:04:44.323086023 CET	1.1.1.1	192.168.2.4	0xe0cc	No error (0)	normandy.cdn.mozilla.net	normandy-cdn.services.mozilla.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 29, 2024 12:04:44.323086023 CET	1.1.1.1	192.168.2.4	0xe0cc	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Oct 29, 2024 12:04:44.337995052 CET	1.1.1.1	192.168.2.4	0xfbf7	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Oct 29, 2024 12:04:45.568064928 CET	1.1.1.1	192.168.2.4	0x96aa	No error (0)	a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com	a17.rackcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 29, 2024 12:04:45.568064928 CET	1.1.1.1	192.168.2.4	0x96aa	No error (0)	a17.rackcdn.com	a17.rackcdn.com.mdc.edgesuite.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 29, 2024 12:04:45.698324919 CET	1.1.1.1	192.168.2.4	0xe3a4	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 29, 2024 12:04:45.698324919 CET	1.1.1.1	192.168.2.4	0xe3a4	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 29, 2024 12:05:06.222210884 CET	1.1.1.1	192.168.2.4	0x9636	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 29, 2024 12:05:14.258950949 CET	1.1.1.1	192.168.2.4	0xeb23	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 29, 2024 12:05:46.889503002 CET	1.1.1.1	192.168.2.4	0x94e9	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 29, 2024 12:05:47.537120104 CET	1.1.1.1	192.168.2.4	0x9713	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 29, 2024 12:05:47.537120104 CET	1.1.1.1	192.168.2.4	0x9713	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

detectportal.firefox.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49739	34.107.221.82	80	7808	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 29, 2024 12:04:17.834702015 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 29, 2024 12:04:18.426915884 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 28 Oct 2024 14:39:46 GMT Age: 73472 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49747	34.107.221.82	80	7808	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 29, 2024 12:04:18.646435976 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 29, 2024 12:04:19.253617048 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 28 Oct 2024 12:53:45 GMT Age: 79834 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49749	34.107.221.82	80	7808	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 29, 2024 12:04:18.941425085 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 29, 2024 12:04:19.528903008 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 28 Oct 2024 14:39:46 GMT Age: 73473 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 29, 2024 12:04:22.967993021 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 29, 2024 12:04:23.091083050 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 28 Oct 2024 14:39:46 GMT Age: 73477 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 29, 2024 12:04:29.668119907 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 29, 2024 12:04:29.791737080 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 28 Oct 2024 14:39:46 GMT Age: 73483 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 29, 2024 12:04:30.835541010 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 29, 2024 12:04:30.958775997 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 28 Oct 2024 14:39:46 GMT Age: 73484 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 29, 2024 12:04:34.055237055 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 29, 2024 12:04:34.178329945 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 28 Oct 2024 14:39:46 GMT Age: 73488 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 29, 2024 12:04:35.524647951 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 29, 2024 12:04:35.647599936 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 28 Oct 2024 14:39:46 GMT Age: 73489 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 29, 2024 12:04:36.232263088 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 29, 2024 12:04:36.355254889 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 28 Oct 2024 14:39:46 GMT Age: 73490 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 29, 2024 12:04:36.851507902 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 29, 2024 12:04:36.976619005 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 28 Oct 2024 14:39:46 GMT Age: 73490 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 29, 2024 12:04:44.885629892 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 29, 2024 12:04:45.008891106 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 28 Oct 2024 14:39:46 GMT Age: 73498 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 29, 2024 12:04:45.555365086 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 29, 2024 12:04:45.687773943 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 28 Oct 2024 14:39:46 GMT Age: 73499 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 29, 2024 12:04:46.193692923 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 29, 2024 12:04:46.317126036 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 28 Oct 2024 14:39:46 GMT Age: 73500 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 29, 2024 12:04:51.922153950 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 29, 2024 12:04:52.045496941 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 28 Oct 2024 14:39:46 GMT Age: 73505 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 29, 2024 12:05:02.046881914 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 29, 2024 12:05:06.872062922 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 29, 2024 12:05:06.995387077 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 28 Oct 2024 14:39:46 GMT Age: 73520 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 29, 2024 12:05:14.934662104 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 29, 2024 12:05:15.057945967 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 28 Oct 2024 14:39:46 GMT Age: 73528 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 29, 2024 12:05:25.062531948 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 29, 2024 12:05:35.076438904 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 29, 2024 12:05:45.095954895 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 29, 2024 12:05:47.529098988 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 29, 2024 12:05:47.652364969 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 28 Oct 2024 14:39:46 GMT Age: 73561 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 29, 2024 12:05:57.663501024 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 29, 2024 12:06:07.677133083 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 29, 2024 12:06:17.686742067 CET	6	OUT	Data Raw: 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49754	34.107.221.82	80	7808	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 29, 2024 12:04:20.107232094 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 29, 2024 12:04:20.735722065 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 28 Oct 2024 12:53:45 GMT Age: 79835 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 29, 2024 12:04:23.106410980 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 29, 2024 12:04:23.238010883 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 28 Oct 2024 12:53:45 GMT Age: 79838 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 29, 2024 12:04:30.124939919 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 29, 2024 12:04:30.259721994 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 28 Oct 2024 12:53:45 GMT Age: 79845 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 29, 2024 12:04:31.153425932 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 29, 2024 12:04:31.285259008 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 28 Oct 2024 12:53:45 GMT Age: 79846 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 29, 2024 12:04:34.901371002 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 29, 2024 12:04:35.033593893 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 28 Oct 2024 12:53:45 GMT Age: 79849 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 29, 2024 12:04:35.651659012 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 29, 2024 12:04:35.783307076 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 28 Oct 2024 12:53:45 GMT Age: 79850 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 29, 2024 12:04:36.358791113 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 29, 2024 12:04:36.492516041 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 28 Oct 2024 12:53:45 GMT Age: 79851 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 29, 2024 12:04:36.980179071 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 29, 2024 12:04:37.111857891 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 28 Oct 2024 12:53:45 GMT Age: 79852 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 29, 2024 12:04:45.014309883 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 29, 2024 12:04:45.145941019 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 28 Oct 2024 12:53:45 GMT Age: 79860 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 29, 2024 12:04:45.690284014 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 29, 2024 12:04:45.822122097 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 28 Oct 2024 12:53:45 GMT Age: 79860 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 29, 2024 12:04:46.320463896 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 29, 2024 12:04:46.452471018 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 28 Oct 2024 12:53:45 GMT Age: 79861 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 29, 2024 12:04:52.048211098 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 29, 2024 12:04:52.180099010 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 28 Oct 2024 12:53:45 GMT Age: 79867 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 29, 2024 12:05:02.194046974 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 29, 2024 12:05:06.998882055 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 29, 2024 12:05:07.130212069 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 28 Oct 2024 12:53:45 GMT Age: 79882 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 29, 2024 12:05:15.653819084 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 29, 2024 12:05:15.785685062 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 28 Oct 2024 12:53:45 GMT Age: 79890 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 29, 2024 12:05:25.795979977 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 29, 2024 12:05:35.809849977 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 29, 2024 12:05:46.631261110 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 29, 2024 12:05:47.655741930 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 29, 2024 12:05:47.787595034 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 28 Oct 2024 12:53:45 GMT Age: 79922 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 29, 2024 12:05:57.795160055 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 29, 2024 12:06:07.808830976 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 29, 2024 12:06:17.824810982 CET	6	OUT	Data Raw: 00 Data Ascii:

Target ID:	0
Start time:	07:04:08
Start date:	29/10/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x180000
File size:	919'552 bytes
MD5 hash:	DE264BA7680E76241175C16744682089
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	07:04:08
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM firefox.exe /T
Imagebase:	0x760000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	07:04:08
Start date:	29/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	07:04:10
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM chrome.exe /T
Imagebase:	0x760000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	07:04:10
Start date:	29/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	07:04:11
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM msedge.exe /T
Imagebase:	0x760000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	07:04:11
Start date:	29/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	07:04:11
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM opera.exe /T
Imagebase:	0x760000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	07:04:11
Start date:	29/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	07:04:11
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM brave.exe /T
Imagebase:	0x760000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	07:04:11
Start date:	29/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	07:04:11
Start date:	29/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	07:04:11
Start date:	29/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	07:04:11
Start date:	29/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	15
Start time:	07:04:12
Start date:	29/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2288 -parentBuildID 20230927232528 -prefsHandle 2216 -prefMapHandle 2208 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {16b0dd87-cb53-4d7f-b59c-68651654e598} 7808 "\\.\pipe\gecko-crash-server-pipe.7808" 27144570910 socket
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	07:04:14
Start date:	29/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4252 -parentBuildID 20230927232528 -prefsHandle 4128 -prefMapHandle 4272 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0fc749c5-51b2-47f8-8a6f-ee68df8536cf} 7808 "\\.\pipe\gecko-crash-server-pipe.7808" 27154f56210 rdd
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	20
Start time:	07:04:29
Start date:	29/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3068 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 4996 -prefMapHandle 4976 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {83397ebb-96fd-4a7a-b706-8ac66586f8d4} 7808 "\\.\pipe\gecko-crash-server-pipe.7808" 27155aa5710 utility
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	6.8%
Total number of Nodes:	1550
Total number of Limit Nodes:	63

Executed Functions

Function 001842DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 0018430D

Part of subcall function 00186B57: _wcslen.LIBCMT ref: 00186B6A

GetCurrentProcess.KERNEL32(?,0021CB64,00000000,?,?), ref: 00184422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00184429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00184454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00184466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00184474
FreeLibrary.KERNEL32(00000000,?,?), ref: 0018447B
GetSystemInfo.KERNEL32(?,?,?), ref: 001844A0

Strings

kernel32.dll, xrefs: 0018444F
GetNativeSystemInfo, xrefs: 00184460
|O, xrefs: 001C36F8

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: d5087a8a4c9cb2e45eb9bed39b902c0c0a26aa78f26ba23034e727317116e5fd
Instruction ID: 842f7960bcbaa43022de5312ad46ddf0f315e9f17a62a8357f920ba864153e4d
Opcode Fuzzy Hash: d5087a8a4c9cb2e45eb9bed39b902c0c0a26aa78f26ba23034e727317116e5fd
Instruction Fuzzy Hash: 2DA1D27590A3C0FFC715DB68B86C7947FA46F36346B1888DCE04193A61D7304AA8CB29

Function 001842A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,001850AA,?,?,00000000,00000000), ref: 001842B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,001850AA,?,?,00000000,00000000), ref: 001842C9
LoadResource.KERNEL32(?,00000000,?,?,001850AA,?,?,00000000,00000000,?,?,?,?,?,?,00184F20), ref: 001C35BE
SizeofResource.KERNEL32(?,00000000,?,?,001850AA,?,?,00000000,00000000,?,?,?,?,?,?,00184F20), ref: 001C35D3
LockResource.KERNEL32(001850AA,?,?,001850AA,?,?,00000000,00000000,?,?,?,?,?,?,00184F20,?), ref: 001C35E6

Strings

SCRIPT, xrefs: 001842BF

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 20d6247b649cf9b68522475206e128cd7d2ce2a04fd542353175e6012504f2d5
Instruction ID: cbdf4a9d694f870eaae41d7c27f59d59e11a4546672097955519ee7bbadcb429
Opcode Fuzzy Hash: 20d6247b649cf9b68522475206e128cd7d2ce2a04fd542353175e6012504f2d5
Instruction Fuzzy Hash: 7211AC78240305BFD7219B65EC48FA77BBAEBD9B55F208169B802C6250DF71D9008A20

Function 001C2BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00182B6B

Part of subcall function 00183A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00251418,?,00182E7F,?,?,?,00000000), ref: 00183A78

Part of subcall function 00189CB3: _wcslen.LIBCMT ref: 00189CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00242224), ref: 001C2C10
ShellExecuteW.SHELL32(00000000,?,?,00242224), ref: 001C2C17

Strings

runas, xrefs: 001C2C0B

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: 531b8f579c20a1462138e00e18e431b65ac6e350d0eb9ad620e28203e94bf032
Instruction ID: a8984c2846ba20213619a9366baaee7d85276a9cd09d6a9af04c07206ef3d4eb
Opcode Fuzzy Hash: 531b8f579c20a1462138e00e18e431b65ac6e350d0eb9ad620e28203e94bf032
Instruction Fuzzy Hash: 4D11D331208305AAC719FF60E855EBEB7A4ABB2741F48142DF492570A2CF318B5A8F12

Function 001ED4DC Relevance: 6.1, APIs: 4, Instructions: 86
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 001ED501
Process32FirstW.KERNEL32(00000000,?), ref: 001ED50F
Process32NextW.KERNEL32(00000000,?), ref: 001ED52F
CloseHandle.KERNELBASE(00000000), ref: 001ED5DC

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: b2b01603473b849fed892b34c472e733425cb7384ede6a2047d8c8d3ea7ba6e5
Instruction ID: bb764770f4eef3a46fba917020aa7500a7ad7283d51cf479315f4fecb6d3fffe
Opcode Fuzzy Hash: b2b01603473b849fed892b34c472e733425cb7384ede6a2047d8c8d3ea7ba6e5
Instruction Fuzzy Hash: 4E31D4310083409FD304EF54E885ABFBBF8EFA9344F14092DF585871A1EB719A49CB92

Function 001EDBBE Relevance: 6.0, APIs: 4, Instructions: 29
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(?,001C5222), ref: 001EDBCE
GetFileAttributesW.KERNELBASE(?), ref: 001EDBDD
FindFirstFileW.KERNEL32(?,?), ref: 001EDBEE
FindClose.KERNEL32(00000000), ref: 001EDBFA

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: cc813d0a7ab1d1056f05e282e7600dc233b8795dc9d63d18d1518b221ff7732c
Instruction ID: a48cfffe09c6ac8cb128ad7968c5b99a0a5bd859055e59c487e7354b1bcceabe
Opcode Fuzzy Hash: cc813d0a7ab1d1056f05e282e7600dc233b8795dc9d63d18d1518b221ff7732c
Instruction Fuzzy Hash: D4F0A9308909106782206B7CBC0D8AE37AC9E02374B30870AF836C20E0EFB099A48696

Function 001A4CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(001B28E9,?,001A4CBE,001B28E9,002488B8,0000000C,001A4E15,001B28E9,00000002,00000000,?,001B28E9), ref: 001A4D09
TerminateProcess.KERNEL32(00000000,?,001A4CBE,001B28E9,002488B8,0000000C,001A4E15,001B28E9,00000002,00000000,?,001B28E9), ref: 001A4D10
ExitProcess.KERNEL32 ref: 001A4D22

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 78694d6921f33ac3b3e456f51127eda8d3f441c9e221c4fab5db1700e141c3c4
Instruction ID: d98caa34f829828da21a9003fbf2637e9e4f7ef323963052f04a621388e07158
Opcode Fuzzy Hash: 78694d6921f33ac3b3e456f51127eda8d3f441c9e221c4fab5db1700e141c3c4
Instruction Fuzzy Hash: ADE0B639040248ABCF11AF94ED0DA987B69EBA6785B208054FD198A122DB75DE52CA80

Function 0018BF40 Relevance: 2.4, Strings: 1, Instructions: 1178COMMON

Download Yara Rule

Strings

p#%, xrefs: 001D07CE

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: BuffCharUpper
String ID: p#%
API String ID: 3964851224-1578963556
Opcode ID: 646228c62b62776174b1cd6054616bd0a3bfe5e5ccbf1fef86534ecb70641729
Instruction ID: 7a6e78ce650ce530eeba99effd4406ed08895f3a0098db782e298caeea093667
Opcode Fuzzy Hash: 646228c62b62776174b1cd6054616bd0a3bfe5e5ccbf1fef86534ecb70641729
Instruction Fuzzy Hash: 3BA25B70A083019FD715DF28C480B2AB7E1BF99304F15896EE99A8B352D771ED45CFA2

Function 0020AFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 0020B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0020B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0020B1D4
_wcslen.LIBCMT ref: 0020B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0020B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0020B236
_wcslen.LIBCMT ref: 0020B332

Part of subcall function 001F05A7: GetStdHandle.KERNEL32(000000F6), ref: 001F05C6

_wcslen.LIBCMT ref: 0020B34B
_wcslen.LIBCMT ref: 0020B366
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0020B3B6
GetLastError.KERNEL32(00000000), ref: 0020B407
CloseHandle.KERNEL32(?), ref: 0020B439
CloseHandle.KERNEL32(00000000), ref: 0020B44A
CloseHandle.KERNEL32(00000000), ref: 0020B45C
CloseHandle.KERNEL32(00000000), ref: 0020B46E
CloseHandle.KERNEL32(?), ref: 0020B4E3

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: c824f0f4ea2312b712053b63aa111a92a4d29359821b1e251fba36adfafd5b1c
Instruction ID: a105c23cc427cdc9e9757825b6cbeb58547d973be5dc54e78fe69d48c16a0a49
Opcode Fuzzy Hash: c824f0f4ea2312b712053b63aa111a92a4d29359821b1e251fba36adfafd5b1c
Instruction Fuzzy Hash: DFF1AC316183419FCB25EF24C891B6EBBE1AF95314F24845DF8998B2E2DB31ED50CB52

Function 0018D730 Relevance: 21.6, APIs: 14, Instructions: 618windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 0018D807
timeGetTime.WINMM ref: 0018DA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0018DB28
TranslateMessage.USER32(?), ref: 0018DB7B
DispatchMessageW.USER32(?), ref: 0018DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0018DB9F
Sleep.KERNELBASE(0000000A), ref: 0018DBB1

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 5bc74f6f70721d1bb73e6ae9b96fdde48ff1c7815a519c432f61694ff57a21e9
Instruction ID: 56247fedbfc85db46c83edb8cee9096fe04314826973270550e1893690d7858f
Opcode Fuzzy Hash: 5bc74f6f70721d1bb73e6ae9b96fdde48ff1c7815a519c432f61694ff57a21e9
Instruction Fuzzy Hash: 6842CF30608341EFD728EF24E888BAAB7E1BF66314F55855AE465873D1D770EA44CF82

Function 00182CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00182D07
RegisterClassExW.USER32(00000030), ref: 00182D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00182D42
InitCommonControlsEx.COMCTL32(?), ref: 00182D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00182D6F
LoadIconW.USER32(000000A9), ref: 00182D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00182D94

Strings

0, xrefs: 00182CE9
+, xrefs: 00182CF0
AutoIt v3 GUI, xrefs: 00182D23
TaskbarCreated, xrefs: 00182D37

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 7904067e0a3f43d88552629b8b0afc15ff1451d5b791eb458ed9ac80d4d683c9
Instruction ID: 7d928273823ff12d29665c6daeff736462339eedf7fa093bb2999fe7d632886d
Opcode Fuzzy Hash: 7904067e0a3f43d88552629b8b0afc15ff1451d5b791eb458ed9ac80d4d683c9
Instruction Fuzzy Hash: 1421C3B9991318AFDB00DFA4F84DBEDBBB8FB18701F10811AF511A62A0DBB14554CF95

Function 001C065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 001C039A: CreateFileW.KERNELBASE(00000000,00000000,?,001C0704,?,?,00000000,?,001C0704,00000000,0000000C), ref: 001C03B7

GetLastError.KERNEL32 ref: 001C076F
__dosmaperr.LIBCMT ref: 001C0776
GetFileType.KERNELBASE(00000000), ref: 001C0782
GetLastError.KERNEL32 ref: 001C078C
__dosmaperr.LIBCMT ref: 001C0795
CloseHandle.KERNEL32(00000000), ref: 001C07B5
CloseHandle.KERNEL32(?), ref: 001C08FF
GetLastError.KERNEL32 ref: 001C0931
__dosmaperr.LIBCMT ref: 001C0938

Strings

H, xrefs: 001C08BD

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 4f5c80816de6cfe6a5f55cbd4e3542f74a79bb8f584a5a5acbb1db9813c54f40
Instruction ID: 22829b52e981022966645ad59624b27959c15ac7e10eb6b5075344533a346a07
Opcode Fuzzy Hash: 4f5c80816de6cfe6a5f55cbd4e3542f74a79bb8f584a5a5acbb1db9813c54f40
Instruction Fuzzy Hash: 2EA13836A00254CFDF1AAF68DC95BAE7BA0AB2A320F14415DF8159B291DB31DD12CB91

Function 0018344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00183A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00251418,?,00182E7F,?,?,?,00000000), ref: 00183A78

Part of subcall function 00183357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00183379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 0018356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 001C318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 001C31CE
RegCloseKey.ADVAPI32(?), ref: 001C3210
_wcslen.LIBCMT ref: 001C3277
_wcslen.LIBCMT ref: 001C3286

Strings

\Include\, xrefs: 00183527
Software\AutoIt v3\AutoIt, xrefs: 00183560
Include, xrefs: 001C3184, 001C31C5
\, xrefs: 001C328C

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 317d55c73f4335d9514b2e63c699b94bb6a337bd9496951703248cc244548520
Instruction ID: 749153e68bb5ae998a8e17e54eac92efc47ef26f46047da676c8f0b3b7acd29c
Opcode Fuzzy Hash: 317d55c73f4335d9514b2e63c699b94bb6a337bd9496951703248cc244548520
Instruction Fuzzy Hash: 44718D71408301EFC704EF65EC869ABBBE8FFAA740F50446EF455971A0EB309A48CB56

Function 00182B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00182B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00182B9D
LoadIconW.USER32(00000063), ref: 00182BB3
LoadIconW.USER32(000000A4), ref: 00182BC5
LoadIconW.USER32(000000A2), ref: 00182BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00182BEF
RegisterClassExW.USER32(?), ref: 00182C40

Part of subcall function 00182CD4: GetSysColorBrush.USER32(0000000F), ref: 00182D07
Part of subcall function 00182CD4: RegisterClassExW.USER32(00000030), ref: 00182D31
Part of subcall function 00182CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00182D42
Part of subcall function 00182CD4: InitCommonControlsEx.COMCTL32(?), ref: 00182D5F
Part of subcall function 00182CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00182D6F
Part of subcall function 00182CD4: LoadIconW.USER32(000000A9), ref: 00182D85
Part of subcall function 00182CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00182D94

Strings

AutoIt v3, xrefs: 00182C2F
0, xrefs: 00182C0F
#, xrefs: 00182C16

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 0ecb30c4fe42388e855d31211f22df3a4acf6a4087512f836ef4fad8930feb4f
Instruction ID: 7ffa6b085de5f43a68578f41ba0679e355d9d8ab6df9a20ed5990d62f169125b
Opcode Fuzzy Hash: 0ecb30c4fe42388e855d31211f22df3a4acf6a4087512f836ef4fad8930feb4f
Instruction Fuzzy Hash: 9F214F74E40314BBDB109F95FC6DBAABFB4FB08B51F14419AF500A66A0D7B10960CF98

Function 00183170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,0018316A,?,?), ref: 001831D8
KillTimer.USER32(?,00000001,?,?,?,?,?,0018316A,?,?), ref: 00183204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00183227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,0018316A,?,?), ref: 00183232
CreatePopupMenu.USER32 ref: 00183246
PostQuitMessage.USER32(00000000), ref: 00183267

Strings

TaskbarCreated, xrefs: 0018322D

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 3306910557a97cf594464f724b14c517808c571cc32e9ea6b5f05e57a8bb70bd
Instruction ID: 97f8f43803be92239aa2a6e560621ca8359a41c99ea358376c102c5a16605113
Opcode Fuzzy Hash: 3306910557a97cf594464f724b14c517808c571cc32e9ea6b5f05e57a8bb70bd
Instruction Fuzzy Hash: 82412939250304B7DB183B78AC1DBBD3A1AE725F01F1C4129F922862E1DBB1DB519F65

Function 00181410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00181459
CoUninitialize.COMBASE ref: 001814F8
UnregisterHotKey.USER32(?), ref: 001816DD
DestroyWindow.USER32(?), ref: 001C24B9
FreeLibrary.KERNEL32(?), ref: 001C251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 001C254B

Strings

close all, xrefs: 00181454

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 3dcafb72d4017afce878912a77c48942ec50712b3e4d08049c6dda1024672854
Instruction ID: 890ee80f46db83a07a867772a06f9d96a67a23b51f302f815ba2086ac78eca79
Opcode Fuzzy Hash: 3dcafb72d4017afce878912a77c48942ec50712b3e4d08049c6dda1024672854
Instruction Fuzzy Hash: FED127327012129FCB29EF14D499F69F7A4BF25700F2542ADE84AAB251DB30EE12CF50

Function 00182C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00182C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00182CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00181CAD,?), ref: 00182CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00181CAD,?), ref: 00182CCF

Strings

AutoIt v3, xrefs: 00182C89, 00182C8E, 00182C8F
edit, xrefs: 00182CAC

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 4036a1199a05087fa7f9530c9834e26f10dc6f8cf6b827b2404568043fd6f904
Instruction ID: 119539880ede92443bfda192423c94b6778ce302c61fee4dc3cc4d27e90b6d44
Opcode Fuzzy Hash: 4036a1199a05087fa7f9530c9834e26f10dc6f8cf6b827b2404568043fd6f904
Instruction Fuzzy Hash: E6F03A795803907AEB300713BC1CFB76EBDD7D6F61F11409AF900A21B0C6710861DAB8

Function 00183B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00183B0F,SwapMouseButtons,00000004,?), ref: 00183B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00183B0F,SwapMouseButtons,00000004,?), ref: 00183B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00183B0F,SwapMouseButtons,00000004,?), ref: 00183B83

Strings

Control Panel\Mouse, xrefs: 00183B3E

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 692a6d112406b7f5f37abffb1b2967b50bb5a90e882164af1bc0b1b6e704b856
Instruction ID: c26bd1436088277328bfaafd95c657990ef857af99b7334ff58f3c336e8cb523
Opcode Fuzzy Hash: 692a6d112406b7f5f37abffb1b2967b50bb5a90e882164af1bc0b1b6e704b856
Instruction Fuzzy Hash: 76112AB5510208FFDB21DFA5DC48AEEB7B8EF04B84B148459A815D7210E7319F409B60

Function 00183923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 001C33A2

Part of subcall function 00186B57: _wcslen.LIBCMT ref: 00186B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00183A04

Strings

Line: , xrefs: 001C33EB

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: d30212a6bd5dd9470dfdcf556c434e888bffcb8c3d052b1458befd9cc3f41b86
Instruction ID: ec86fb9c13fe489d4b01d767d9a661e99eff2859342f50f692126fa1afbd622c
Opcode Fuzzy Hash: d30212a6bd5dd9470dfdcf556c434e888bffcb8c3d052b1458befd9cc3f41b86
Instruction Fuzzy Hash: 1031E571408300AAC325FB10EC49BEBB7D8AF51714F04455EF5A983091EB709759CBC6

Function 00182DE3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 001C2C8C

Part of subcall function 00183AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00183A97,?,?,00182E7F,?,?,?,00000000), ref: 00183AC2

Part of subcall function 00182DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00182DC4

Strings

X, xrefs: 001C2C5A
`e$, xrefs: 001C2C85

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X$`e$
API String ID: 779396738-2370829165
Opcode ID: 2f4fca66ca1d1cb471623c330520e40881f8dc2f0ab5e9f5658a69a0517197aa
Instruction ID: b416d81d999e363d0eba836587a778befe9fc94c6fca6655fb539c3304481194
Opcode Fuzzy Hash: 2f4fca66ca1d1cb471623c330520e40881f8dc2f0ab5e9f5658a69a0517197aa
Instruction Fuzzy Hash: 0C21E770A102589FCF05EF94D809BEE7BFCAF59714F008059E405F7241DBB49A498F61

Function 0019FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 001A0668

Part of subcall function 001A32A4: RaiseException.KERNEL32(?,?,?,001A068A,?,00251444,?,?,?,?,?,?,001A068A,00181129,00248738,00181129), ref: 001A3304

__CxxThrowException@8.LIBVCRUNTIME ref: 001A0685

Strings

Unknown exception, xrefs: 001A0692

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 43591eb229243a2159903d7e5543b4304461f8bec008272ae5de6f6b879c4785
Instruction ID: f645ab7fb62081b450601af9c92d59d089620845a841928daf363891a614d561
Opcode Fuzzy Hash: 43591eb229243a2159903d7e5543b4304461f8bec008272ae5de6f6b879c4785
Instruction Fuzzy Hash: DFF0C23C90020D77CF05BAA4D846DAE7BAC5E56354B604135B828D6591EF71EA66C5C0

Function 001810F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00181BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00181BF4
Part of subcall function 00181BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00181BFC
Part of subcall function 00181BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00181C07
Part of subcall function 00181BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00181C12
Part of subcall function 00181BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00181C1A
Part of subcall function 00181BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00181C22

Part of subcall function 00181B4A: RegisterWindowMessageW.USER32(00000004,?,001812C4), ref: 00181BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0018136A
OleInitialize.OLE32 ref: 00181388
CloseHandle.KERNEL32(00000000,00000000), ref: 001C24AB

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: b747385a3d8fbe0d83d91a748ce6e006a60f35921ec9402bd34ec8996ac645ea
Instruction ID: 1596beb70a1c319bb73b1813b160f54b632cd199743b8e7a7b5a2071385cc2a8
Opcode Fuzzy Hash: b747385a3d8fbe0d83d91a748ce6e006a60f35921ec9402bd34ec8996ac645ea
Instruction Fuzzy Hash: 7971B9B89213008FD794EF79B84D7A53AE4FBA8356794862AD40AC7361FB304965CF4C

Function 001EC161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00183923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00183A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 001EC259
KillTimer.USER32(?,00000001,?,?), ref: 001EC261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 001EC270

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: 0e9603c6ecec275c6344522203151ea5469897a743acab08280e59330b0aa4bd
Instruction ID: a0e7b07300eaaae1ff68aead20e97504ad4ccb4e22c519cd31c14b4632427a30
Opcode Fuzzy Hash: 0e9603c6ecec275c6344522203151ea5469897a743acab08280e59330b0aa4bd
Instruction Fuzzy Hash: 3B31F770904784AFEB329F749C59BEBBBEC9F16304F00009DE2DA93241C7745A85CB91

Function 001B86AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,001B85CC,?,00248CC8,0000000C), ref: 001B8704
GetLastError.KERNEL32(?,001B85CC,?,00248CC8,0000000C), ref: 001B870E
__dosmaperr.LIBCMT ref: 001B8739

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: 3423356174fa86024f11608245a7980fc6900eac47478c56f42214b8921e1302
Instruction ID: 1bf734e5a8ed33a722751a23c9ea366c996cef7972d811155b6115a47abeb209
Opcode Fuzzy Hash: 3423356174fa86024f11608245a7980fc6900eac47478c56f42214b8921e1302
Instruction Fuzzy Hash: C6014E32A0572026D7647334B8497FE678E5BA2F78F390159F8188B2E2DFB0CC81C190

Function 0018DB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 0018DB7B
DispatchMessageW.USER32(?), ref: 0018DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0018DB9F
Sleep.KERNELBASE(0000000A), ref: 0018DBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 001D1CC9

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: dbdf228e04b504186638671ecf512008ef30585d5dd9597b73679d21355da00b
Instruction ID: 3f6c8a45e77d6b90b79bd0782d5363a334008bce66fc5bb7e96bd826f14b72ac
Opcode Fuzzy Hash: dbdf228e04b504186638671ecf512008ef30585d5dd9597b73679d21355da00b
Instruction Fuzzy Hash: ACF05E30654340ABEB30DBA0EC8DFEA73ADEB55311F104919E60A830C0DB709548CF15

Function 00191310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 001917F6

Strings

CALL, xrefs: 001917C6

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 2bca53ef5426967abd6005ce9fb3e5810c3f485fb3913c00a7bf030d49081315
Instruction ID: 48c34e577d85b15a934cba61c9bdc859e8176082a6e046cc3d2cea9e2d03c867
Opcode Fuzzy Hash: 2bca53ef5426967abd6005ce9fb3e5810c3f485fb3913c00a7bf030d49081315
Instruction Fuzzy Hash: 35229C70608302EFDB18DF14C484A2ABBF1BF9A354F15891DF4968B3A1D771E985CB92

Function 00183837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00183908

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 9af9879e046d10828ce865985ba55a9d96c2b3282ae3c6e5ca3a7bae8b12a9d8
Instruction ID: 11a3c6d8a3d09ca9b1fb3a2e5db31c1c810261e7b8292c3024e0a8e578389a8c
Opcode Fuzzy Hash: 9af9879e046d10828ce865985ba55a9d96c2b3282ae3c6e5ca3a7bae8b12a9d8
Instruction Fuzzy Hash: 6331A5705047019FD720EF24D898797BBE4FB59709F04096EF5A983250E771AB54CF52

Function 0019F645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0019F661

Part of subcall function 0018D730: GetInputState.USER32 ref: 0018D807

Sleep.KERNEL32(00000000), ref: 001DF2DE

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: ef4bf8d57c8e07d60d54e71fa3431e0e16ea3bb522352ee1403da88d4a61947a
Instruction ID: 19b5bf1958218f0cfc80ff0b505b739cf22099cec1fa5e517508a164150b85db
Opcode Fuzzy Hash: ef4bf8d57c8e07d60d54e71fa3431e0e16ea3bb522352ee1403da88d4a61947a
Instruction Fuzzy Hash: 43F08275284305AFD314FF69E449B9ABBE8EF55760F004029E859C73A0DB70A800CF90

Function 00184ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00184E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00184EDD,?,00251418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00184E9C
Part of subcall function 00184E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00184EAE
Part of subcall function 00184E90: FreeLibrary.KERNEL32(00000000,?,?,00184EDD,?,00251418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00184EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00251418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00184EFD

Part of subcall function 00184E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,001C3CDE,?,00251418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00184E62
Part of subcall function 00184E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00184E74
Part of subcall function 00184E59: FreeLibrary.KERNEL32(00000000,?,?,001C3CDE,?,00251418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00184E87

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: b62c2f2ea5d92aabf6df280910ad573c0918992bc34d93eb3acd4b3feed3a736
Instruction ID: 9e4550dfb12180463ed835a597b1f6152df625e629d4671cae261f95c0958052
Opcode Fuzzy Hash: b62c2f2ea5d92aabf6df280910ad573c0918992bc34d93eb3acd4b3feed3a736
Instruction Fuzzy Hash: 8411E336610206ABDB14BF64DC06FAD77A5AF60714F20842EF642A61C1EF749B459F90

Function 001B8402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 001B8440

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: f460d2ef318a9d58d543c730763801fc6e037b515775359371c5a5d4216a4876
Instruction ID: 854ff2c4cfe976564017ec621e201de0045eef3eabf8d1667e036f5032524734
Opcode Fuzzy Hash: f460d2ef318a9d58d543c730763801fc6e037b515775359371c5a5d4216a4876
Instruction Fuzzy Hash: 3111187590420AAFCF05DF58E941ADA7BF9EF48314F114059FC08AB312DB31EA11CBA5

Function 001B5000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 001B4C7D: RtlAllocateHeap.NTDLL(00000008,00181129,00000000,?,001B2E29,00000001,00000364,?,?,?,001AF2DE,001B3863,00251444,?,0019FDF5,?), ref: 001B4CBE

_free.LIBCMT ref: 001B506C

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: c5a519e1ae7e946769c3463ca52734648b216519c298bf1f258fb3afc8b01407
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: D70126722047056BE3219F65D881A9AFBE9FB89370F25051DF19483280EB30A805C6B4

Function 001AE602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 1155eae1480f7695a6d7f163cac05be5413104070b0d228dfad4f4471dfd8d7f
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: FDF0F43A510A10A6D7353A799C05B9A33DC9F73334F100B19F429931D2DB70D8068AA5

Function 001B4C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00181129,00000000,?,001B2E29,00000001,00000364,?,?,?,001AF2DE,001B3863,00251444,?,0019FDF5,?), ref: 001B4CBE

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ee49c2215a7d596380eb65e061c537a811ebd4dbac9480f1bacede402bae9112
Instruction ID: 02034771ec996416f1cd5bb69a5eed4aad74c83dae5c3ddaca94f4d7c57b4bf5
Opcode Fuzzy Hash: ee49c2215a7d596380eb65e061c537a811ebd4dbac9480f1bacede402bae9112
Instruction Fuzzy Hash: 0AF0E93564222477DB215F669C09BEA3F88BF91FA1F15C125FC19E6183CB70DC0156E4

Function 001B3820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00251444,?,0019FDF5,?,?,0018A976,00000010,00251440,001813FC,?,001813C6,?,00181129), ref: 001B3852

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: a392605c080d45aea25638d1b01dc474c9484f04b2974f72e5f4e4bb7e0b84d5
Instruction ID: 523d3d8a3572a0cadb4de91dd74fe692d3d6e7dc093df5315555d7f372f5dd8d
Opcode Fuzzy Hash: a392605c080d45aea25638d1b01dc474c9484f04b2974f72e5f4e4bb7e0b84d5
Instruction Fuzzy Hash: 70E0ED39140224ABE7212AAAAC04BDA3648AB927B0F160235FC24924D0DB60DE2182E2

Function 00184F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00251418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00184F6D

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 7a57edb83ca99393e7ace65cf8126a82d16e6b364915fdbc12640cb61b197d2b
Instruction ID: 2b9c7659d9eb4d7c9a1e73fd87cc4c19991f66393faff41e7093aa230fcf558b
Opcode Fuzzy Hash: 7a57edb83ca99393e7ace65cf8126a82d16e6b364915fdbc12640cb61b197d2b
Instruction Fuzzy Hash: 7EF03975145752CFDB38AF68E494822BBE4BF143293258A7EF2EA82621CB319944DF50

Function 00212A55 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00212A66

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: 13bd1e0530458884ece38392e8d2def221fb2afeffff6fa7edc208f72650bd84
Instruction ID: b3f513eee447bf4ce8f9d4ca63f030521214d77db8c87a1c22a176c5b6cd9fc3
Opcode Fuzzy Hash: 13bd1e0530458884ece38392e8d2def221fb2afeffff6fa7edc208f72650bd84
Instruction Fuzzy Hash: 9DE04F363A055AEACB14EF31EC848FE739CEF70395710453ABD26D2101DF30A9A986A0

Function 001830F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 0018314E

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 812f92c834fc65f58bcfd323011e0412700fdf087d5678898a24d0c722a5d55d
Instruction ID: 4f69ce0bc904c29c01e090768cbce5afebeaabd6b3956e8c62c9d7f37d083fcb
Opcode Fuzzy Hash: 812f92c834fc65f58bcfd323011e0412700fdf087d5678898a24d0c722a5d55d
Instruction Fuzzy Hash: 45F0A070904308AFEB529B24EC4E7DA7BBCBB01708F0400E9A28896292DB704B88CF45

Function 00182DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00182DC4

Part of subcall function 00186B57: _wcslen.LIBCMT ref: 00186B6A

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: e7c66a463ba96a0567aeb9fb0f89e697c6251c57f99ef26da90a0507f5b3730a
Instruction ID: 18bf87b719a264e2cd83b0ef2e1c82d8f97ba033358bd354f7cbe810b19f03ce
Opcode Fuzzy Hash: e7c66a463ba96a0567aeb9fb0f89e697c6251c57f99ef26da90a0507f5b3730a
Instruction Fuzzy Hash: B0E0CD766002245BC710A2589C09FDA77DDDFC8790F044075FD09D7248DA70ED848650

Function 00182B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00183837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00183908

Part of subcall function 0018D730: GetInputState.USER32 ref: 0018D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00182B6B

Part of subcall function 001830F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 0018314E

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 967006b4b98cfe5c0569c3c3f1561e704b4223c9ee7dd85f4b27cbdbfc8aba7f
Instruction ID: e921899a63f699b878df7fc69ab719637a6779b9d8da377bce066c0a11d18518
Opcode Fuzzy Hash: 967006b4b98cfe5c0569c3c3f1561e704b4223c9ee7dd85f4b27cbdbfc8aba7f
Instruction Fuzzy Hash: 04E0862130424406CA04BB74B8565BDB7599BF2756F44163EF552471A2CF344B594B52

Function 001C039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,001C0704,?,?,00000000,?,001C0704,00000000,0000000C), ref: 001C03B7

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: e588dd59fad59fa8b316e7b193c7488d3e600735c551f04c31719e1be2de5c37
Instruction ID: 8091a098a3573b948bb7fcbf8bc1c02ec2a9e6e5adb57a018e16f479a9c1067f
Opcode Fuzzy Hash: e588dd59fad59fa8b316e7b193c7488d3e600735c551f04c31719e1be2de5c37
Instruction Fuzzy Hash: 0AD06C3208010DBBDF028F84ED0AEDA3BAAFB48714F118000BE1856020C732E821AB90

Function 00181CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00181CBC

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: ef86fcaf090229cde430131220f0768e019b4680c29d57fa3065c8414fb4fd52
Instruction ID: 882427b2892d30f192b659df9d5d3021b20f3656351c31e3797660f4c76db6c3
Opcode Fuzzy Hash: ef86fcaf090229cde430131220f0768e019b4680c29d57fa3065c8414fb4fd52
Instruction Fuzzy Hash: 9BC0923A2C0304FFF2198B80BC5EF507765E358B02F948401F609B95F3D7B22820EA58

Non-executed Functions

Function 00219576 Relevance: 74.1, APIs: 39, Strings: 3, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00199BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00199BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0021961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0021965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0021969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 002196C9
SendMessageW.USER32 ref: 002196F2
GetKeyState.USER32(00000011), ref: 0021978B
GetKeyState.USER32(00000009), ref: 00219798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 002197AE
GetKeyState.USER32(00000010), ref: 002197B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 002197E9
SendMessageW.USER32 ref: 00219810
SendMessageW.USER32(?,00001030,?,00217E95), ref: 00219918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0021992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00219941
SetCapture.USER32(?), ref: 0021994A
ClientToScreen.USER32(?,?), ref: 002199AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 002199BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 002199D6
ReleaseCapture.USER32 ref: 002199E1
GetCursorPos.USER32(?), ref: 00219A19
ScreenToClient.USER32(?,?), ref: 00219A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00219A80
SendMessageW.USER32 ref: 00219AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00219AEB
SendMessageW.USER32 ref: 00219B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00219B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00219B4A
GetCursorPos.USER32(?), ref: 00219B68
ScreenToClient.USER32(?,?), ref: 00219B75
GetParent.USER32(?), ref: 00219B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00219BFA
SendMessageW.USER32 ref: 00219C2B
ClientToScreen.USER32(?,?), ref: 00219C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00219CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00219CDE
SendMessageW.USER32 ref: 00219D01
ClientToScreen.USER32(?,?), ref: 00219D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00219D82

Part of subcall function 00199944: GetWindowLongW.USER32(?,000000EB), ref: 00199952

GetWindowLongW.USER32(?,000000F0), ref: 00219E05

Strings

F, xrefs: 00219D07
@GUI_DRAGID, xrefs: 0021997D
p#%, xrefs: 00219990

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F$p#%
API String ID: 3429851547-2685227466
Opcode ID: 57c708d8bccdc76bba98d124f6c9097d2b45c6d63cc3ca7b2aa77cc1ceb1fe5e
Instruction ID: b33aa9234e2c146ce18c0f2dd27bdf5d4115b4cc3e5014897facfb7d2cd6f261
Opcode Fuzzy Hash: 57c708d8bccdc76bba98d124f6c9097d2b45c6d63cc3ca7b2aa77cc1ceb1fe5e
Instruction Fuzzy Hash: 4642AC74614241AFD724CF28DC58BEABBE9FFA9310F104629F599872A1D731E8A0CF51

Function 00214873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 002148F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00214908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00214927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 0021494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 0021495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 0021497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 002149AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 002149D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00214A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00214A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00214A7E
IsMenu.USER32(?), ref: 00214A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00214AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00214B20
GetWindowLongW.USER32(?,000000F0), ref: 00214B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00214BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00214C82
wsprintfW.USER32 ref: 00214CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00214CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00214CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00214D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00214D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00214D5A

Strings

%d/%02d/%02d, xrefs: 00214CA8

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 4f2a3c7b8649e46d3dae1b2781fb5e7009665515c1d76a38871d11c8f7ca409c
Instruction ID: 75f8167378905b8ee438f48c97c4924b3dfa463c1c7ae6cd7955a7406df5e73c
Opcode Fuzzy Hash: 4f2a3c7b8649e46d3dae1b2781fb5e7009665515c1d76a38871d11c8f7ca409c
Instruction Fuzzy Hash: F7122171610245ABEB28AF24DC49FEE7BF8EFA5310F104129F519EB2E0DB749991CB50

Function 0019F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 0019F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 001DF474
IsIconic.USER32(00000000), ref: 001DF47D
ShowWindow.USER32(00000000,00000009), ref: 001DF48A
SetForegroundWindow.USER32(00000000), ref: 001DF494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 001DF4AA
GetCurrentThreadId.KERNEL32 ref: 001DF4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 001DF4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 001DF4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 001DF4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 001DF4DE
SetForegroundWindow.USER32(00000000), ref: 001DF4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 001DF4F6
keybd_event.USER32(00000012,00000000), ref: 001DF501
MapVirtualKeyW.USER32(00000012,00000000), ref: 001DF50B
keybd_event.USER32(00000012,00000000), ref: 001DF510
MapVirtualKeyW.USER32(00000012,00000000), ref: 001DF519
keybd_event.USER32(00000012,00000000), ref: 001DF51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 001DF528
keybd_event.USER32(00000012,00000000), ref: 001DF52D
SetForegroundWindow.USER32(00000000), ref: 001DF530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 001DF557

Strings

Shell_TrayWnd, xrefs: 001DF46F

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: a648e58fe3f4797ca218a5d71fdcff33ec4ddd94614f717b7e7b20af96581667
Instruction ID: 42bd90ab60db82607659074614b9f4f4dbec35419bf73017048dff55867f4787
Opcode Fuzzy Hash: a648e58fe3f4797ca218a5d71fdcff33ec4ddd94614f717b7e7b20af96581667
Instruction Fuzzy Hash: C0316575A80318BBEB216BB56C4DFBF7E6DEB44B50F20402AF601F61D1CBB05D01AA60

Function 001E1201 Relevance: 40.5, APIs: 19, Strings: 4, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 001E16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 001E170D
Part of subcall function 001E16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 001E173A
Part of subcall function 001E16C3: GetLastError.KERNEL32 ref: 001E174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 001E1286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 001E12A8
CloseHandle.KERNEL32(?), ref: 001E12B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 001E12D1
GetProcessWindowStation.USER32 ref: 001E12EA
SetProcessWindowStation.USER32(00000000), ref: 001E12F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 001E1310

Part of subcall function 001E10BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,001E11FC), ref: 001E10D4
Part of subcall function 001E10BF: CloseHandle.KERNEL32(?,?,001E11FC), ref: 001E10E9

Strings

Z$, xrefs: 001E1392
, xrefs: 001E125A
default, xrefs: 001E130B
winsta0, xrefs: 001E12CC

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0$Z$
API String ID: 22674027-3486118733
Opcode ID: e8acf04debc8eca051522cc7fe85c9e6127a82fe2641cdd4c69ad0e9110233c2
Instruction ID: 5b41f36e6be59e8016134831177d55236d98c89434b065adaa18b1d181ede110
Opcode Fuzzy Hash: e8acf04debc8eca051522cc7fe85c9e6127a82fe2641cdd4c69ad0e9110233c2
Instruction Fuzzy Hash: 8B81AD71940689BFDF219FA5DC49FEE7BB9FF08704F248129F911A62A0CB708955CB60

Function 001E0B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 001E10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 001E1114
Part of subcall function 001E10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,001E0B9B,?,?,?), ref: 001E1120
Part of subcall function 001E10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,001E0B9B,?,?,?), ref: 001E112F
Part of subcall function 001E10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,001E0B9B,?,?,?), ref: 001E1136
Part of subcall function 001E10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 001E114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 001E0BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 001E0C00
GetLengthSid.ADVAPI32(?), ref: 001E0C17
GetAce.ADVAPI32(?,00000000,?), ref: 001E0C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 001E0C6D
GetLengthSid.ADVAPI32(?), ref: 001E0C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 001E0C8C
HeapAlloc.KERNEL32(00000000), ref: 001E0C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 001E0CB4
CopySid.ADVAPI32(00000000), ref: 001E0CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 001E0CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 001E0D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 001E0D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 001E0D45
HeapFree.KERNEL32(00000000), ref: 001E0D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 001E0D55
HeapFree.KERNEL32(00000000), ref: 001E0D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 001E0D65
HeapFree.KERNEL32(00000000), ref: 001E0D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 001E0D78
HeapFree.KERNEL32(00000000), ref: 001E0D7F

Part of subcall function 001E1193: GetProcessHeap.KERNEL32(00000008,001E0BB1,?,00000000,?,001E0BB1,?), ref: 001E11A1
Part of subcall function 001E1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,001E0BB1,?), ref: 001E11A8
Part of subcall function 001E1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,001E0BB1,?), ref: 001E11B7

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: ec24d56429d9e2fb8b1f697b03cf0f581ca646c7b589fabfff912f46760fbbe5
Instruction ID: 655e5ba9c5cb45295ece50a14e34ecbe604112b7cfb674f38edc6f36e0304c72
Opcode Fuzzy Hash: ec24d56429d9e2fb8b1f697b03cf0f581ca646c7b589fabfff912f46760fbbe5
Instruction Fuzzy Hash: 6571AC7590024AEBDF11DFE5EC48BEEBBB8BF18300F148125E904A7190DBB4AA41CB60

Function 001FEAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0021CC08), ref: 001FEB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 001FEB37
GetClipboardData.USER32(0000000D), ref: 001FEB43
CloseClipboard.USER32 ref: 001FEB4F
GlobalLock.KERNEL32(00000000), ref: 001FEB87
CloseClipboard.USER32 ref: 001FEB91
GlobalUnlock.KERNEL32(00000000), ref: 001FEBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 001FEBC9
GetClipboardData.USER32(00000001), ref: 001FEBD1
GlobalLock.KERNEL32(00000000), ref: 001FEBE2
GlobalUnlock.KERNEL32(00000000), ref: 001FEC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 001FEC38
GetClipboardData.USER32(0000000F), ref: 001FEC44
GlobalLock.KERNEL32(00000000), ref: 001FEC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 001FEC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 001FEC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 001FECD2
GlobalUnlock.KERNEL32(00000000), ref: 001FECF3
CountClipboardFormats.USER32 ref: 001FED14
CloseClipboard.USER32 ref: 001FED59

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: d895eb6f866c9646e8cf8b47b046eccc307511e6a75468af550e7b45307bfde4
Instruction ID: 449a2a36b45470a3b6d8adbbb8ab31a5a02c45a67713eff555c9c2ad66d80027
Opcode Fuzzy Hash: d895eb6f866c9646e8cf8b47b046eccc307511e6a75468af550e7b45307bfde4
Instruction Fuzzy Hash: AF61DF38244305AFD300EF64E888F7A77E8AF94714F288559F956972A2CF31DE05CB62

Function 001F698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 001F69BE
FindClose.KERNEL32(00000000), ref: 001F6A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 001F6A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 001F6A75

Part of subcall function 00189CB3: _wcslen.LIBCMT ref: 00189CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 001F6AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 001F6ADF

Strings

%03d, xrefs: 001F6DA2
%4d%02d%02d%02d%02d%02d, xrefs: 001F6B6A
%4d, xrefs: 001F6BB1
%02d, xrefs: 001F6C00, 001F6C0A, 001F6C5A, 001F6CAA, 001F6CFA, 001F6D4A
%4d%02d%02d%02d%02d%02d%03d, xrefs: 001F6B32

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: ed999fd03a4f2675bde4b4de27a106cd53a0727e50fa65d9aa2146178c3f172e
Instruction ID: e202edfe48a0fe0c268dcd550ae0aeb6829d18c195d2d622c86c724818c66e67
Opcode Fuzzy Hash: ed999fd03a4f2675bde4b4de27a106cd53a0727e50fa65d9aa2146178c3f172e
Instruction Fuzzy Hash: E7D16CB2508304AEC714EBA4D885EBBB7ECAFA9704F04491DF685D7191EB74DA04CB62

Function 001F9642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 001F9663
GetFileAttributesW.KERNEL32(?), ref: 001F96A1
SetFileAttributesW.KERNEL32(?,?), ref: 001F96BB
FindNextFileW.KERNEL32(00000000,?), ref: 001F96D3
FindClose.KERNEL32(00000000), ref: 001F96DE
FindFirstFileW.KERNEL32(*.*,?), ref: 001F96FA
SetCurrentDirectoryW.KERNEL32(?), ref: 001F974A
SetCurrentDirectoryW.KERNEL32(00246B7C), ref: 001F9768
FindNextFileW.KERNEL32(00000000,00000010), ref: 001F9772
FindClose.KERNEL32(00000000), ref: 001F977F
FindClose.KERNEL32(00000000), ref: 001F978F

Strings

*.*, xrefs: 001F96F5

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 02c168bcab5d3dcdcf89278debfe7f7c3b4e3c203e27381f69565ff2b7238240
Instruction ID: 200fc311155e09c4064743d549cd3a13f1422dce1ab8462bc1749dc1335d4ce3
Opcode Fuzzy Hash: 02c168bcab5d3dcdcf89278debfe7f7c3b4e3c203e27381f69565ff2b7238240
Instruction Fuzzy Hash: 1531BF7654061D6BDB14BFB4EC0CBEE77AC9F1A321F208156FA15E20A0DB30D9448E54

Function 001F979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 001F97BE
FindNextFileW.KERNEL32(00000000,?), ref: 001F9819
FindClose.KERNEL32(00000000), ref: 001F9824
FindFirstFileW.KERNEL32(*.*,?), ref: 001F9840
SetCurrentDirectoryW.KERNEL32(?), ref: 001F9890
SetCurrentDirectoryW.KERNEL32(00246B7C), ref: 001F98AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 001F98B8
FindClose.KERNEL32(00000000), ref: 001F98C5
FindClose.KERNEL32(00000000), ref: 001F98D5

Part of subcall function 001EDAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 001EDB00

Strings

*.*, xrefs: 001F983B

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 169e9eac17367fc76f7047b18668076983179eb726ca147826dd89bb63ed4da4
Instruction ID: 86c9bb200e993ce8fe21576b8dd10586c7719e1b7fdcaf7188803033f7430d99
Opcode Fuzzy Hash: 169e9eac17367fc76f7047b18668076983179eb726ca147826dd89bb63ed4da4
Instruction Fuzzy Hash: 8D31E13554061D6ADB24BFB4EC48BEE37AC9F57360F2481A6FA10A2090DB30DE948A60

Function 0020BE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0020C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0020B6AE,?,?), ref: 0020C9B5
Part of subcall function 0020C998: _wcslen.LIBCMT ref: 0020C9F1
Part of subcall function 0020C998: _wcslen.LIBCMT ref: 0020CA68
Part of subcall function 0020C998: _wcslen.LIBCMT ref: 0020CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0020BF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 0020BFA9
RegCloseKey.ADVAPI32(00000000), ref: 0020BFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0020C02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 0020C0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0020C154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0020C1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 0020C23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0020C2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0020C382
RegCloseKey.ADVAPI32(00000000), ref: 0020C38F

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: 5f6447daa0af5a2a44a1521e104115373db3dd1cc63fa11c8da18daf951019e9
Instruction ID: 8ce96f9d7d76874dab82d0e281c6a2b5a91bd3fc94499628e62d2ec1b266b083
Opcode Fuzzy Hash: 5f6447daa0af5a2a44a1521e104115373db3dd1cc63fa11c8da18daf951019e9
Instruction Fuzzy Hash: D7026B70614301AFC714DF28C894E2ABBE5EF49308F28859DF84ACB2A2DB31ED55CB51

Function 001F8195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 001F8257
SystemTimeToFileTime.KERNEL32(?,?), ref: 001F8267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 001F8273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 001F8310
SetCurrentDirectoryW.KERNEL32(?), ref: 001F8324
SetCurrentDirectoryW.KERNEL32(?), ref: 001F8356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 001F838C
SetCurrentDirectoryW.KERNEL32(?), ref: 001F8395

Strings

*.*, xrefs: 001F839B

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 4538957c4b3dddbc891c57a3946628fb512ff36f230be4c0dbb6d92db74e6c26
Instruction ID: 3faf6d9101fd670f78b4d7b0304539f6e3b9bdcb0261d9885f3bf554d4599f45
Opcode Fuzzy Hash: 4538957c4b3dddbc891c57a3946628fb512ff36f230be4c0dbb6d92db74e6c26
Instruction Fuzzy Hash: DD6189B65083099FCB10EF60D8449AEB3E8FF99314F04891DFA9987251DB31EA45CB92

Function 001ED076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00183AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00183A97,?,?,00182E7F,?,?,?,00000000), ref: 00183AC2

Part of subcall function 001EE199: GetFileAttributesW.KERNEL32(?,001ECF95), ref: 001EE19A

FindFirstFileW.KERNEL32(?,?), ref: 001ED122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 001ED1DD
MoveFileW.KERNEL32(?,?), ref: 001ED1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 001ED20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 001ED237

Part of subcall function 001ED29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,001ED21C,?,?), ref: 001ED2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 001ED253
FindClose.KERNEL32(00000000), ref: 001ED264

Strings

\*.*, xrefs: 001ED0CD, 001ED0D6, 001ED0EB

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 3bc9fd1df0a981d0c978ace86f75704cfb964cc44aae5d2f9b9a5a3d5ba13b4e
Instruction ID: fb95d6176ac639bafc28c54ddf8b61791f3003db680c4977abbd1151abe26c7c
Opcode Fuzzy Hash: 3bc9fd1df0a981d0c978ace86f75704cfb964cc44aae5d2f9b9a5a3d5ba13b4e
Instruction Fuzzy Hash: BA61493180514EABCF05EBE1EA929FDB7B5AF25304F648165E40277191EB31AF09CF61

Function 001FED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 001FED91
EmptyClipboard.USER32 ref: 001FED97
GlobalAlloc.KERNEL32(00000002,?), ref: 001FEDAC
CloseClipboard.USER32 ref: 001FEEA3

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: ce61af117eadf08d0890c6e76e0d4387b62f469606b43b0318dfe5409b5f2506
Instruction ID: 83bcf60e571f1243245fd16f250c9ed0f0b60bd8eaa1632092c5a9da78c2f99d
Opcode Fuzzy Hash: ce61af117eadf08d0890c6e76e0d4387b62f469606b43b0318dfe5409b5f2506
Instruction Fuzzy Hash: 1D41CE35204651AFE320DF15E888B69BBE5FF54328F24C099E5158BA72CB35ED42CB90

Function 001EE8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 001E16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 001E170D
Part of subcall function 001E16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 001E173A
Part of subcall function 001E16C3: GetLastError.KERNEL32 ref: 001E174A

ExitWindowsEx.USER32(?,00000000), ref: 001EE932

Strings

SeShutdownPrivilege, xrefs: 001EE902
, xrefs: 001EE95C
, xrefs: 001EE920
@, xrefs: 001EE925

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 8d5d9bb68e75577e1c14244a3544d0d357c759fcc448bd878a8ae4379c6e3209
Instruction ID: c6990d969b1bdae1de0dbef9d3f53d82fb5332901489d1305ba48e6da9e3adbd
Opcode Fuzzy Hash: 8d5d9bb68e75577e1c14244a3544d0d357c759fcc448bd878a8ae4379c6e3209
Instruction Fuzzy Hash: C1012B72610651BBEB1866B6AC89FFF72DC9724744F154421FC03E31D3DBA05C4485A0

Function 00201204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00201276
WSAGetLastError.WSOCK32 ref: 00201283
bind.WSOCK32(00000000,?,00000010), ref: 002012BA
WSAGetLastError.WSOCK32 ref: 002012C5
closesocket.WSOCK32(00000000), ref: 002012F4
listen.WSOCK32(00000000,00000005), ref: 00201303
WSAGetLastError.WSOCK32 ref: 0020130D
closesocket.WSOCK32(00000000), ref: 0020133C

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 9459866fa6abe1495f5de7945fcd37cf42183aa69e0699c405bd16bd3dc41be1
Instruction ID: b657892dd15f846bc240d49b2719ccb2cbf8ca4f6c1228ba581f219f443446f1
Opcode Fuzzy Hash: 9459866fa6abe1495f5de7945fcd37cf42183aa69e0699c405bd16bd3dc41be1
Instruction Fuzzy Hash: 92419E356002119FD710DF68D4C8B69BBE5AF56318F288088E8568F2D7C771ED91CBE0

Function 001ED3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00183AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00183A97,?,?,00182E7F,?,?,?,00000000), ref: 00183AC2

Part of subcall function 001EE199: GetFileAttributesW.KERNEL32(?,001ECF95), ref: 001EE19A

FindFirstFileW.KERNEL32(?,?), ref: 001ED420
DeleteFileW.KERNEL32(?,?,?,?), ref: 001ED470
FindNextFileW.KERNEL32(00000000,00000010), ref: 001ED481
FindClose.KERNEL32(00000000), ref: 001ED498
FindClose.KERNEL32(00000000), ref: 001ED4A1

Strings

\*.*, xrefs: 001ED3F2

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 183c4d2065f4de196e53f194dcab98dafc73d54b92cd42813f4cdb59ee6f0470
Instruction ID: 9bbb26ab26e3d2c79ea9c4f713418282316304ed236ebc720dfb0fdc3ac8f0c8
Opcode Fuzzy Hash: 183c4d2065f4de196e53f194dcab98dafc73d54b92cd42813f4cdb59ee6f0470
Instruction Fuzzy Hash: 13312D710087859BC305FF65E8958AFB7A8BFB6314F444A1DF8D592191EB30AA09CB63

Function 001BE4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 001BE645

Strings

1#IND, xrefs: 001BF83D
1#INF, xrefs: 001BF852
1#SNAN, xrefs: 001BF844
1#QNAN, xrefs: 001BF84B

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: da72017c4e742426732803ec88bfd2b58abf8f49e0e0332277ff5dfe5cf5db69
Instruction ID: ae5e6d81bf044b7cb88a72d32ee1752148628a292a37d77ea5afb5406a1aa1ff
Opcode Fuzzy Hash: da72017c4e742426732803ec88bfd2b58abf8f49e0e0332277ff5dfe5cf5db69
Instruction Fuzzy Hash: 31C22971E086288FDB29CE28DD447EAB7F5EB49305F1541EAD84DE7241E774AE828F40

Function 001F648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 001F64DC
CoInitialize.OLE32(00000000), ref: 001F6639
CoCreateInstance.OLE32(0021FCF8,00000000,00000001,0021FB68,?), ref: 001F6650
CoUninitialize.OLE32 ref: 001F68D4

Strings

.lnk, xrefs: 001F64BA, 001F6524, 001F65E0

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 6953a7180962c418b3e0516a3a3d2965e627cbc9acb18bbf5c92b1d3952167b9
Instruction ID: 863c39607d118833e4540074bf9d6add073512cd8b991ec9a3fda79017a343f5
Opcode Fuzzy Hash: 6953a7180962c418b3e0516a3a3d2965e627cbc9acb18bbf5c92b1d3952167b9
Instruction Fuzzy Hash: 78D15971508305AFC304EF24C89196BB7E8FFA9304F14496DF5959B2A1EB71EE05CBA2

Function 002022DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 002022E8

Part of subcall function 001FE4EC: GetWindowRect.USER32(?,?), ref: 001FE504

GetDesktopWindow.USER32 ref: 00202312
GetWindowRect.USER32(00000000), ref: 00202319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00202355
GetCursorPos.USER32(?), ref: 00202381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 002023DF

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 27f5a3de6397e8d2a8988cfa41896fd1e0641b64b7991b0d3c99cf93ed64df23
Instruction ID: 4ee3f98c5c2fe09e2bd9f30bf6b0aa54d9802eba562c7b290871795d021130a8
Opcode Fuzzy Hash: 27f5a3de6397e8d2a8988cfa41896fd1e0641b64b7991b0d3c99cf93ed64df23
Instruction Fuzzy Hash: E6310072504346AFD720DF14D808B9BBBEAFF94314F10491AF984A7182DB34EA18CB92

Function 001F9B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00189CB3: _wcslen.LIBCMT ref: 00189CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 001F9B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 001F9C8B

Part of subcall function 001F3874: GetInputState.USER32 ref: 001F38CB
Part of subcall function 001F3874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 001F3966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 001F9BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 001F9C75

Strings

*.*, xrefs: 001F9B5D

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 33547dd3fd4a011f2c6b99e823b6083f74cf5345670cf46d5f157429a4011221
Instruction ID: a779cf163c71ee7577eff00769306be1609b7fb3c81ea6e7cd3c54237fd4e9bf
Opcode Fuzzy Hash: 33547dd3fd4a011f2c6b99e823b6083f74cf5345670cf46d5f157429a4011221
Instruction Fuzzy Hash: C8417C7194420EABCF14EF64C889BEEBBB8EF15310F244056E915A6191EB309F84CFA0

Function 0019997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00199BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00199BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00199A4E
GetSysColor.USER32(0000000F), ref: 00199B23
SetBkColor.GDI32(?,00000000), ref: 00199B36

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 88274ec89b2c551a81b534f97259713c9ee1c34d2fd7746c70ba15efe64dd483
Instruction ID: d67577f07338af63a793e5be7cb1fe33472081ab8d7a4a8d5c53dbffce310f4b
Opcode Fuzzy Hash: 88274ec89b2c551a81b534f97259713c9ee1c34d2fd7746c70ba15efe64dd483
Instruction Fuzzy Hash: 2EA10270208504BFEF28AA2C9C9DEBB3A9DEB56300B16420EF502D76D1EB259D51C676

Function 00201806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0020304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0020307A
Part of subcall function 0020304E: _wcslen.LIBCMT ref: 0020309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0020185D
WSAGetLastError.WSOCK32 ref: 00201884
bind.WSOCK32(00000000,?,00000010), ref: 002018DB
WSAGetLastError.WSOCK32 ref: 002018E6
closesocket.WSOCK32(00000000), ref: 00201915

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 81b7eb8df0c060e2f36d4e28304854e31995127922fcf1f1528fc67a3a9358e7
Instruction ID: b394a3b7251bd850423dacaf107e77161ff2e0058e49a589a2c1bf3ae76c4375
Opcode Fuzzy Hash: 81b7eb8df0c060e2f36d4e28304854e31995127922fcf1f1528fc67a3a9358e7
Instruction Fuzzy Hash: 10519275A00200AFEB11AF24D88AF6A77E5AB54718F14C09CFA155F3D3C771AE518BA1

Function 00211C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00211CC0
IsWindowEnabled.USER32 ref: 00211CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00211CDB
IsIconic.USER32 ref: 00211CE9
IsZoomed.USER32 ref: 00211CF7

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: b888a350a67682818a84a64a3529098cc1bf7864e94d77075ba97720d162e1df
Instruction ID: e210b6ffe89eaba7ce7b137bfbcf196c60141aed2262bd87a45c498329b68325
Opcode Fuzzy Hash: b888a350a67682818a84a64a3529098cc1bf7864e94d77075ba97720d162e1df
Instruction Fuzzy Hash: FE21F9317902015FD7208F1AD844B9A7BE5EFA5314F28806DE945CB351CB71DCA2CBD1

Function 00188060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 0018843C
ERCP, xrefs: 0018813C
VUUU, xrefs: 001883E8
VUUU, xrefs: 001C5DF0
VUUU, xrefs: 001883FA

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 369587ffdfd2c7399f5f00952b872b793500e70f788e92d59c2c86ad808a465a
Instruction ID: a72e206837abffd59cdbaa8873cc7cb326fa7adc14bbad563a03d210336ba2c8
Opcode Fuzzy Hash: 369587ffdfd2c7399f5f00952b872b793500e70f788e92d59c2c86ad808a465a
Instruction Fuzzy Hash: 15A27071E0061ACBDF28DF58C940BADB7B2BF64314F6581A9E815A7285EB70DE81CF50

Function 001E8298 Relevance: 6.6, APIs: 1, Strings: 3, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 001E82AA

Strings

tb$, xrefs: 001E84F4
|, xrefs: 001E82DA
(, xrefs: 001E82F0

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($tb$$|
API String ID: 1659193697-4150371503
Opcode ID: 8fcfb5c9daf9fb52a04537003073710c6a1dc30bf89541323c3399398bb45dd2
Instruction ID: a4c828f95b293aac8a4fd7b15375189c2f9726a512a4ef667beb760213ffb1af
Opcode Fuzzy Hash: 8fcfb5c9daf9fb52a04537003073710c6a1dc30bf89541323c3399398bb45dd2
Instruction Fuzzy Hash: 95322774A00B459FCB28CF59C481A6AB7F1FF48710B15C56EE59ADB3A1EB70E981CB40

Function 001EAA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 001EAAAC
SetKeyboardState.USER32(00000080), ref: 001EAAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 001EAB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 001EAB88

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 0d1760404f281b3e62ac1689501df7cefdef98a5deb8a2f29d341d14400e495a
Instruction ID: 723985e74fb5c878c7f2ac180756ecbd099f1ba0d34544b982456ea648a210d2
Opcode Fuzzy Hash: 0d1760404f281b3e62ac1689501df7cefdef98a5deb8a2f29d341d14400e495a
Instruction Fuzzy Hash: 1B314C30A80BC8AEFF34CB66CC05BFE77AAAF54310F94421AF581961D0D774A985C762

Function 001BBB6F Relevance: 6.1, APIs: 4, Instructions: 90timeCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 001BBB7F

Part of subcall function 001B29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,001BD7D1,00000000,00000000,00000000,00000000,?,001BD7F8,00000000,00000007,00000000,?,001BDBF5,00000000), ref: 001B29DE
Part of subcall function 001B29C8: GetLastError.KERNEL32(00000000,?,001BD7D1,00000000,00000000,00000000,00000000,?,001BD7F8,00000000,00000007,00000000,?,001BDBF5,00000000,00000000), ref: 001B29F0

GetTimeZoneInformation.KERNEL32 ref: 001BBB91
WideCharToMultiByte.KERNEL32(00000000,?,0025121C,000000FF,?,0000003F,?,?), ref: 001BBC09
WideCharToMultiByte.KERNEL32(00000000,?,00251270,000000FF,?,0000003F,?,?,?,0025121C,000000FF,?,0000003F,?,?), ref: 001BBC36

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone_free
String ID:
API String ID: 806657224-0
Opcode ID: b2418c24b1a064be35ba3009f6aef5bfe7cf17bfa9d865dee6f833a05c5675bb
Instruction ID: bc7bd416a0061c878238c59a4ec555f46ee96eb96adb2683ea24ef61925d3c4d
Opcode Fuzzy Hash: b2418c24b1a064be35ba3009f6aef5bfe7cf17bfa9d865dee6f833a05c5675bb
Instruction Fuzzy Hash: 7831CF70948215EFCB14DF69EC80AADBBB8FF55310B1446AAE824DB6A1DB709E50CB50

Function 001FCE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 001FCE89
GetLastError.KERNEL32(?,00000000), ref: 001FCEEA
SetEvent.KERNEL32(?,?,00000000), ref: 001FCEFE

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: f966c87b4344906a006d5f5e4bce7fc26fedb24c99d8edf3ebfbc95c83f25104
Instruction ID: c6c98f0329d69cdab6ca791a31d29d14ae0edd3f1f06b299f6956e80f63e8215
Opcode Fuzzy Hash: f966c87b4344906a006d5f5e4bce7fc26fedb24c99d8edf3ebfbc95c83f25104
Instruction Fuzzy Hash: 3B21ACB554070D9BDB20CF65DA48BA6BBF8EB51314F20841AE64692152EB70EA04ABA0

Function 001F5C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 001F5CC1
FindNextFileW.KERNEL32(00000000,?), ref: 001F5D17
FindClose.KERNEL32(?), ref: 001F5D5F

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 11c423388378ca5a474578731c890259683d955f99c15c0fc6f8ab6b0835e6f9
Instruction ID: 650abf9f78a31ccba5ee4ff48b6e845c24a9952f115d9705229b652aa0ce07fa
Opcode Fuzzy Hash: 11c423388378ca5a474578731c890259683d955f99c15c0fc6f8ab6b0835e6f9
Instruction Fuzzy Hash: 8E51BC74604A059FC714DF68D498EA6B7E5FF0A324F14855EEA5A8B3A2CB30ED04CF91

Function 001B2622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 001B271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 001B2724
UnhandledExceptionFilter.KERNEL32(?), ref: 001B2731

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: c64c504ac15165c7c096322021e05f125bc1801d4113bbe7779b77919ef9c8a7
Instruction ID: 7aa101c0cb5b4b08120874954da9f86d5dff0f4886abb6edc87e496668c3c8b4
Opcode Fuzzy Hash: c64c504ac15165c7c096322021e05f125bc1801d4113bbe7779b77919ef9c8a7
Instruction Fuzzy Hash: 4731D5749412289BCB21DF68DC887DCB7B8BF18310F5041EAE81CA7261EB309F858F44

Function 001F51CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 001F51DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 001F5238
SetErrorMode.KERNEL32(00000000), ref: 001F52A1

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 3f3421bd45defc52b201660972736ebbaf415c5006ec12faf9443bad80416b55
Instruction ID: 36ebe8e2457f9cd431d89bd3f8ef8e7fcb54009e98a29f32058c4685eb357fbb
Opcode Fuzzy Hash: 3f3421bd45defc52b201660972736ebbaf415c5006ec12faf9443bad80416b55
Instruction Fuzzy Hash: B9318175A00508DFDB00DF54D888EADBBB5FF09318F188099E909AB352CB31E945CFA0

Function 001E16C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 0019FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 001A0668
Part of subcall function 0019FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 001A0685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 001E170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 001E173A
GetLastError.KERNEL32 ref: 001E174A

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: f666bdb5c8859f4f044993962ee5c85004c6846c1b2a7e171688883e020c2693
Instruction ID: 7191f583dd81a87cd517fe747df65336071576b1f44bba1018fb2c040c4b78e9
Opcode Fuzzy Hash: f666bdb5c8859f4f044993962ee5c85004c6846c1b2a7e171688883e020c2693
Instruction Fuzzy Hash: 6C1191B2814704BFD7189F54EC86DAFB7F9EB48B14B20852EE05697641EB70BC41CA20

Function 001ED5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 001ED608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 001ED645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 001ED650

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 79a88f500601de242db829c531886a55f89a62bad903d9698cc2cd5b56392cd6
Instruction ID: 1c4c6098212aadc7ea0ad1c0dcb2d1551cfcce769aba1d67dc4591d980cb11e5
Opcode Fuzzy Hash: 79a88f500601de242db829c531886a55f89a62bad903d9698cc2cd5b56392cd6
Instruction Fuzzy Hash: E5117C75E41228BBDB108F95AC48FEFBBBCEB49B50F108111F914E7290C6704A018BA1

Function 001E1663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 001E168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 001E16A1
FreeSid.ADVAPI32(?), ref: 001E16B1

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 2076edca5c3226a2498cfb403281cb2a5c4b7340093ae3ed6745e051214ce2c2
Instruction ID: 631b1fa67918001e7af65149d87ebd9d54c7c3742796dde18c712c80998a428a
Opcode Fuzzy Hash: 2076edca5c3226a2498cfb403281cb2a5c4b7340093ae3ed6745e051214ce2c2
Instruction Fuzzy Hash: E6F0F475990309FBDB00DFE49C89EAEBBBCFB08604F508565E501E2181E774AA448A50

Function 001DD27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 001DD28C

Strings

X64, xrefs: 001DD2A8

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 062ae0f87eb7894573e02fd47167b89fe46f3bf88737f966f782964bbaf06121
Instruction ID: 71f49603fe4815ace901e9e753a1e53d8e2d86385df3dd057c288715f87eac2e
Opcode Fuzzy Hash: 062ae0f87eb7894573e02fd47167b89fe46f3bf88737f966f782964bbaf06121
Instruction Fuzzy Hash: 1BD0C9B480111DEACF98CB90EC88DDAB37CBB14345F114152F146A2100DB3095488F10

Function 001ACAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: 0030966581f8dc7f1fa3f181a7f9f927b413d55fa5b53604e54983191fd92ae3
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: 94021C75E002199FDF14CFA9C8806ADFBF1EF59324F25816AD819E7384D731AA418BD4

Function 0018CAF0 Relevance: 3.2, Strings: 2, Instructions: 659COMMON

Download Yara Rule

Strings

p#%, xrefs: 0018CF7F
Variable is not of type 'Object'., xrefs: 001D0C40

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.$p#%
API String ID: 0-450323306
Opcode ID: 63a016f30e423d2f6bbe40498d8bc4321e3811bb2ac247ad4618935bb0c8b378
Instruction ID: cad0318311ff89eb44563abd519b3e111d64d106518e6fa24fb6dfdb478edf9f
Opcode Fuzzy Hash: 63a016f30e423d2f6bbe40498d8bc4321e3811bb2ac247ad4618935bb0c8b378
Instruction Fuzzy Hash: 02329B70900218DFDF19EF94D881BEDB7B5BF19304F24805AE906AB292D775AE45CFA0

Function 001F68EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 001F6918
FindClose.KERNEL32(00000000), ref: 001F6961

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 0ada6ae98ac6269af566fa9bc1174091678b8dafbc9d618a6e932eddd5c208d8
Instruction ID: 53fafce5139dfa2928a898c32312c75ff50d16fe194e9befd2e1ae1960ae973d
Opcode Fuzzy Hash: 0ada6ae98ac6269af566fa9bc1174091678b8dafbc9d618a6e932eddd5c208d8
Instruction Fuzzy Hash: B811D0356042009FD710DF29D488A26BBE0FF84328F14C699E9698F2A2CB70EC05CB90

Function 001F37B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00204891,?,?,00000035,?), ref: 001F37E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00204891,?,?,00000035,?), ref: 001F37F4

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 67036c74d1e58efe3bd5732d6a7cbc401b28902300116d1ecaa2166655a97ff5
Instruction ID: 5eef793919db23e587a2ce39f8294c6d2154cb7ac5d99c163cda3e6c6731c26a
Opcode Fuzzy Hash: 67036c74d1e58efe3bd5732d6a7cbc401b28902300116d1ecaa2166655a97ff5
Instruction Fuzzy Hash: D7F0E5B46042282AE72027669C4DFEB3AAEEFC5761F000275F619D2281DBA09944C7B0

Function 001EB226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 001EB25D
keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 001EB270

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 58d61fa07b1bc6db8b2d83ae6fcce1df39ca792afb787d91e0250ad8c846e6ad
Instruction ID: 09dc93b96ca6faf5cd885aff059ff0c2b3658c7a2fc12771bd0fa0b2ff5c5fe6
Opcode Fuzzy Hash: 58d61fa07b1bc6db8b2d83ae6fcce1df39ca792afb787d91e0250ad8c846e6ad
Instruction Fuzzy Hash: C5F01D7584428EABDB059FA1D805BEE7BB4FF04305F108009F955A5191C7799611DF94

Function 001E10BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,001E11FC), ref: 001E10D4
CloseHandle.KERNEL32(?,?,001E11FC), ref: 001E10E9

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 82ffa3d555c377f60e8febf57efb6fe6b0f4ff6497528e1be7a9bcebabeedb51
Instruction ID: 202b5073e7aaea2fef6a4e17491ab03c68cf79e886f80ea7fd7aad95f4e5d6b3
Opcode Fuzzy Hash: 82ffa3d555c377f60e8febf57efb6fe6b0f4ff6497528e1be7a9bcebabeedb51
Instruction Fuzzy Hash: 9FE0BF76058610BFEB252B51FC09EB777E9EB14310B24C82DF5A5804B1DB626C91DB50

Function 001B676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,001B6766,?,?,00000008,?,?,001BFEFE,00000000), ref: 001B6998

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: a2d877519da0c6ad57284ff662c52c7f56927c83460b57af5dd46246a8e22a91
Instruction ID: 29a13a4c2cc1e14390cf0d1f0cd8b8080d484fea77cdd4fc4bad312b67a9bb28
Opcode Fuzzy Hash: a2d877519da0c6ad57284ff662c52c7f56927c83460b57af5dd46246a8e22a91
Instruction Fuzzy Hash: 52B14D31510608DFDB19CF28C486BA57BE0FF55364F298658E899CF2A2C739E991CB40

Function 0019B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 001D851F

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 9b9424c4dd54e37f34b11addd8dcc8dd5da8b5ef3beb26e0fba80351e9f14b69
Instruction ID: 64fa5b7e7d70d4297d13ffc6baa0cb7d1d2bcc6e946fa23d7b2b211ea82d1ac5
Opcode Fuzzy Hash: 9b9424c4dd54e37f34b11addd8dcc8dd5da8b5ef3beb26e0fba80351e9f14b69
Instruction Fuzzy Hash: 36127D71E042299BCF24CF58D9816EEB7F5FF48710F1581AAE849EB251DB309A81DF90

Function 001FEAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 001FEABD

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 973dd9e1507785859a8f00f24669646e839c813c3311ecbe7da683ea8ded7491
Instruction ID: 10d61b34d374422096a06fc3fd9b0bd401c0f35ba21563d5463d5d7fb5e5fb48
Opcode Fuzzy Hash: 973dd9e1507785859a8f00f24669646e839c813c3311ecbe7da683ea8ded7491
Instruction Fuzzy Hash: CFE04F752002049FD710EF59E844E9AFBEDBFA8760F148416FD49C7361DB70E9408BA0

Function 001A09D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,001A03EE), ref: 001A09DA

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 5b0a16c565d55e5864166b456ccbf34a521d275694f9cfb0012d991cde7078ff
Instruction ID: e502ee0e992cf055e097e08056b408c04ef53269bf6ea44a02a944ecec562f1f
Opcode Fuzzy Hash: 5b0a16c565d55e5864166b456ccbf34a521d275694f9cfb0012d991cde7078ff
Instruction Fuzzy Hash:

Function 001A781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 001A798B

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 1358f862a56fcbacdb3a7d3e7b5012b6a9d77cc7f9cb00b9241d1a9c0f773f15
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 4A51657E60C7056BDB3885288C5EBBF63899B13354F18051AE886D72C3CB19DF05D356

Function 001F2046 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

0&%, xrefs: 001F2053

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID:
String ID: 0&%
API String ID: 0-1408265185
Opcode ID: 5850d15422356935ec434eb6ba042e3fb65c7d1b07c101bffc9edde7aca31018
Instruction ID: bb27767387af403621f5ce4e385f27a8513b16204294ae98ce807be1f25cba13
Opcode Fuzzy Hash: 5850d15422356935ec434eb6ba042e3fb65c7d1b07c101bffc9edde7aca31018
Instruction Fuzzy Hash: E921B7326206158BDB28CF79D82367E73E9A764310F15862EF4A7C37D0DE39A904CB84

Function 001B6DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2d591bd5ba2b3ba79d9ceb1f00b005b85151f9054e63d7024487c3aaf2f068d
Instruction ID: 43865a847a92aebfe5b47eb059a5aa03539734b0b14dc528c840596c38cafa32
Opcode Fuzzy Hash: b2d591bd5ba2b3ba79d9ceb1f00b005b85151f9054e63d7024487c3aaf2f068d
Instruction Fuzzy Hash: 4F322222D29F019DD7339634DC26335A689AFF73C5F15E737E81AB5AA9EB29C4834100

Function 0019CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b9915a8cc1305e7e92670afa25f5755fbff41a07bd0723ad4c0e7fce941423b
Instruction ID: 06bdd91ef785ff83b28a125afb0478a4d0094ed9c0665b25867f805ce99c26dd
Opcode Fuzzy Hash: 8b9915a8cc1305e7e92670afa25f5755fbff41a07bd0723ad4c0e7fce941423b
Instruction Fuzzy Hash: CD320332A401178BDF28CB68C4946BD7BA2EB45314F298D6BD48ACB391E730DD81DBC0

Function 00187920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37703e12e8d58ed4a972ac07b30244a67ee5fa46c417ad85868eefd2195d6803
Instruction ID: 100e5c2283a491264c5ddc23a7adc8b5062f181b777e2b7782661d901f422047
Opcode Fuzzy Hash: 37703e12e8d58ed4a972ac07b30244a67ee5fa46c417ad85868eefd2195d6803
Instruction Fuzzy Hash: B1228070A04609DFDF18DFA4D881BAEB7F6FF54300F244529E816A7291EB35EA51CB50

Function 001891C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3a6a325026a7891ca23fb3854b2faa1636d6793c891e8bd2c2bdd6341ea91b0
Instruction ID: 7889417426b11ef3f517e9fec82873859838f90b612951d6d54349ab3803c9eb
Opcode Fuzzy Hash: e3a6a325026a7891ca23fb3854b2faa1636d6793c891e8bd2c2bdd6341ea91b0
Instruction Fuzzy Hash: 0D0282B1A00209EBDF04DF64D881BAEB7F5FF64300F158169E816DB291EB31EA51CB95

Function 001B9EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 046e08ab768522f012381126bc170a300940464dd163478a25bc58d4b17b28e6
Instruction ID: 1079c4b9fbe43c87d52dee7f3524d39cce20a4d65a36d132ed5270e5147706ed
Opcode Fuzzy Hash: 046e08ab768522f012381126bc170a300940464dd163478a25bc58d4b17b28e6
Instruction Fuzzy Hash: 8EB10320D2AF405DC323D6399835336B69CAFBB6D5F91E71BFC1674D22EB2686834180

Function 001A1C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: a9de0b38592e351c309d09ab2bbafc9f63145b9df204594ba3fbc2f1428f7933
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: B391667B1080A35ADB2E467E857807EFFE15A933B1B1A079DD4F2CA1C5FF248958D620

Function 001A1F32 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: 686f1ef9de3ce06874746f4879c27d025cd0630c6365a6d67e2f69455bb48706
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: 3B91327B2090E34EDB6D463D857443EFEE15A933A171A079EE4F2CA1C5EF348958E620

Function 001A19B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: f59e8cfde2b867cb84976ae663e52cdf24c214c7c68cde6879306e23b110ac98
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 12912F7A2090E35ADB2D467A857403EFFF15A933A2B1A079ED4F2CB1C5FF248564D620

Function 001A7A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d3db3505fa3c263367321eb7658ccfd6145d7fea63fc6b8f9ff9f83f71b7f00
Instruction ID: 575d8710cc219aabc542a85542d1eb2d309db479e6b1158a797ff3a5f915b97a
Opcode Fuzzy Hash: 7d3db3505fa3c263367321eb7658ccfd6145d7fea63fc6b8f9ff9f83f71b7f00
Instruction Fuzzy Hash: 006148BD608709AADA38AA288D95BBF2398DF53710F180919E842DB2C1DB119F428365

Function 001A7CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9aaf9fecff41ac57c682103ea2bdc51252d039cc3f57866888f2952964a6e005
Instruction ID: a3053552d4baa31aa07efe15392c634bce19caa974300605a66726d280c3273a
Opcode Fuzzy Hash: 9aaf9fecff41ac57c682103ea2bdc51252d039cc3f57866888f2952964a6e005
Instruction Fuzzy Hash: 8961BB3D60870967DF395AA85CA5BBF2388EF53754F100859E843CB2C1EB22EF428355

Function 001A1706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 035ac50aa114b85376c7ff6d9588af1ce9923408151ea6b464ac3dd00aee8d0f
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: A881967B6080A31DDB6D427A853403EFFE15A933A5B1A079ED4F2CB1C1EF24C954E620

Function 00202ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00202B30
DeleteObject.GDI32(00000000), ref: 00202B43
DestroyWindow.USER32 ref: 00202B52
GetDesktopWindow.USER32 ref: 00202B6D
GetWindowRect.USER32(00000000), ref: 00202B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00202CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00202CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00202CF8
GetClientRect.USER32(00000000,?), ref: 00202D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00202D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00202D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00202D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00202D80
GlobalLock.KERNEL32(00000000), ref: 00202D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00202D98
GlobalUnlock.KERNEL32(00000000), ref: 00202DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00202DA8
GlobalFree.KERNEL32(00000000), ref: 00202DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00202DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,0021FC38,00000000), ref: 00202DDB
GlobalFree.KERNEL32(00000000), ref: 00202DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00202E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00202E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00202E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0020303F

Strings

AutoIt v3, xrefs: 00202CF2
static, xrefs: 00202D3A, 00202E91
, xrefs: 00202FC5
DISPLAY, xrefs: 00202EA2

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: ab0935688946846bd5732f16389e7f52005029418fcb413f5b5190dd0c7bab88
Instruction ID: 11a86f3bbc9c80ae1fe1bf4eb7cd76436342fb4e6a03df9b973cdfdcf8511374
Opcode Fuzzy Hash: ab0935688946846bd5732f16389e7f52005029418fcb413f5b5190dd0c7bab88
Instruction Fuzzy Hash: 82029A75910209EFDB14DFA4DC8DEAE7BB9EB49710F208159F915AB2A1CB70AD01CF60

Function 002170D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0021712F
GetSysColorBrush.USER32(0000000F), ref: 00217160
GetSysColor.USER32(0000000F), ref: 0021716C
SetBkColor.GDI32(?,000000FF), ref: 00217186
SelectObject.GDI32(?,?), ref: 00217195
InflateRect.USER32(?,000000FF,000000FF), ref: 002171C0
GetSysColor.USER32(00000010), ref: 002171C8
CreateSolidBrush.GDI32(00000000), ref: 002171CF
FrameRect.USER32(?,?,00000000), ref: 002171DE
DeleteObject.GDI32(00000000), ref: 002171E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00217230
FillRect.USER32(?,?,?), ref: 00217262
GetWindowLongW.USER32(?,000000F0), ref: 00217284

Part of subcall function 002173E8: GetSysColor.USER32(00000012), ref: 00217421
Part of subcall function 002173E8: SetTextColor.GDI32(?,?), ref: 00217425
Part of subcall function 002173E8: GetSysColorBrush.USER32(0000000F), ref: 0021743B
Part of subcall function 002173E8: GetSysColor.USER32(0000000F), ref: 00217446
Part of subcall function 002173E8: GetSysColor.USER32(00000011), ref: 00217463
Part of subcall function 002173E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00217471
Part of subcall function 002173E8: SelectObject.GDI32(?,00000000), ref: 00217482
Part of subcall function 002173E8: SetBkColor.GDI32(?,00000000), ref: 0021748B
Part of subcall function 002173E8: SelectObject.GDI32(?,?), ref: 00217498
Part of subcall function 002173E8: InflateRect.USER32(?,000000FF,000000FF), ref: 002174B7
Part of subcall function 002173E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 002174CE
Part of subcall function 002173E8: GetWindowLongW.USER32(00000000,000000F0), ref: 002174DB

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 7ad330e08580c6996a99897f4986606ec204a9684c4569e76f1edaa9c05ba560
Instruction ID: 7283d4f528a5314b82256888039a5116f59e2d5162a5c9420f975a353b430b41
Opcode Fuzzy Hash: 7ad330e08580c6996a99897f4986606ec204a9684c4569e76f1edaa9c05ba560
Instruction Fuzzy Hash: 0AA1B076058301BFDB009F60EC4CA9B7BF9FB98320F204A19F966A61E0DB70E945CB51

Function 00198D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00198E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 001D6AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 001D6AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 001D6F43

Part of subcall function 00198F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00198BE8,?,00000000,?,?,?,?,00198BBA,00000000,?), ref: 00198FC5

SendMessageW.USER32(?,00001053), ref: 001D6F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 001D6F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 001D6FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 001D6FB7

Strings

0, xrefs: 001D6DCF

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: 825959595e82e3f82f883393e00fca7f5bbe8924a35dcf10ecd504895545ec9b
Instruction ID: 929074453c68b3caebf6706305a75e8bdb5d1363296acb88bf21fccaa8a4dd6f
Opcode Fuzzy Hash: 825959595e82e3f82f883393e00fca7f5bbe8924a35dcf10ecd504895545ec9b
Instruction Fuzzy Hash: A712BD34600611EFDB25CF28E898BBAB7E5FB55301F24856AF4958B261CB31EC51CF91

Function 00202711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 0020273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0020286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 002028A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 002028B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00202900
GetClientRect.USER32(00000000,?), ref: 0020290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00202955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00202964
GetStockObject.GDI32(00000011), ref: 00202974
SelectObject.GDI32(00000000,00000000), ref: 00202978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00202988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00202991
DeleteDC.GDI32(00000000), ref: 0020299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 002029C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 002029DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00202A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00202A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00202A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00202A77
GetStockObject.GDI32(00000011), ref: 00202A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00202A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00202A97

Strings

msctls_progress32, xrefs: 00202A13
AutoIt v3, xrefs: 002028F8
static, xrefs: 0020294F, 00202A71
DISPLAY, xrefs: 0020295A

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 9fcf96532ab4a743d4ada18a98d731edaf5022bb05451fdbaf6bc45be262b18b
Instruction ID: b10b85b4d2711d865679d81cd1a796f551a7b07d2fed912c74cdd0dd515c95a6
Opcode Fuzzy Hash: 9fcf96532ab4a743d4ada18a98d731edaf5022bb05451fdbaf6bc45be262b18b
Instruction Fuzzy Hash: C6B18B75A40205BFEB14DF68DC89FAEBBA9EB08710F108155F914E72E1DB70AD10CBA4

Function 001F4ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 001F4AED
GetDriveTypeW.KERNEL32(?,0021CB68,?,\\.\,0021CC08), ref: 001F4BCA
SetErrorMode.KERNEL32(00000000,0021CB68,?,\\.\,0021CC08), ref: 001F4D36

Strings

iSCSI, xrefs: 001F4CC2
FileBackedVirtual, xrefs: 001F4CEC
RAMDisk, xrefs: 001F4BF4
Fixed, xrefs: 001F4C09
SSA, xrefs: 001F4CA6
Unknown, xrefs: 001F4BED, 001F4C83
Network, xrefs: 001F4C02
Fibre, xrefs: 001F4CAD
\\.\, xrefs: 001F4B3F
PhysicalDrive, xrefs: 001F4B76
SAS, xrefs: 001F4CC9
MMC, xrefs: 001F4CDE
USB, xrefs: 001F4CB4
ATAPI, xrefs: 001F4C91
CDROM, xrefs: 001F4BFB
1394, xrefs: 001F4C9F
SSD, xrefs: 001F4C4A
Removable, xrefs: 001F4C10, 001F4C15
SCSI, xrefs: 001F4C8A
RAID, xrefs: 001F4CBB
SATA, xrefs: 001F4CD0
ATA, xrefs: 001F4C98
Virtual, xrefs: 001F4CE5

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 05b2bc82df63791c05e1693abca924aca5cd608a1045a5a2ecacaed7ce243cfc
Instruction ID: a081f4bcee2141af42244455b7b9b391dfbadc1ef799107d48fc5f4f001f115f
Opcode Fuzzy Hash: 05b2bc82df63791c05e1693abca924aca5cd608a1045a5a2ecacaed7ce243cfc
Instruction Fuzzy Hash: EB61F630B0520DDBCB0CEF64C989DBE77B0AF56710B249015F906AB692CB32DE52DB52

Function 002173E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00217421
SetTextColor.GDI32(?,?), ref: 00217425
GetSysColorBrush.USER32(0000000F), ref: 0021743B
GetSysColor.USER32(0000000F), ref: 00217446
CreateSolidBrush.GDI32(?), ref: 0021744B
GetSysColor.USER32(00000011), ref: 00217463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00217471
SelectObject.GDI32(?,00000000), ref: 00217482
SetBkColor.GDI32(?,00000000), ref: 0021748B
SelectObject.GDI32(?,?), ref: 00217498
InflateRect.USER32(?,000000FF,000000FF), ref: 002174B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 002174CE
GetWindowLongW.USER32(00000000,000000F0), ref: 002174DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0021752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00217554
InflateRect.USER32(?,000000FD,000000FD), ref: 00217572
DrawFocusRect.USER32(?,?), ref: 0021757D
GetSysColor.USER32(00000011), ref: 0021758E
SetTextColor.GDI32(?,00000000), ref: 00217596
DrawTextW.USER32(?,002170F5,000000FF,?,00000000), ref: 002175A8
SelectObject.GDI32(?,?), ref: 002175BF
DeleteObject.GDI32(?), ref: 002175CA
SelectObject.GDI32(?,?), ref: 002175D0
DeleteObject.GDI32(?), ref: 002175D5
SetTextColor.GDI32(?,?), ref: 002175DB
SetBkColor.GDI32(?,?), ref: 002175E5

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: cab52c6ae989d727bf9622655fe9ba264d7a2868c3d980e6e6e60f80e483c250
Instruction ID: d98e48c9a7bebf427d172edd166da1b1fc3fe17b45b7a41e1ccbbcef91c6cfe6
Opcode Fuzzy Hash: cab52c6ae989d727bf9622655fe9ba264d7a2868c3d980e6e6e60f80e483c250
Instruction Fuzzy Hash: CC616E76940219BFDF019FA4EC49AEE7FB9EB58320F218115F915BB2A1DB709940CF90

Function 00210FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00211128
GetDesktopWindow.USER32 ref: 0021113D
GetWindowRect.USER32(00000000), ref: 00211144
GetWindowLongW.USER32(?,000000F0), ref: 00211199
DestroyWindow.USER32(?), ref: 002111B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 002111ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0021120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0021121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00211232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00211245
IsWindowVisible.USER32(00000000), ref: 002112A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 002112BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 002112D0
GetWindowRect.USER32(00000000,?), ref: 002112E8
MonitorFromPoint.USER32(?,?,00000002), ref: 0021130E
GetMonitorInfoW.USER32(00000000,?), ref: 00211328
CopyRect.USER32(?,?), ref: 0021133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 002113AA

Strings

(, xrefs: 0021131B
0, xrefs: 002110D3
tooltips_class32, xrefs: 002111E6

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: f87806654e842c7be96eca0c5037e1baa6e1cbf3524ab83ae091b36130297118
Instruction ID: 775aeadc9af1374bc2ae7c34e4d55ae1874316f7dfdf48825324053495c2e292
Opcode Fuzzy Hash: f87806654e842c7be96eca0c5037e1baa6e1cbf3524ab83ae091b36130297118
Instruction Fuzzy Hash: 0CB19F71618341AFD704DF64D884BAABBE4FF94350F00891CFA999B2A1CB71D8A4CF91

Function 00198891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00198968
GetSystemMetrics.USER32(00000007), ref: 00198970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0019899B
GetSystemMetrics.USER32(00000008), ref: 001989A3
GetSystemMetrics.USER32(00000004), ref: 001989C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 001989E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 001989F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00198A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00198A3C
GetClientRect.USER32(00000000,000000FF), ref: 00198A5A
GetStockObject.GDI32(00000011), ref: 00198A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00198A81

Part of subcall function 0019912D: GetCursorPos.USER32(?), ref: 00199141
Part of subcall function 0019912D: ScreenToClient.USER32(00000000,?), ref: 0019915E
Part of subcall function 0019912D: GetAsyncKeyState.USER32(00000001), ref: 00199183
Part of subcall function 0019912D: GetAsyncKeyState.USER32(00000002), ref: 0019919D

SetTimer.USER32(00000000,00000000,00000028,001990FC), ref: 00198AA8

Strings

AutoIt v3 GUI, xrefs: 00198A20

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: dce8ed53dcd155220f692687730c95d22836902ea1a22d8ed6839396175e6ee6
Instruction ID: 015f677011aa8c38bfe3c1e5d91f688adea613c4cac1438333b49cd76d365f37
Opcode Fuzzy Hash: dce8ed53dcd155220f692687730c95d22836902ea1a22d8ed6839396175e6ee6
Instruction Fuzzy Hash: 0BB18B75A40209AFDF14DFA8DC49BEE3BB5FB58315F10422AFA15AB290DB34E850CB54

Function 001E0D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 001E10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 001E1114
Part of subcall function 001E10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,001E0B9B,?,?,?), ref: 001E1120
Part of subcall function 001E10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,001E0B9B,?,?,?), ref: 001E112F
Part of subcall function 001E10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,001E0B9B,?,?,?), ref: 001E1136
Part of subcall function 001E10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 001E114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 001E0DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 001E0E29
GetLengthSid.ADVAPI32(?), ref: 001E0E40
GetAce.ADVAPI32(?,00000000,?), ref: 001E0E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 001E0E96
GetLengthSid.ADVAPI32(?), ref: 001E0EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 001E0EB5
HeapAlloc.KERNEL32(00000000), ref: 001E0EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 001E0EDD
CopySid.ADVAPI32(00000000), ref: 001E0EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 001E0F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 001E0F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 001E0F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 001E0F6E
HeapFree.KERNEL32(00000000), ref: 001E0F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 001E0F7E
HeapFree.KERNEL32(00000000), ref: 001E0F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 001E0F8E
HeapFree.KERNEL32(00000000), ref: 001E0F95
GetProcessHeap.KERNEL32(00000000,?), ref: 001E0FA1
HeapFree.KERNEL32(00000000), ref: 001E0FA8

Part of subcall function 001E1193: GetProcessHeap.KERNEL32(00000008,001E0BB1,?,00000000,?,001E0BB1,?), ref: 001E11A1
Part of subcall function 001E1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,001E0BB1,?), ref: 001E11A8
Part of subcall function 001E1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,001E0BB1,?), ref: 001E11B7

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: b60bc3ab26acbc892dc0e562d331a3f1af28eb1c173059682fe3dbf17bf793b4
Instruction ID: c3d00cb842b1ee2bea78e3114a18580e01f4be7793d3428b742683c064a64b20
Opcode Fuzzy Hash: b60bc3ab26acbc892dc0e562d331a3f1af28eb1c173059682fe3dbf17bf793b4
Instruction Fuzzy Hash: 5471AE7590024AABDF21DFA5EC48FEEBBB8BF18300F148125F918E6191DB719D55CB60

Function 0020C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0020C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,0021CC08,00000000,?,00000000,?,?), ref: 0020C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0020C5A4
_wcslen.LIBCMT ref: 0020C5F4
_wcslen.LIBCMT ref: 0020C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0020C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0020C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0020C84D
RegCloseKey.ADVAPI32(?), ref: 0020C881
RegCloseKey.ADVAPI32(00000000), ref: 0020C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0020C960

Strings

REG_QWORD, xrefs: 0020C8C3
REG_MULTI_SZ, xrefs: 0020C6F5
REG_DWORD, xrefs: 0020C804
REG_BINARY, xrefs: 0020C913
REG_SZ, xrefs: 0020C644
REG_EXPAND_SZ, xrefs: 0020C5CD

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 6bbb49a1b5749ddc7473b1cb6211e091c96ce2634e4fa4a68dde67f41197be6f
Instruction ID: 4f54fb26427e32e769c7ef52fd44467ea5c701911368fe4f5e76f96044fe99b1
Opcode Fuzzy Hash: 6bbb49a1b5749ddc7473b1cb6211e091c96ce2634e4fa4a68dde67f41197be6f
Instruction Fuzzy Hash: B81266752142019FDB14EF14D881A2ABBE5FF88714F24895CF89A9B3A2DB31ED41CB91

Function 0021091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 002109C6
_wcslen.LIBCMT ref: 00210A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00210A54
_wcslen.LIBCMT ref: 00210A8A
_wcslen.LIBCMT ref: 00210B06
_wcslen.LIBCMT ref: 00210B81

Part of subcall function 0019F9F2: _wcslen.LIBCMT ref: 0019F9FD

Part of subcall function 001E2BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 001E2BFA

Strings

UNCHECK, xrefs: 00210D3E
GETSELECTED, xrefs: 00210C4E
EXPAND, xrefs: 00210BF8
COLLAPSE, xrefs: 00210B01, 00210B1C
GETTEXT, xrefs: 00210C97
GETITEMCOUNT, xrefs: 00210C1E
ISCHECKED, xrefs: 00210CE1
GETTOTALCOUNT, xrefs: 002109F2, 00210A17
EXISTS, xrefs: 00210B7C, 00210B97
SELECT, xrefs: 00210D11
CHECK, xrefs: 00210A85, 00210AA0

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 3f42dd62258f29d4111f5a695ab2855799d83108a7ebba6e06ad4868daa6df63
Instruction ID: 5f1a811b01bd97558bf81a92654316c5c5b34885632836367b2b583bce62218f
Opcode Fuzzy Hash: 3f42dd62258f29d4111f5a695ab2855799d83108a7ebba6e06ad4868daa6df63
Instruction Fuzzy Hash: A7E1C2352287028FC714EF24C49096EB7E1FFA8318B14495DF8959B3A2D770EE95CB91

Function 0020C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0020B6AE,?,?), ref: 0020C9B5
_wcslen.LIBCMT ref: 0020C9F1
_wcslen.LIBCMT ref: 0020CA68
_wcslen.LIBCMT ref: 0020CA9E
_wcslen.LIBCMT ref: 0020CAF9
_wcslen.LIBCMT ref: 0020CB2F
_wcslen.LIBCMT ref: 0020CB7F

Strings

HKEY_CURRENT_CONFIG, xrefs: 0020CB79, 0020CB7E
HKU, xrefs: 0020CBF0
HKEY_CURRENT_USER, xrefs: 0020CBBD
HKCR, xrefs: 0020CB29, 0020CB2E
HKCC, xrefs: 0020CBAC
HKEY_USERS, xrefs: 0020CBDF
HKCU, xrefs: 0020CBCE
HKEY_LOCAL_MACHINE, xrefs: 0020CA62, 0020CA67
HKLM, xrefs: 0020CA98, 0020CA9D
HKEY_CLASSES_ROOT, xrefs: 0020CAF3, 0020CAF8

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: f5d595a2d6b6835bc6871577f78794ddfead7dc59b4c3e89df4ecc5603ced536
Instruction ID: 2cb29674b33ff7df71b6977a7cbcb16e3e95c187472c5639d938f3f6372aace5
Opcode Fuzzy Hash: f5d595a2d6b6835bc6871577f78794ddfead7dc59b4c3e89df4ecc5603ced536
Instruction Fuzzy Hash: F871F5B263026B8BCB10DF68C8415BB3395AB71758B750729FC66972C6E770CD65C3A0

Function 0021833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0021835A
_wcslen.LIBCMT ref: 0021836E
_wcslen.LIBCMT ref: 00218391
_wcslen.LIBCMT ref: 002183B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 002183F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,0021361A,?), ref: 0021844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00218487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 002184CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00218501
FreeLibrary.KERNEL32(?), ref: 0021850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0021851D
DestroyIcon.USER32(?), ref: 0021852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00218549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00218555

Strings

.icl, xrefs: 00218368
.exe, xrefs: 00218388
.dll, xrefs: 002183AB

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: a12915a7dab418be1113de151883e9b1afd18638a29345306d418d5a67f927f8
Instruction ID: 173934c67da0499232269defff9aa4e769352abf3518e7daee83a548a46d22c3
Opcode Fuzzy Hash: a12915a7dab418be1113de151883e9b1afd18638a29345306d418d5a67f927f8
Instruction Fuzzy Hash: 0661C171550216BBEB14DF64DC85BFE77A8FB28711F104609F815D60D1DFB4AAA0CBA0

Function 00187778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#include, xrefs: 00187847
#ce, xrefs: 001878ED
#OnAutoItStartRegister, xrefs: 00187817
#include-once, xrefs: 0018782F
#notrayicon, xrefs: 001877E7
Cannot parse #include, xrefs: 001C5279
#pragma compile, xrefs: 001877D3
Unterminated group of comments, xrefs: 001C528C
#cs, xrefs: 00187873, 001878C5
#requireadmin, xrefs: 001877FF
#comments-end, xrefs: 001878D9
Bad directive syntax error, xrefs: 001C519A
#comments-start, xrefs: 0018785F, 001878B1
', xrefs: 001C5169
", xrefs: 001C5153

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 45912a27f1a1d3e64087e19233a0d04d18e0f76342af88bbe319a8398e853975
Instruction ID: d8e42c05ff09e03f5db34a81237c34a68d09b723cacda57ef3f1b1222e7d8562
Opcode Fuzzy Hash: 45912a27f1a1d3e64087e19233a0d04d18e0f76342af88bbe319a8398e853975
Instruction Fuzzy Hash: DF81E571644605BBDB24BF60DC46FAE77B9AF36300F144029F805AA1D6EB70DB91CBA1

Function 001F3E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 001F3EF8
_wcslen.LIBCMT ref: 001F3F03
_wcslen.LIBCMT ref: 001F3F5A
_wcslen.LIBCMT ref: 001F3F98
GetDriveTypeW.KERNEL32(?), ref: 001F3FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 001F401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 001F4059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 001F4087

Strings

open, xrefs: 001F3F54, 001F3F59
wait, xrefs: 001F4044
close, xrefs: 001F3EFE, 001F3F18
close cd wait, xrefs: 001F4072
type cdaudio alias cd wait, xrefs: 001F4001
open , xrefs: 001F3FE5
set cd door , xrefs: 001F4028
closed, xrefs: 001F3F08, 001F3F2D, 001F3F46, 001F3F7E, 001F3F97

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: 5469e9e02598372eafa56a16c7b0385b8daad961a5f55c3f55410125e504e1d3
Instruction ID: 57b3e42d43c494c09d242263728daba70f2550b65077d34b01e4bac14b32cca0
Opcode Fuzzy Hash: 5469e9e02598372eafa56a16c7b0385b8daad961a5f55c3f55410125e504e1d3
Instruction Fuzzy Hash: 1571A0316042069FC314EF24C88587BB7F4EFA5758F10492DFAA697291EB31DE45CB92

Function 001E5A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 001E5A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 001E5A40
SetWindowTextW.USER32(?,?), ref: 001E5A57
GetDlgItem.USER32(?,000003EA), ref: 001E5A6C
SetWindowTextW.USER32(00000000,?), ref: 001E5A72
GetDlgItem.USER32(?,000003E9), ref: 001E5A82
SetWindowTextW.USER32(00000000,?), ref: 001E5A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 001E5AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 001E5AC3
GetWindowRect.USER32(?,?), ref: 001E5ACC
_wcslen.LIBCMT ref: 001E5B33
SetWindowTextW.USER32(?,?), ref: 001E5B6F
GetDesktopWindow.USER32 ref: 001E5B75
GetWindowRect.USER32(00000000), ref: 001E5B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 001E5BD3
GetClientRect.USER32(?,?), ref: 001E5BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 001E5C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 001E5C2F

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 5ba2fa9d3e5965ca9a1e92144a52e44d2519dec0941cf1d1dfbcf351599de794
Instruction ID: caaff36315d8aec9941105080d344abbb14ec964644419c84bdd54ef9861b7ef
Opcode Fuzzy Hash: 5ba2fa9d3e5965ca9a1e92144a52e44d2519dec0941cf1d1dfbcf351599de794
Instruction Fuzzy Hash: 6D717035900B45AFDB24DFA9CE89BAEBBF6FF48708F104518E542A35A0DB75E940CB50

Function 001FFE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 001FFE27
LoadCursorW.USER32(00000000,00007F8A), ref: 001FFE32
LoadCursorW.USER32(00000000,00007F00), ref: 001FFE3D
LoadCursorW.USER32(00000000,00007F03), ref: 001FFE48
LoadCursorW.USER32(00000000,00007F8B), ref: 001FFE53
LoadCursorW.USER32(00000000,00007F01), ref: 001FFE5E
LoadCursorW.USER32(00000000,00007F81), ref: 001FFE69
LoadCursorW.USER32(00000000,00007F88), ref: 001FFE74
LoadCursorW.USER32(00000000,00007F80), ref: 001FFE7F
LoadCursorW.USER32(00000000,00007F86), ref: 001FFE8A
LoadCursorW.USER32(00000000,00007F83), ref: 001FFE95
LoadCursorW.USER32(00000000,00007F85), ref: 001FFEA0
LoadCursorW.USER32(00000000,00007F82), ref: 001FFEAB
LoadCursorW.USER32(00000000,00007F84), ref: 001FFEB6
LoadCursorW.USER32(00000000,00007F04), ref: 001FFEC1
LoadCursorW.USER32(00000000,00007F02), ref: 001FFECC
GetCursorInfo.USER32(?), ref: 001FFEDC
GetLastError.KERNEL32 ref: 001FFF1E

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 928007d29c2121380bf3002143378fd13bacea4733d00aab0d8c9cded6f17977
Instruction ID: dd1475c2587451a1a52d1c7e8a2388abe053e3f221b706d3abc7edced409dad1
Opcode Fuzzy Hash: 928007d29c2121380bf3002143378fd13bacea4733d00aab0d8c9cded6f17977
Instruction Fuzzy Hash: 894165B0D443196ADB10DFBA9C8986EBFE8FF04354B50452AF11DE7281DB789901CF91

Function 001E30F7 Relevance: 26.6, APIs: 8, Strings: 7, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 001E318D
_wcslen.LIBCMT ref: 001E31F8

Strings

CLASSNN, xrefs: 001E31F3, 001E3204
CLASS, xrefs: 001E3188, 001E31A5
NAME, xrefs: 001E3335, 001E3346
REGEXPCLASS, xrefs: 001E3255, 001E3266
[$, xrefs: 001E339A
TEXT, xrefs: 001E347C
INSTANCE, xrefs: 001E3453

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT$[$
API String ID: 176396367-3695031215
Opcode ID: 9b7439fdbc4f21546c532f07f63971521129aad4ce0c6b152bb4808af01178e8
Instruction ID: feaba054faba7d498f8d542666546f7e5448c0c0859d06425ceb21881bc181a3
Opcode Fuzzy Hash: 9b7439fdbc4f21546c532f07f63971521129aad4ce0c6b152bb4808af01178e8
Instruction Fuzzy Hash: 97E10732A00956ABCB189F75C449BEEF7B0BF54710F558129E466E7280DB30AF85CB90

Function 001A00C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 001A00C6

Part of subcall function 001A00ED: InitializeCriticalSectionAndSpinCount.KERNEL32(0025070C,00000FA0,C7F0A712,?,?,?,?,001C23B3,000000FF), ref: 001A011C
Part of subcall function 001A00ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,001C23B3,000000FF), ref: 001A0127
Part of subcall function 001A00ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,001C23B3,000000FF), ref: 001A0138
Part of subcall function 001A00ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 001A014E
Part of subcall function 001A00ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 001A015C
Part of subcall function 001A00ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 001A016A
Part of subcall function 001A00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 001A0195
Part of subcall function 001A00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 001A01A0

___scrt_fastfail.LIBCMT ref: 001A00E7

Part of subcall function 001A00A3: __onexit.LIBCMT ref: 001A00A9

Strings

api-ms-win-core-synch-l1-2-0.dll, xrefs: 001A0122
InitializeConditionVariable, xrefs: 001A0148
SleepConditionVariableCS, xrefs: 001A0154
kernel32.dll, xrefs: 001A0133
WakeAllConditionVariable, xrefs: 001A0162

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: b67c00143843f2a2a73b2b4684eeeb586ee29a41872b1b140cbcf8f841ecd160
Instruction ID: ea8a5098cd6359e55bd307cba1ab5278e5ffb62bf60ae18ae6e4e433fd565080
Opcode Fuzzy Hash: b67c00143843f2a2a73b2b4684eeeb586ee29a41872b1b140cbcf8f841ecd160
Instruction Fuzzy Hash: 9721073AA847017BD7125B64BD4ABEA73E4EB2FB51F114129F805D2291DF70DC408A94

Function 001F44C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,0021CC08), ref: 001F4527
_wcslen.LIBCMT ref: 001F453B
_wcslen.LIBCMT ref: 001F4599
_wcslen.LIBCMT ref: 001F45F4
_wcslen.LIBCMT ref: 001F463F
_wcslen.LIBCMT ref: 001F46A7

Part of subcall function 0019F9F2: _wcslen.LIBCMT ref: 0019F9FD

GetDriveTypeW.KERNEL32(?,00246BF0,00000061), ref: 001F4743

Strings

network, xrefs: 001F469D, 001F46A2
all, xrefs: 001F4531, 001F4536
cdrom, xrefs: 001F458F, 001F4594
removable, xrefs: 001F45EA, 001F45EF
ramdisk, xrefs: 001F46F1
unknown, xrefs: 001F4708
fixed, xrefs: 001F4635, 001F463A

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: f2b8e2e078945b9853fe25b41a43b6a629b3dbcc616c5c26802d0e0625808db1
Instruction ID: 88734fd0d3b08324325974fb0efd7578de5fcf7997eea74abe1db6559e84a143
Opcode Fuzzy Hash: f2b8e2e078945b9853fe25b41a43b6a629b3dbcc616c5c26802d0e0625808db1
Instruction Fuzzy Hash: BCB122316083069FC714EF28C890A7BB7E5BFA6724F504A1DF696C7291E730D945CB92

Function 0021911E Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00199BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00199BB2

DragQueryPoint.SHELL32(?,?), ref: 00219147

Part of subcall function 00217674: ClientToScreen.USER32(?,?), ref: 0021769A
Part of subcall function 00217674: GetWindowRect.USER32(?,?), ref: 00217710
Part of subcall function 00217674: PtInRect.USER32(?,?,00218B89), ref: 00217720

SendMessageW.USER32(?,000000B0,?,?), ref: 002191B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 002191BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 002191DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00219225
SendMessageW.USER32(?,000000B0,?,?), ref: 0021923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00219255
SendMessageW.USER32(?,000000B1,?,?), ref: 00219277
DragFinish.SHELL32(?), ref: 0021927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00219371

Strings

@GUI_DRAGFILE, xrefs: 00219320
p#%, xrefs: 002192BB
@GUI_DRAGID, xrefs: 002192E9
@GUI_DROPID, xrefs: 0021929E

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$p#%
API String ID: 221274066-994965530
Opcode ID: ad7a1a64adb3b9b02b1ade43f72ce423a1a0f9d5df51fe384fc59167a188c36e
Instruction ID: 45293c142d71dea6fccd92c0e40de30787bd2ab616538e1676374dbff927cdbe
Opcode Fuzzy Hash: ad7a1a64adb3b9b02b1ade43f72ce423a1a0f9d5df51fe384fc59167a188c36e
Instruction Fuzzy Hash: 09619E71108301AFD705EF64DC89DAFBBE8EFA9350F10092EF595931A0DB309A58CB92

Function 00203FE9 Relevance: 23.2, APIs: 11, Strings: 2, Instructions: 478libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,0021CC08), ref: 002040BB
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 002040CD
GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,0021CC08), ref: 002040F2
FreeLibrary.KERNEL32(00000000,?,0021CC08), ref: 0020413E
StringFromGUID2.OLE32(?,?,00000028,?,0021CC08), ref: 002041A8
SysFreeString.OLEAUT32(00000009), ref: 00204262
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 002042C8
SysFreeString.OLEAUT32(?), ref: 002042F2

Strings

kernel32.dll, xrefs: 002040B6
GetModuleHandleExW, xrefs: 002040C7

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 354098117-199464113
Opcode ID: 05813cbb767c303f3228b3e3fdc4621e6ab646b9222e5e01ecc7719ea6d1ad3c
Instruction ID: 3c9c89bc1f6e5b1e352932a6ed9dca517dec17fa12a50e49ba77c8b8fa6eefc1
Opcode Fuzzy Hash: 05813cbb767c303f3228b3e3fdc4621e6ab646b9222e5e01ecc7719ea6d1ad3c
Instruction Fuzzy Hash: 84124EB5A10215EFDB14EF54C884EAEB7B5FF45314F24C098EA05AB292C771ED52CBA0

Function 0018326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00251990), ref: 001C2F8D
GetMenuItemCount.USER32(00251990), ref: 001C303D
GetCursorPos.USER32(?), ref: 001C3081
SetForegroundWindow.USER32(00000000), ref: 001C308A
TrackPopupMenuEx.USER32(00251990,00000000,?,00000000,00000000,00000000), ref: 001C309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 001C30A9

Strings

0, xrefs: 0018327D

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 2d8bfab2a43373d42892f33309e7ee49172971ebce0e245d3e921f1625cefbde
Instruction ID: ba2a10c72d03c9c0859e3fe1bba9dfbe9518cd95e74c7e33aad3fb06e64fc2e2
Opcode Fuzzy Hash: 2d8bfab2a43373d42892f33309e7ee49172971ebce0e245d3e921f1625cefbde
Instruction Fuzzy Hash: 97715C71644209BFEB259F68DC49FAABF65FF21724F24421AF524661E0C7B1ED10CB90

Function 00216CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 00216DEB

Part of subcall function 00186B57: _wcslen.LIBCMT ref: 00186B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00216E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00216E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00216E94
DestroyWindow.USER32(?), ref: 00216EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00180000,00000000), ref: 00216EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00216EFD
GetDesktopWindow.USER32 ref: 00216F16
GetWindowRect.USER32(00000000), ref: 00216F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00216F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00216F4D

Part of subcall function 00199944: GetWindowLongW.USER32(?,000000EB), ref: 00199952

Strings

0, xrefs: 00216D98
tooltips_class32, xrefs: 00216E58, 00216EDD

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 336d181263bf777b0b35a37016be3c012439d27c6f9075c5b07ed5c6e4956774
Instruction ID: c39040d99a0b494feffe4b2fa9579947b88ce4ef2baccd61ded519331f0cd259
Opcode Fuzzy Hash: 336d181263bf777b0b35a37016be3c012439d27c6f9075c5b07ed5c6e4956774
Instruction Fuzzy Hash: 19719774240341AFDB24CF18EC48FAABBE9FBA8304F14451DF99987260CB70E966CB11

Function 001FC476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 001FC4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 001FC4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 001FC4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 001FC4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 001FC533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 001FC549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 001FC554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 001FC584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 001FC5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 001FC5F0
InternetCloseHandle.WININET(00000000), ref: 001FC5FB

Strings

, xrefs: 001FC575

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: d4f9c6050cc50270ec8de1c6945ef338fe84f7b8f78a3e63492067aa829005b0
Instruction ID: f2ec06b17060f192951cbc5af4971b83ec88fe1ae722564a5fac36835d8cc7f9
Opcode Fuzzy Hash: d4f9c6050cc50270ec8de1c6945ef338fe84f7b8f78a3e63492067aa829005b0
Instruction Fuzzy Hash: 0E516FB464020DBFDB218F60DA48ABB7BBCFF18354F14841AFA4596250DB71E905EBA0

Function 0021856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 00218592
GetFileSize.KERNEL32(00000000,00000000), ref: 002185A2
GlobalAlloc.KERNEL32(00000002,00000000), ref: 002185AD
CloseHandle.KERNEL32(00000000), ref: 002185BA
GlobalLock.KERNEL32(00000000), ref: 002185C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 002185D7
GlobalUnlock.KERNEL32(00000000), ref: 002185E0
CloseHandle.KERNEL32(00000000), ref: 002185E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 002185F8
OleLoadPicture.OLEAUT32(?,00000000,00000000,0021FC38,?), ref: 00218611
GlobalFree.KERNEL32(00000000), ref: 00218621
GetObjectW.GDI32(?,00000018,000000FF), ref: 00218641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00218671
DeleteObject.GDI32(00000000), ref: 00218699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 002186AF

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: b1c46a980bffd8c73c26fb4d78dc226c6fc483506f5fe9c134450d2299141fc5
Instruction ID: 5967bc62277b47ec1f826173aba58d5ff78994fcee9d92b6cb573fe2b628fc28
Opcode Fuzzy Hash: b1c46a980bffd8c73c26fb4d78dc226c6fc483506f5fe9c134450d2299141fc5
Instruction Fuzzy Hash: 08412975640209BFDB119FA5DC8CEEA7BBDEFA9711F208058F909E7260DB709941CB60

Function 001F14BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 001F1502
VariantCopy.OLEAUT32(?,?), ref: 001F150B
VariantClear.OLEAUT32(?), ref: 001F1517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 001F15FB
VarR8FromDec.OLEAUT32(?,?), ref: 001F1657
VariantInit.OLEAUT32(?), ref: 001F1708
SysFreeString.OLEAUT32(?), ref: 001F178C
VariantClear.OLEAUT32(?), ref: 001F17D8
VariantClear.OLEAUT32(?), ref: 001F17E7
VariantInit.OLEAUT32(00000000), ref: 001F1823

Strings

Default, xrefs: 001F16AF
%4d%02d%02d%02d%02d%02d, xrefs: 001F1625

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 378fab8aa5e7b374022d97be80f9c46c2a1335c8965501724984b8583ac5c5d5
Instruction ID: 9cb525bc52b43a8dad2b85dc8f14fecfa4023daed9f22e43f2848abfa881eab9
Opcode Fuzzy Hash: 378fab8aa5e7b374022d97be80f9c46c2a1335c8965501724984b8583ac5c5d5
Instruction Fuzzy Hash: 88D12531A00119FBDF08AF65E885BBDB7B6BF46700F25805AF606AB190DB30DD45DBA1

Function 0020B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00189CB3: _wcslen.LIBCMT ref: 00189CBD

Part of subcall function 0020C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0020B6AE,?,?), ref: 0020C9B5
Part of subcall function 0020C998: _wcslen.LIBCMT ref: 0020C9F1
Part of subcall function 0020C998: _wcslen.LIBCMT ref: 0020CA68
Part of subcall function 0020C998: _wcslen.LIBCMT ref: 0020CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0020B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0020B772
RegDeleteValueW.ADVAPI32(?,?), ref: 0020B80A
RegCloseKey.ADVAPI32(?), ref: 0020B87E
RegCloseKey.ADVAPI32(?), ref: 0020B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 0020B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0020B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 0020B922
FreeLibrary.KERNEL32(00000000), ref: 0020B983
RegCloseKey.ADVAPI32(00000000), ref: 0020B994

Strings

RegDeleteKeyExW, xrefs: 0020B8FE
advapi32.dll, xrefs: 0020B8ED

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: d4c35134d33d42daafd89b73eebea1e50a039801430607d4d032b7d573a4a8ba
Instruction ID: dfdf8eeb91e4c735b6d8626a672ec3fef6ed1df093a590e21f1fc29df42d9f9d
Opcode Fuzzy Hash: d4c35134d33d42daafd89b73eebea1e50a039801430607d4d032b7d573a4a8ba
Instruction Fuzzy Hash: C7C18A35218302AFD725DF14C494F2ABBE5BF94308F14849CE59A8B2A3CB71E955CF91

Function 0020255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 002025D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 002025E8
CreateCompatibleDC.GDI32(?), ref: 002025F4
SelectObject.GDI32(00000000,?), ref: 00202601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0020266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 002026AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 002026D0
SelectObject.GDI32(?,?), ref: 002026D8
DeleteObject.GDI32(?), ref: 002026E1
DeleteDC.GDI32(?), ref: 002026E8
ReleaseDC.USER32(00000000,?), ref: 002026F3

Strings

(, xrefs: 0020268D

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 72922b0b7806ce3e44e6a5b4f5def1d7417fe9edf60fedfe0a8db44d58d9d82e
Instruction ID: b5e10b7f2ede09df46fb34f2ac0af6ea5f6767728dcfa43a6569eb74490df0b2
Opcode Fuzzy Hash: 72922b0b7806ce3e44e6a5b4f5def1d7417fe9edf60fedfe0a8db44d58d9d82e
Instruction Fuzzy Hash: 5C610275D00219EFCF04CFA4D888AAEBBFAFF58310F20852AE959A7251D771A951CF50

Function 001BDA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 001BDAA1

Part of subcall function 001BD63C: _free.LIBCMT ref: 001BD659
Part of subcall function 001BD63C: _free.LIBCMT ref: 001BD66B
Part of subcall function 001BD63C: _free.LIBCMT ref: 001BD67D
Part of subcall function 001BD63C: _free.LIBCMT ref: 001BD68F
Part of subcall function 001BD63C: _free.LIBCMT ref: 001BD6A1
Part of subcall function 001BD63C: _free.LIBCMT ref: 001BD6B3
Part of subcall function 001BD63C: _free.LIBCMT ref: 001BD6C5
Part of subcall function 001BD63C: _free.LIBCMT ref: 001BD6D7
Part of subcall function 001BD63C: _free.LIBCMT ref: 001BD6E9
Part of subcall function 001BD63C: _free.LIBCMT ref: 001BD6FB
Part of subcall function 001BD63C: _free.LIBCMT ref: 001BD70D
Part of subcall function 001BD63C: _free.LIBCMT ref: 001BD71F
Part of subcall function 001BD63C: _free.LIBCMT ref: 001BD731

_free.LIBCMT ref: 001BDA96

Part of subcall function 001B29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,001BD7D1,00000000,00000000,00000000,00000000,?,001BD7F8,00000000,00000007,00000000,?,001BDBF5,00000000), ref: 001B29DE
Part of subcall function 001B29C8: GetLastError.KERNEL32(00000000,?,001BD7D1,00000000,00000000,00000000,00000000,?,001BD7F8,00000000,00000007,00000000,?,001BDBF5,00000000,00000000), ref: 001B29F0

_free.LIBCMT ref: 001BDAB8
_free.LIBCMT ref: 001BDACD
_free.LIBCMT ref: 001BDAD8
_free.LIBCMT ref: 001BDAFA
_free.LIBCMT ref: 001BDB0D
_free.LIBCMT ref: 001BDB1B
_free.LIBCMT ref: 001BDB26
_free.LIBCMT ref: 001BDB5E
_free.LIBCMT ref: 001BDB65
_free.LIBCMT ref: 001BDB82
_free.LIBCMT ref: 001BDB9A

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 2506890613cefe0fd7e86e2b32bfddb77c3ff535229fe89bbfdfd801576766d7
Instruction ID: 61aa21f5c36768ca324d30c463d2f5b4b14fa69f3eec5e8602c4c412e200d1e3
Opcode Fuzzy Hash: 2506890613cefe0fd7e86e2b32bfddb77c3ff535229fe89bbfdfd801576766d7
Instruction Fuzzy Hash: 8C315C31604305AFEB29AA39E945BDAB7E9FF21314F154829F449D7191EF31EC44CB24

Function 001E365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 001E369C
_wcslen.LIBCMT ref: 001E36A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 001E3797
GetClassNameW.USER32(?,?,00000400), ref: 001E380C
GetDlgCtrlID.USER32(?), ref: 001E385D
GetWindowRect.USER32(?,?), ref: 001E3882
GetParent.USER32(?), ref: 001E38A0
ScreenToClient.USER32(00000000), ref: 001E38A7
GetClassNameW.USER32(?,?,00000100), ref: 001E3921
GetWindowTextW.USER32(?,?,00000400), ref: 001E395D

Strings

%s%u, xrefs: 001E3734

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 6688c4a8ad8f8dacd3bcccc3dd3866575003948f436718e2d586da6ad3d2dc06
Instruction ID: e4c273642f67ce6e1655dfa12f2e568dce20ce5d111263bdf660edb1596b2555
Opcode Fuzzy Hash: 6688c4a8ad8f8dacd3bcccc3dd3866575003948f436718e2d586da6ad3d2dc06
Instruction Fuzzy Hash: 3391A271204A46AFD718DF25C889FEEF7A8FF54314F008629F9A983191DB30AA45CB91

Function 001E4954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 001E4994
GetWindowTextW.USER32(?,?,00000400), ref: 001E49DA
_wcslen.LIBCMT ref: 001E49EB
CharUpperBuffW.USER32(?,00000000), ref: 001E49F7
_wcsstr.LIBVCRUNTIME ref: 001E4A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 001E4A64
GetWindowTextW.USER32(?,?,00000400), ref: 001E4A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 001E4AE6
GetClassNameW.USER32(?,?,00000400), ref: 001E4B20
GetWindowRect.USER32(?,?), ref: 001E4B8B

Strings

ThumbnailClass, xrefs: 001E4A6F, 001E4AF1

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 4597c66e7a22a321adfa7b8c4269c956180b050233ff4be0a4adeeddda41db49
Instruction ID: 1cdf42723799dc37f6ee4cf9ef1b29f07e75ecb39ed679fcdcad12d5bc0ada0d
Opcode Fuzzy Hash: 4597c66e7a22a321adfa7b8c4269c956180b050233ff4be0a4adeeddda41db49
Instruction Fuzzy Hash: A591DD310086859FDB04CF16D985BAEB7E9FF94314F04846AFD869B096DB30ED45CBA1

Function 001EBF30 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00251990,000000FF,00000000,00000030), ref: 001EBFAC
SetMenuItemInfoW.USER32(00251990,00000004,00000000,00000030), ref: 001EBFE1
Sleep.KERNEL32(000001F4), ref: 001EBFF3
GetMenuItemCount.USER32(?), ref: 001EC039
GetMenuItemID.USER32(?,00000000), ref: 001EC056
GetMenuItemID.USER32(?,-00000001), ref: 001EC082
GetMenuItemID.USER32(?,?), ref: 001EC0C9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 001EC10F
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 001EC124
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 001EC145

Strings

0, xrefs: 001EBF3D

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep
String ID: 0
API String ID: 1460738036-4108050209
Opcode ID: db1ad620e39c73b179131755c82b17dd6676d2dd4d31908cb6f5d38530ec9335
Instruction ID: 9fc457a3b17e6c8c8ddea89d48f105742b4cb30e8199eb92bb0bc0cad424e434
Opcode Fuzzy Hash: db1ad620e39c73b179131755c82b17dd6676d2dd4d31908cb6f5d38530ec9335
Instruction Fuzzy Hash: 26619DB490078AEFDF15CF69DC88AEEBBB9EB15344F144055F811A3291CB31AD16CBA0

Function 0020CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0020CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0020CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0020CD48

Part of subcall function 0020CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0020CCAA
Part of subcall function 0020CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0020CCBD
Part of subcall function 0020CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0020CCCF
Part of subcall function 0020CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0020CD05
Part of subcall function 0020CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0020CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 0020CCF3

Strings

RegDeleteKeyExW, xrefs: 0020CCC9
advapi32.dll, xrefs: 0020CCB8

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: a082f4c34795c102f1460a14b58897e0a2831aabe1f144b085338d82051c4adb
Instruction ID: e968816da0e5970a7c1892cff2e1ffdcd67bc59525cbbafdb3a897bbf81eeaa7
Opcode Fuzzy Hash: a082f4c34795c102f1460a14b58897e0a2831aabe1f144b085338d82051c4adb
Instruction Fuzzy Hash: C231AFB5951229BBDB208F50DC8CEFFBB7CEF15750F204265B905E2281DB308E45DAA0

Function 001F3D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 001F3D40
_wcslen.LIBCMT ref: 001F3D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 001F3D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 001F3DBE
RemoveDirectoryW.KERNEL32(?), ref: 001F3DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 001F3E55
CloseHandle.KERNEL32(00000000), ref: 001F3E60
CloseHandle.KERNEL32(00000000), ref: 001F3E6B

Strings

\, xrefs: 001F3D77
:, xrefs: 001F3D82
\??\%s, xrefs: 001F3D5B

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: 8e69995a2b4ee4a4693b9b45df2d462dcd45716b8362870a28bf485557fb11ca
Instruction ID: f3f68da90dc55dfdbbc58a3452256bb417632bb2ed869680d2e5c8db5cbe8f0c
Opcode Fuzzy Hash: 8e69995a2b4ee4a4693b9b45df2d462dcd45716b8362870a28bf485557fb11ca
Instruction Fuzzy Hash: D631D2B5940219ABDB209FA0DC48FEF37BDEF99740F6040B5FA19D2060EB7097448B64

Function 001EE6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 001EE6B4

Part of subcall function 0019E551: timeGetTime.WINMM(?,?,001EE6D4), ref: 0019E555

Sleep.KERNEL32(0000000A), ref: 001EE6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 001EE705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 001EE727
SetActiveWindow.USER32 ref: 001EE746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 001EE754
SendMessageW.USER32(00000010,00000000,00000000), ref: 001EE773
Sleep.KERNEL32(000000FA), ref: 001EE77E
IsWindow.USER32 ref: 001EE78A
EndDialog.USER32(00000000), ref: 001EE79B

Strings

BUTTON, xrefs: 001EE719

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: be63f1a29b9479cd2bcd6290a7230f9abc3bc86409e7548a4a1095cb68b4e5eb
Instruction ID: 64e3632bd80e1c813eae80f24ab61fcbed4a6da2b3ae3fb3fddd2cbcb645304f
Opcode Fuzzy Hash: be63f1a29b9479cd2bcd6290a7230f9abc3bc86409e7548a4a1095cb68b4e5eb
Instruction Fuzzy Hash: AB21C3B4640B85FFEB005F61FC8DB693BADF76534AF204424F815C21A1DF71AC448A68

Function 001EE9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00189CB3: _wcslen.LIBCMT ref: 00189CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 001EEA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 001EEA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 001EEA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 001EEA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 001EEAA7

Strings

play PlayMe, xrefs: 001EEAA2
status PlayMe mode, xrefs: 001EEA58
close PlayMe, xrefs: 001EEA6E, 001EEA9B
alias PlayMe, xrefs: 001EEA36
open , xrefs: 001EEA0C
play PlayMe wait, xrefs: 001EEA91

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 7cb88aa0c86d1244436621bb2274c0e3d446baa8557345cdc1d3ad56c6a58d32
Instruction ID: 3b5ce5f17a4e1c52966da26f40eacff89c61fd77a03a1d6d596393bf4a08f00d
Opcode Fuzzy Hash: 7cb88aa0c86d1244436621bb2274c0e3d446baa8557345cdc1d3ad56c6a58d32
Instruction Fuzzy Hash: 28117731AA025979D724B762DC4EDFF6ABCEBD3F04F440429B811A20D1EFB00A15CAB1

Function 001E9F91 Relevance: 18.2, APIs: 12, Instructions: 188keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 001EA012
SetKeyboardState.USER32(?), ref: 001EA07D
GetAsyncKeyState.USER32(000000A0), ref: 001EA09D
GetKeyState.USER32(000000A0), ref: 001EA0B4
GetAsyncKeyState.USER32(000000A1), ref: 001EA0E3
GetKeyState.USER32(000000A1), ref: 001EA0F4
GetAsyncKeyState.USER32(00000011), ref: 001EA120
GetKeyState.USER32(00000011), ref: 001EA12E
GetAsyncKeyState.USER32(00000012), ref: 001EA157
GetKeyState.USER32(00000012), ref: 001EA165
GetAsyncKeyState.USER32(0000005B), ref: 001EA18E
GetKeyState.USER32(0000005B), ref: 001EA19C

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 806da7ba4bb07193a8a2bc3726ea30a51b83021be7dca46faf4ddf38d85bf3f6
Instruction ID: 8a2b62225b9e06c30c935d22e02631e9c7014186199b6b8e142246eba30136d8
Opcode Fuzzy Hash: 806da7ba4bb07193a8a2bc3726ea30a51b83021be7dca46faf4ddf38d85bf3f6
Instruction Fuzzy Hash: 4451D930908BC829FB35DB6288557EEBFF59F12380F488599D5C2571C2DB54BA8CC762

Function 001E5CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 001E5CE2
GetWindowRect.USER32(00000000,?), ref: 001E5CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 001E5D59
GetDlgItem.USER32(?,00000002), ref: 001E5D69
GetWindowRect.USER32(00000000,?), ref: 001E5D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 001E5DCF
GetDlgItem.USER32(?,000003E9), ref: 001E5DDD
GetWindowRect.USER32(00000000,?), ref: 001E5DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 001E5E31
GetDlgItem.USER32(?,000003EA), ref: 001E5E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 001E5E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 001E5E67

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 6ea18bd393e177d6a4feee81ee1819dc47f52ec58169bb8522fb1615d05ac432
Instruction ID: 013230e5bb44f0b56627ee77af4598facd5d53909732eb69be099f92cb9cec59
Opcode Fuzzy Hash: 6ea18bd393e177d6a4feee81ee1819dc47f52ec58169bb8522fb1615d05ac432
Instruction Fuzzy Hash: FF513374B40605AFDF18CFA9DD89AAEBBBAFB58314F248129F515E7290D7709D00CB50

Function 00198BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00198F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00198BE8,?,00000000,?,?,?,?,00198BBA,00000000,?), ref: 00198FC5

DestroyWindow.USER32(?), ref: 00198C81
KillTimer.USER32(00000000,?,?,?,?,00198BBA,00000000,?), ref: 00198D1B
DestroyAcceleratorTable.USER32(00000000), ref: 001D6973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00198BBA,00000000,?), ref: 001D69A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00198BBA,00000000,?), ref: 001D69B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00198BBA,00000000), ref: 001D69D4
DeleteObject.GDI32(00000000), ref: 001D69E6

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 7c1f59faf82249e71e880a38820433a60b1ae24d019c8a019c91ede5fdd2a920
Instruction ID: befa8346d67d8ddacb2b9afa626b9989aa3b0c6710ec1a80f0ee06f00dd8cc2b
Opcode Fuzzy Hash: 7c1f59faf82249e71e880a38820433a60b1ae24d019c8a019c91ede5fdd2a920
Instruction Fuzzy Hash: AA619C30502700DFDF299F24E95CBA9B7F1FB52316F148519E0829B6A0CB71ADA0CFA4

Function 00199838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00199944: GetWindowLongW.USER32(?,000000EB), ref: 00199952

GetSysColor.USER32(0000000F), ref: 00199862

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 170f1fbf3fc5a1745fd94361f8c7ad8588a8672630ea025740276bf7b466f3ea
Instruction ID: cf719f9ce35b8765a63e5deddaa4350b01772bf520e053c3e6cc1c675815fd77
Opcode Fuzzy Hash: 170f1fbf3fc5a1745fd94361f8c7ad8588a8672630ea025740276bf7b466f3ea
Instruction Fuzzy Hash: 4341B435544644AFDF205F3CAC88BB93BA5EB16331F24861DF9A6872E1E7319C41DB11

Function 001E96E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,001CF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 001E9717
LoadStringW.USER32(00000000,?,001CF7F8,00000001), ref: 001E9720

Part of subcall function 00189CB3: _wcslen.LIBCMT ref: 00189CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,001CF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 001E9742
LoadStringW.USER32(00000000,?,001CF7F8,00000001), ref: 001E9745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 001E9866

Strings

Line %d (File "%s"):, xrefs: 001E978F
Error: , xrefs: 001E981D
^ ERROR, xrefs: 001E97FB
%s (%d) : ==> %s: %s %s, xrefs: 001E984A
Line %d:, xrefs: 001E97A0

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 0e3181079e0cb2b1871da7f9f7c63873f37a9aefe555954382c98fd98060050e
Instruction ID: 4b5e79026c305e2971a87ce1ce6839d368f05c7d59c042b52b34346e279df71a
Opcode Fuzzy Hash: 0e3181079e0cb2b1871da7f9f7c63873f37a9aefe555954382c98fd98060050e
Instruction Fuzzy Hash: 9C414B72800209AACF14FBE1DD86EEEB778AF66740F640065F60572092EB356F49CF61

Function 001E06DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00186B57: _wcslen.LIBCMT ref: 00186B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 001E07A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 001E07BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 001E07DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 001E0804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 001E082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 001E0837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 001E083C

Strings

SOFTWARE\Classes\, xrefs: 001E070E
\IPC$, xrefs: 001E0784
\CLSID, xrefs: 001E0724

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 6e1b892bd5c933dd51dbffd0f5115435b64f2bfcbf78358b6e1ff9772a904cdb
Instruction ID: 15a7f9729c3562bc45166927940c941906b6126e117ea1bc89c9cd31ca0310d4
Opcode Fuzzy Hash: 6e1b892bd5c933dd51dbffd0f5115435b64f2bfcbf78358b6e1ff9772a904cdb
Instruction Fuzzy Hash: A5413676C10629ABDF15EBA4EC85CEDB778FF28340B144129E901B3161EB749E44CFA0

Function 00213F98 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 0021403B
CreateCompatibleDC.GDI32(00000000), ref: 00214042
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00214055
SelectObject.GDI32(00000000,00000000), ref: 0021405D
GetPixel.GDI32(00000000,00000000,00000000), ref: 00214068
DeleteDC.GDI32(00000000), ref: 00214072
GetWindowLongW.USER32(?,000000EC), ref: 0021407C
SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 00214092
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 0021409E

Strings

static, xrefs: 00213FD3

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: cf59b42f00fec065ee62d3655fe44bbc346661b9ec370370f65e37ab530ba7bc
Instruction ID: 6fc3b6e9b629e67198406517bf62251763f1df04203ef06e1ca0bddd535507bb
Opcode Fuzzy Hash: cf59b42f00fec065ee62d3655fe44bbc346661b9ec370370f65e37ab530ba7bc
Instruction Fuzzy Hash: 55318E36150215BBDF21AFA4DC08FDA3BA9EF2D320F214211FA18E60A0CB75D861DB94

Function 00203C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00203C5C
CoInitialize.OLE32(00000000), ref: 00203C8A
CoUninitialize.OLE32 ref: 00203C94
_wcslen.LIBCMT ref: 00203D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00203DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00203ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00203F0E
CoGetObject.OLE32(?,00000000,0021FB98,?), ref: 00203F2D
SetErrorMode.KERNEL32(00000000), ref: 00203F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00203FC4
VariantClear.OLEAUT32(?), ref: 00203FD8

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 8f4ffe5fd2dae168eb9782dc7c1efb95702563773216cde9e1b09929fb53a143
Instruction ID: c2e5ea61512caf79fbe7875df45b9ff355c746b20e8f112d9ff2abd6105eb12f
Opcode Fuzzy Hash: 8f4ffe5fd2dae168eb9782dc7c1efb95702563773216cde9e1b09929fb53a143
Instruction Fuzzy Hash: 6AC155716183069FD700DF68C88496BBBE9FF89744F10491DF98A9B292DB70EE05CB52

Function 001F7A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 001F7AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 001F7B8F
SHGetDesktopFolder.SHELL32(?), ref: 001F7BA3
CoCreateInstance.OLE32(0021FD08,00000000,00000001,00246E6C,?), ref: 001F7BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 001F7C74
CoTaskMemFree.OLE32(?,?), ref: 001F7CCC
SHBrowseForFolderW.SHELL32(?), ref: 001F7D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 001F7D7A
CoTaskMemFree.OLE32(00000000), ref: 001F7D81
CoTaskMemFree.OLE32(00000000), ref: 001F7DD6
CoUninitialize.OLE32 ref: 001F7DDC

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 88c537ba393006e795c559af70d7ffe2f0a3106ce02c0b0b16d492b4c541e92e
Instruction ID: fa9b4c49e7d4da795eb4550342d8c9e41a07e9811a7a31ea8c4012b1eeb9686d
Opcode Fuzzy Hash: 88c537ba393006e795c559af70d7ffe2f0a3106ce02c0b0b16d492b4c541e92e
Instruction Fuzzy Hash: 05C11A75A04109AFCB14DFA4D888DAEBBF9FF49304B148499E919DB261DB30EE41CF90

Function 0021541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00215504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00215515
CharNextW.USER32(00000158), ref: 00215544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00215585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0021559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 002155AC

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 8018819159ff5875504f0f6bb384dbe27a735483b6560b028ad9961f609aaa2c
Instruction ID: 1048a7725aeb1b61e19ceaf606c8c9fb53967d7b711f531525426eb73529fb8e
Opcode Fuzzy Hash: 8018819159ff5875504f0f6bb384dbe27a735483b6560b028ad9961f609aaa2c
Instruction Fuzzy Hash: CB619134920629EFDF109F54DC849FE7BF9FBA9320F108185F525A6290D7748AE0DBA1

Function 001DFA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 001DFAAF
SafeArrayAllocData.OLEAUT32(?), ref: 001DFB08
VariantInit.OLEAUT32(?), ref: 001DFB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 001DFB3A
VariantCopy.OLEAUT32(?,?), ref: 001DFB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 001DFBA1
VariantClear.OLEAUT32(?), ref: 001DFBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 001DFBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 001DFBCC
VariantClear.OLEAUT32(?), ref: 001DFBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 001DFBE9

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: e9d17cd37b48d3d13f52e5605651c983b7a6428cb15693df3e1d5923d1c04d0f
Instruction ID: 22b831bc777db1210af9950fda97761bc1f174f01dae11e11e9c5aa045c270fa
Opcode Fuzzy Hash: e9d17cd37b48d3d13f52e5605651c983b7a6428cb15693df3e1d5923d1c04d0f
Instruction Fuzzy Hash: B1416435A04219DFDF04DF64D8589EDBBB9FF18344F10806AE946A7361CB30AA46CF90

Function 001E9C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 001E9CA1
GetAsyncKeyState.USER32(000000A0), ref: 001E9D22
GetKeyState.USER32(000000A0), ref: 001E9D3D
GetAsyncKeyState.USER32(000000A1), ref: 001E9D57
GetKeyState.USER32(000000A1), ref: 001E9D6C
GetAsyncKeyState.USER32(00000011), ref: 001E9D84
GetKeyState.USER32(00000011), ref: 001E9D96
GetAsyncKeyState.USER32(00000012), ref: 001E9DAE
GetKeyState.USER32(00000012), ref: 001E9DC0
GetAsyncKeyState.USER32(0000005B), ref: 001E9DD8
GetKeyState.USER32(0000005B), ref: 001E9DEA

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: e3a0ad406a7decb722befa574dc7c805878c1e416317552a2c2f49675280d497
Instruction ID: cb8af852220900e805e56902c7d9d3ad03adaaba91364d54b1a9776e580d0587
Opcode Fuzzy Hash: e3a0ad406a7decb722befa574dc7c805878c1e416317552a2c2f49675280d497
Instruction Fuzzy Hash: 9341D634504FD969FF3496A288043FDBEE1BF21344F58805ADAC65B5C2DBA499C8C7A2

Function 0020055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 002005BC
inet_addr.WSOCK32(?), ref: 0020061C
gethostbyname.WSOCK32(?), ref: 00200628
IcmpCreateFile.IPHLPAPI ref: 00200636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 002006C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 002006E5
IcmpCloseHandle.IPHLPAPI(?), ref: 002007B9
WSACleanup.WSOCK32 ref: 002007BF

Strings

Ping, xrefs: 00200676

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 034b625c49dbe6570fc15e7822e3441aa899a4e926d4ff7f4a2487178e77de3e
Instruction ID: 68d4fc698242924dbdc3457530a4a193c7c7dd348d337d1be33f093b10ff98ad
Opcode Fuzzy Hash: 034b625c49dbe6570fc15e7822e3441aa899a4e926d4ff7f4a2487178e77de3e
Instruction Fuzzy Hash: 8991AD34618302AFE720DF15D8C8F1ABBE4AF49318F1485A9E4698B6A2C774ED51CF91

Function 00208CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00208CF3

Part of subcall function 001E8E54: _wcslen.LIBCMT ref: 001E8E77

_wcslen.LIBCMT ref: 00208D4E
_wcslen.LIBCMT ref: 00208D9C
_wcslen.LIBCMT ref: 00208DDC
_wcslen.LIBCMT ref: 00208E6E

Strings

winapi, xrefs: 00208D96, 00208D9B
cdecl, xrefs: 00208D48, 00208D4D
none, xrefs: 00208E65, 00208E6A
stdcall, xrefs: 00208DD6, 00208DDB

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 14c11634b61e82498f64e3f54887202caa62eb106c33c1a38fb8e9d3b64b2433
Instruction ID: 1350949ea418b1392e5a3e72a30cd866393cc5f1696adcb1ff83ed94b7919a8c
Opcode Fuzzy Hash: 14c11634b61e82498f64e3f54887202caa62eb106c33c1a38fb8e9d3b64b2433
Instruction Fuzzy Hash: DC51B331A206179BCF14DF68C9408BFB7A5BF65724B214229F4A5E72C6EB70DE50C790

Function 0020372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00203774
CoUninitialize.OLE32 ref: 0020377F
CoCreateInstance.OLE32(?,00000000,00000017,0021FB78,?), ref: 002037D9
IIDFromString.OLE32(?,?), ref: 0020384C
VariantInit.OLEAUT32(?), ref: 002038E4
VariantClear.OLEAUT32(?), ref: 00203936

Strings

NULL Pointer assignment, xrefs: 0020381E
Failed to create object, xrefs: 002037E4, 0020389A
Invalid parameter, xrefs: 00203865

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: d53101c4c94aae4ec3e15403206cc6e863b8d47d04ee82045ba1725e00ab00c9
Instruction ID: 78197ddf65abed70a9ef1d402d3524e80513edb5576ddbb90e1968753c6ebc34
Opcode Fuzzy Hash: d53101c4c94aae4ec3e15403206cc6e863b8d47d04ee82045ba1725e00ab00c9
Instruction Fuzzy Hash: EB61D070628701AFD311DF54D888F6AB7E8EF59700F104849F9859B2E2C7B0EE58CB92

Function 001F3388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 001F33CF

Part of subcall function 00189CB3: _wcslen.LIBCMT ref: 00189CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 001F33F0

Strings

Line %d (File "%s"):, xrefs: 001F3443, 001F345C
"%s" (%d) : ==> %s:, xrefs: 001F3522
Error: , xrefs: 001F34D1
"%s" (%d) : ==> %s:%s%s, xrefs: 001F3504
^ ERROR , xrefs: 001F349E
Incorrect parameters to object property !, xrefs: 001F34AB

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: d9ed0d6612d4163ca62829f5f036f218e68685267d1100075a127f1b480de6cf
Instruction ID: c3fcdc3e27ae808c69bdcf312f72043f36ef285da1760ab48cc87db1ede4400e
Opcode Fuzzy Hash: d9ed0d6612d4163ca62829f5f036f218e68685267d1100075a127f1b480de6cf
Instruction Fuzzy Hash: D1518B71900209BADF19EBA0DD46EFEB378AF25700F244065F515720A2EB352F68DF61

Function 001EB5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 001EB5FC
_wcslen.LIBCMT ref: 001EB608
_wcslen.LIBCMT ref: 001EB64D
_wcslen.LIBCMT ref: 001EB68C
_wcslen.LIBCMT ref: 001EB6C7

Strings

REMOVE, xrefs: 001EB602, 001EB607
KEYS, xrefs: 001EB647, 001EB64C
APPEND, xrefs: 001EB6C1, 001EB6C6
EXISTS, xrefs: 001EB686, 001EB68B

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: fba226d4e199a3c48d07a2944032446a0240552caf79a1adce78c78df30917e8
Instruction ID: 8019011aa8266c430be86afa5468d3273b14b881d4e671f5123f5f4bf51ddc4a
Opcode Fuzzy Hash: fba226d4e199a3c48d07a2944032446a0240552caf79a1adce78c78df30917e8
Instruction Fuzzy Hash: CB41F832A084679BCB206F7EC8D05BFB7A5AFA9B54B254129E421DB284E731CD81C790

Function 001F5393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 001F53A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 001F5416
GetLastError.KERNEL32 ref: 001F5420
SetErrorMode.KERNEL32(00000000,READY), ref: 001F54A7

Strings

READY, xrefs: 001F5460, 001F5468
NOTREADY, xrefs: 001F544B
UNKNOWN, xrefs: 001F5444
READONLY, xrefs: 001F5452
INVALID, xrefs: 001F5459

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: bb151c995089ac128b8b90b30c19924de317f38e526157891ccc6b5912a49310
Instruction ID: c5a5f6117b0fc2cf678851a97a5c58040688915d704256750ef1cb6f4a59ac5e
Opcode Fuzzy Hash: bb151c995089ac128b8b90b30c19924de317f38e526157891ccc6b5912a49310
Instruction Fuzzy Hash: 5731C375A00609DFC714DF68C488ABABBB5FF55305F148069E706CB292EB31DD82CBA1

Function 00213C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00213C79
SetMenu.USER32(?,00000000), ref: 00213C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00213D10
IsMenu.USER32(?), ref: 00213D24
CreatePopupMenu.USER32 ref: 00213D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00213D5B
DrawMenuBar.USER32 ref: 00213D63

Strings

0, xrefs: 00213C54
F, xrefs: 00213D4E

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: ef0945e33315eb2060a3f8f13ff91aebd1e9e097a5425b89a7ed6be907f14bf7
Instruction ID: 83bb7159ab89f38b2080ec90ad84c73cb1a86a69d32b079eb358d2d43593144d
Opcode Fuzzy Hash: ef0945e33315eb2060a3f8f13ff91aebd1e9e097a5425b89a7ed6be907f14bf7
Instruction Fuzzy Hash: 25418C78A1120AAFDB14CF64E848BDA77F6FF59304F144029E906A7360DB70AA20CF94

Function 001E1EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00189CB3: _wcslen.LIBCMT ref: 00189CBD

Part of subcall function 001E3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 001E3CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 001E1F64
GetDlgCtrlID.USER32 ref: 001E1F6F
GetParent.USER32 ref: 001E1F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 001E1F8E
GetDlgCtrlID.USER32(?), ref: 001E1F97
GetParent.USER32(?), ref: 001E1FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 001E1FAE

Strings

ListBox, xrefs: 001E1F21
ComboBox, xrefs: 001E1EEC

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 18d00c3bf89a1f69a6168db842fa6559b043d159e0bfe78482f532a5945cbca5
Instruction ID: a5251fc525669973ece609d0189b9bc1318261691ecb345bdcb8948954caacd1
Opcode Fuzzy Hash: 18d00c3bf89a1f69a6168db842fa6559b043d159e0bfe78482f532a5945cbca5
Instruction Fuzzy Hash: D221C274940254BFCF08AFA1DC89DFEBBB8EF66310B104115F96167291DB355918DFA0

Function 00213A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00213A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00213AA0
GetWindowLongW.USER32(?,000000F0), ref: 00213AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00213AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00213B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00213BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00213BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00213BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00213BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00213C13

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 560edb3d12467b4a541e3b038a7ed3f5856a38776612af879b975ba9a8ab81f2
Instruction ID: 8a4f571888d6f2bd768510d1b332de2157054f4f1472f98cab789013ccf1c241
Opcode Fuzzy Hash: 560edb3d12467b4a541e3b038a7ed3f5856a38776612af879b975ba9a8ab81f2
Instruction Fuzzy Hash: EF618975900248AFDB10DFA8CC85EEE77F9EB19314F10009AFA15A72A1D770AE95DB50

Function 001EB12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 001EB151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,001EA1E1,?,00000001), ref: 001EB165
GetWindowThreadProcessId.USER32(00000000), ref: 001EB16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,001EA1E1,?,00000001), ref: 001EB17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 001EB18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,001EA1E1,?,00000001), ref: 001EB1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,001EA1E1,?,00000001), ref: 001EB1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,001EA1E1,?,00000001), ref: 001EB1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,001EA1E1,?,00000001), ref: 001EB212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,001EA1E1,?,00000001), ref: 001EB21D

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: adbf990ac28ed89bd37485fbeccea16aa84b71f23df3899829989020becd46de
Instruction ID: 846a2c9e410ab4e33cdbb1a83fbff6ca0465f5e364cb7f16604b4452015b03c8
Opcode Fuzzy Hash: adbf990ac28ed89bd37485fbeccea16aa84b71f23df3899829989020becd46de
Instruction Fuzzy Hash: F131AC79544745BFDB10DF25FC8CBBE7BA9AF60352F208014FA01D6190DBB4AA008F68

Function 001B2C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 001B2C94

Part of subcall function 001B29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,001BD7D1,00000000,00000000,00000000,00000000,?,001BD7F8,00000000,00000007,00000000,?,001BDBF5,00000000), ref: 001B29DE
Part of subcall function 001B29C8: GetLastError.KERNEL32(00000000,?,001BD7D1,00000000,00000000,00000000,00000000,?,001BD7F8,00000000,00000007,00000000,?,001BDBF5,00000000,00000000), ref: 001B29F0

_free.LIBCMT ref: 001B2CA0
_free.LIBCMT ref: 001B2CAB
_free.LIBCMT ref: 001B2CB6
_free.LIBCMT ref: 001B2CC1
_free.LIBCMT ref: 001B2CCC
_free.LIBCMT ref: 001B2CD7
_free.LIBCMT ref: 001B2CE2
_free.LIBCMT ref: 001B2CED
_free.LIBCMT ref: 001B2CFB

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: e86c4a864dfde6dfad2a1f53aec72ae100cafa97669b073034b21b809b2e1e5d
Instruction ID: 21fed75265b7dbf4cc559d29f62ca1f03e3a5af7714f3a2d318c181da8d40b90
Opcode Fuzzy Hash: e86c4a864dfde6dfad2a1f53aec72ae100cafa97669b073034b21b809b2e1e5d
Instruction Fuzzy Hash: 7111A476100118BFCB02EF94D982CDD3BA5FF19354F4148A5FA489F222DB31EE549B90

Function 001F7DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 001F7FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 001F7FC1
GetFileAttributesW.KERNEL32(?), ref: 001F7FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 001F8005
SetCurrentDirectoryW.KERNEL32(?), ref: 001F8017
SetCurrentDirectoryW.KERNEL32(?), ref: 001F8060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 001F80B0

Strings

*.*, xrefs: 001F8066

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: 0c8a28f3761e224333877d66a571014141ba1301d4a20b29cfb3bcfc2040e713
Instruction ID: 3f870d7ac3521d73930c8d9f89d919573dc768b5ca6bf73e80126bfa629b48a9
Opcode Fuzzy Hash: 0c8a28f3761e224333877d66a571014141ba1301d4a20b29cfb3bcfc2040e713
Instruction Fuzzy Hash: B981CE725082099BCB24EF14C844ABEB3E8BF99314F544C5FFA85C7291EB34DD498B92

Function 00185BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00185C7A

Part of subcall function 00185D0A: GetClientRect.USER32(?,?), ref: 00185D30
Part of subcall function 00185D0A: GetWindowRect.USER32(?,?), ref: 00185D71
Part of subcall function 00185D0A: ScreenToClient.USER32(?,?), ref: 00185D99

GetDC.USER32 ref: 001C46F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 001C4708
SelectObject.GDI32(00000000,00000000), ref: 001C4716
SelectObject.GDI32(00000000,00000000), ref: 001C472B
ReleaseDC.USER32(?,00000000), ref: 001C4733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 001C47C4

Strings

U, xrefs: 001C4693

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: f6b82cd2c0d95aae58dd929ad2083e23ff2f1988a4f6e69a93bfca2c187ed2d2
Instruction ID: 7dd9931d4c52fd8be4d5a4d6eb12da0f31e67be7c0600dc9ec2b8a56cd2479fa
Opcode Fuzzy Hash: f6b82cd2c0d95aae58dd929ad2083e23ff2f1988a4f6e69a93bfca2c187ed2d2
Instruction Fuzzy Hash: D171DA34404204DFCF259F64C994FEA3BB6FF6A324F244269ED555A2AAC730C991DF60

Function 001F359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 001F35E4

Part of subcall function 00189CB3: _wcslen.LIBCMT ref: 00189CBD

LoadStringW.USER32(00252390,?,00000FFF,?), ref: 001F360A

Strings

Line %d (File "%s"):, xrefs: 001F366B
"%s" (%d) : ==> %s:, xrefs: 001F3742
Error: , xrefs: 001F36EF
"%s" (%d) : ==> %s:%s%s, xrefs: 001F3724
^ ERROR, xrefs: 001F36C9

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: d65cf03d61c28f7d5235e8e0de9001299b5ef8ae2cdf6edc1181baa7f9b1fbeb
Instruction ID: c9520b348b8593a0e5a40bd0316dd3f19116c5164778a538ef972ea34b28a837
Opcode Fuzzy Hash: d65cf03d61c28f7d5235e8e0de9001299b5ef8ae2cdf6edc1181baa7f9b1fbeb
Instruction Fuzzy Hash: AB517D7180020ABADF14FBA0DC46EFEBB78AF25300F184165F615721A1EB311B99DFA1

Function 001FC253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 001FC272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 001FC29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 001FC2CA
GetLastError.KERNEL32 ref: 001FC322
SetEvent.KERNEL32(?), ref: 001FC336
InternetCloseHandle.WININET(00000000), ref: 001FC341

Strings

, xrefs: 001FC2BB

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 8fa7bcb50413002c58c0ceae5abc5f2a38447e9c8efe39730b567041d99bf861
Instruction ID: 5f642b9ac18ecf5b4a8bc45a8d2deebbcb94bbefd814d1b0f9241d99c06d6d13
Opcode Fuzzy Hash: 8fa7bcb50413002c58c0ceae5abc5f2a38447e9c8efe39730b567041d99bf861
Instruction Fuzzy Hash: EF31AEB560020CAFD7219F649E88ABBBBFCFB59784F14851EF546D2240DB30DD05ABA1

Function 001E989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,001C3AAF,?,?,Bad directive syntax error,0021CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 001E98BC
LoadStringW.USER32(00000000,?,001C3AAF,?), ref: 001E98C3

Part of subcall function 00189CB3: _wcslen.LIBCMT ref: 00189CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 001E9987

Strings

Line %d (File "%s"):, xrefs: 001E992D
., xrefs: 001E996D
%s (%d) : ==> %s.: %s %s, xrefs: 001E98F1
Error: , xrefs: 001E9955
Line %d:, xrefs: 001E9912

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: b3d803915e041b8af871d94a2788790acdba58401fda4be2ad408bf786f44f29
Instruction ID: 9335af832397d34f3dfe474677ad333fffde8ce743db6e228c657d7d2af63f6f
Opcode Fuzzy Hash: b3d803915e041b8af871d94a2788790acdba58401fda4be2ad408bf786f44f29
Instruction Fuzzy Hash: FC21AD3284021ABBCF15AF90CC0AEEE7739BF29704F084469F515660A2EB319B28DF11

Function 001E209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 001E20AB
GetClassNameW.USER32(00000000,?,00000100), ref: 001E20C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 001E214D

Strings

list, xrefs: 001E212F
smallicons, xrefs: 001E2115
largeicons, xrefs: 001E20E1
details, xrefs: 001E20FB
SHELLDLL_DefView, xrefs: 001E20CC

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 44f08dd8cfd26b7c348baef8fe57e38d436752326862e12f9fb4c8f274cd68cd
Instruction ID: f23f88b3b002058e31e47364d47da768e142b56cd7f8576b6c11e77d9ffb19f1
Opcode Fuzzy Hash: 44f08dd8cfd26b7c348baef8fe57e38d436752326862e12f9fb4c8f274cd68cd
Instruction Fuzzy Hash: 95115C7E2C8B56BBF6092321EC1BDEE339CCB16728B200016F705A50E6FFB159115514

Function 001B8D45 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6a7472c552cadfa919779b8d792b95b503247e7616fa6f01cbc7897fb2f86a9
Instruction ID: e162a0a3fa98ded364c15e60ea0c2588a42fe943e6ae680b99dee1c16198b55f
Opcode Fuzzy Hash: b6a7472c552cadfa919779b8d792b95b503247e7616fa6f01cbc7897fb2f86a9
Instruction Fuzzy Hash: E3C1D374904349AFDB11EFE8D885BEDBBB8AF19310F144199F919A7392CB309942CB61

Function 001BCE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 001BCEB7
_free.LIBCMT ref: 001BCF22
_free.LIBCMT ref: 001BCF48
_free.LIBCMT ref: 001BCF71
_free.LIBCMT ref: 001BCFA9
_free.LIBCMT ref: 001BCFDA
_free.LIBCMT ref: 001BD01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 001BD09C
_free.LIBCMT ref: 001BD0B5

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 85a9fe05d4b1451f6086dab6f991827fd5c11d1064f44f90ab7d6529780c619b
Instruction ID: 2844749ea7667ed65a9076e278a7cc9eb60b62ed8278fe896437779527d0b06e
Opcode Fuzzy Hash: 85a9fe05d4b1451f6086dab6f991827fd5c11d1064f44f90ab7d6529780c619b
Instruction Fuzzy Hash: C9617571A04310AFDB25AFB4EC85AFA7BA6EF12720F0441ADF80497282EB319D0187D4

Function 002150D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00215186
ShowWindow.USER32(?,00000000), ref: 002151C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 002151CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 002151D1

Part of subcall function 00216FBA: DeleteObject.GDI32(00000000), ref: 00216FE6

GetWindowLongW.USER32(?,000000F0), ref: 0021520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0021521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0021524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00215287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00215296

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: 9c7704ebada0cd550670fa1f17974524851bf42c5e194143a3f39dcc2f5db43b
Instruction ID: 34d69c5a0b84cf92bacf35d9d8cac20e2ee85d7acd9722000dc2b52b5dffe862
Opcode Fuzzy Hash: 9c7704ebada0cd550670fa1f17974524851bf42c5e194143a3f39dcc2f5db43b
Instruction Fuzzy Hash: CE51E735A70629FEEF259F24CC49BD837E5EBA5311F104081F918962E0C7B599E0DF40

Function 00198B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 001D6890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 001D68A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 001D68B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 001D68D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 001D68F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00198874,00000000,00000000,00000000,000000FF,00000000), ref: 001D6901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 001D691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00198874,00000000,00000000,00000000,000000FF,00000000), ref: 001D692D

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 63fb1eb863074ea34426b94719b3f44da22e94ca5a26934f5ca11fd81a199d75
Instruction ID: cbe5ef278110d5d1a582498e0cf15fa7749451b08f79fa56912833847a2301bd
Opcode Fuzzy Hash: 63fb1eb863074ea34426b94719b3f44da22e94ca5a26934f5ca11fd81a199d75
Instruction Fuzzy Hash: 89517774600309EFDF28CF24DC99FAA7BB6EB68754F244519F902972A0DB70E990DB50

Function 001FC143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 001FC182
GetLastError.KERNEL32 ref: 001FC195
SetEvent.KERNEL32(?), ref: 001FC1A9

Part of subcall function 001FC253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 001FC272
Part of subcall function 001FC253: GetLastError.KERNEL32 ref: 001FC322
Part of subcall function 001FC253: SetEvent.KERNEL32(?), ref: 001FC336
Part of subcall function 001FC253: InternetCloseHandle.WININET(00000000), ref: 001FC341

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: a676cb5294a499668f5a3bb16e8c6414bd814afb64cf5cea70b4441639341291
Instruction ID: aa6a18c4cc0e3f7b47eed1862c3e35a5b52d07275691746dd0d7c670fce818e1
Opcode Fuzzy Hash: a676cb5294a499668f5a3bb16e8c6414bd814afb64cf5cea70b4441639341291
Instruction Fuzzy Hash: 5B31B67514060DEFDB219FA5DE48AB7BBF9FF64300B14841DFA5682611CB31D814EBA0

Function 001E25A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 001E3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 001E3A57
Part of subcall function 001E3A3D: GetCurrentThreadId.KERNEL32 ref: 001E3A5E
Part of subcall function 001E3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,001E25B3), ref: 001E3A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 001E25BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 001E25DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 001E25DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 001E25E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 001E2601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 001E2605
MapVirtualKeyW.USER32(00000025,00000000), ref: 001E260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 001E2623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 001E2627

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: d013e941c5a9e31bad5be151e49fb53cf6f41af611ab937c8c9b01850f8073d5
Instruction ID: f8aa6275eacc584f6e40f380201099dd3ed09473d6a73713c62ef6ac24ac5d22
Opcode Fuzzy Hash: d013e941c5a9e31bad5be151e49fb53cf6f41af611ab937c8c9b01850f8073d5
Instruction Fuzzy Hash: 7201B5302D0754BBFB1067699C8EF993E9DDBAEB11F204011F318AF0D1CEF114448A69

Function 001E1803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,001E1449,?,?,00000000), ref: 001E180C
HeapAlloc.KERNEL32(00000000,?,001E1449,?,?,00000000), ref: 001E1813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,001E1449,?,?,00000000), ref: 001E1828
GetCurrentProcess.KERNEL32(?,00000000,?,001E1449,?,?,00000000), ref: 001E1830
DuplicateHandle.KERNEL32(00000000,?,001E1449,?,?,00000000), ref: 001E1833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,001E1449,?,?,00000000), ref: 001E1843
GetCurrentProcess.KERNEL32(001E1449,00000000,?,001E1449,?,?,00000000), ref: 001E184B
DuplicateHandle.KERNEL32(00000000,?,001E1449,?,?,00000000), ref: 001E184E
CreateThread.KERNEL32(00000000,00000000,001E1874,00000000,00000000,00000000), ref: 001E1868

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 7378dc7c7273ae20239cd9a96aea494c4af035c158b70e5c510520f4e4776610
Instruction ID: adf45ec4f5ab894cc36ba49139924f328cfd84845de5f219f471833310ad2d0b
Opcode Fuzzy Hash: 7378dc7c7273ae20239cd9a96aea494c4af035c158b70e5c510520f4e4776610
Instruction Fuzzy Hash: D901BFB92C0344BFE710AB65EC4DF9B7B6CEB99B11F108411FA05DB191CA709800CB60

Function 0020A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 001ED4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 001ED501
Part of subcall function 001ED4DC: Process32FirstW.KERNEL32(00000000,?), ref: 001ED50F
Part of subcall function 001ED4DC: CloseHandle.KERNELBASE(00000000), ref: 001ED5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0020A16D
GetLastError.KERNEL32 ref: 0020A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0020A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 0020A268
GetLastError.KERNEL32(00000000), ref: 0020A273
CloseHandle.KERNEL32(00000000), ref: 0020A2C4

Strings

SeDebugPrivilege, xrefs: 0020A18F

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 3dcdd537ea2b425d8907a432b4257ab7e78b7d9c3ef5657666f85399d1ac8a17
Instruction ID: a919dc0a2290aa882a8e9355b28c0b91b9a19f6f59dcc40475f6f72d3d374cb5
Opcode Fuzzy Hash: 3dcdd537ea2b425d8907a432b4257ab7e78b7d9c3ef5657666f85399d1ac8a17
Instruction Fuzzy Hash: 1B618C34214342AFD710DF18D494F1ABBA1AF54318F54849CE86A8B7E3C772ED45CB92

Function 00213886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00213925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 0021393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00213954
_wcslen.LIBCMT ref: 00213999
SendMessageW.USER32(?,00001057,00000000,?), ref: 002139C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 002139F4

Strings

SysListView32, xrefs: 002138F7

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: 0f983d70cb200a8275a16177a271d9b38ec9d27f74b835875e154509ccc29c0c
Instruction ID: afe5fbfbf395b2d42d53138e101763690cd77015c46092520b03fbb94936b295
Opcode Fuzzy Hash: 0f983d70cb200a8275a16177a271d9b38ec9d27f74b835875e154509ccc29c0c
Instruction Fuzzy Hash: AF41D631A10219ABEF21DF64CC49BEA77EAEF68350F100526F958E7281D7719DA0CB90

Function 001EBC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 001EBCFD
IsMenu.USER32(00000000), ref: 001EBD1D
CreatePopupMenu.USER32 ref: 001EBD53
GetMenuItemCount.USER32(012D55B8), ref: 001EBDA4
InsertMenuItemW.USER32(012D55B8,?,00000001,00000030), ref: 001EBDCC

Strings

2, xrefs: 001EBD37
0, xrefs: 001EBCA8

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 60699fee11ea3c370bbbfb2cdfe260e8349a5af7a9a906ceeb219b7339485248
Instruction ID: 677d2b2d9a20cef2973698123500bf9dd43f4944f4422824b2fca756a2b40cc0
Opcode Fuzzy Hash: 60699fee11ea3c370bbbfb2cdfe260e8349a5af7a9a906ceeb219b7339485248
Instruction Fuzzy Hash: 3151BF70A08A89ABDB14CFEADCC8BAFBBF5BF55318F248119E411A7290D7709941CB51

Function 001EC874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 001EC913

Strings

question, xrefs: 001EC8CC
stop, xrefs: 001EC8E4
info, xrefs: 001EC8B4
blank, xrefs: 001EC895
warning, xrefs: 001EC8FC

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 834e82fc625b1978aa438eaa9ee54258d48ffe2ac810c2394195209de29e3027
Instruction ID: 00bb67de1c42e42d36989d4d43284bf5d5e76e81854571c7b6b24c8976b95805
Opcode Fuzzy Hash: 834e82fc625b1978aa438eaa9ee54258d48ffe2ac810c2394195209de29e3027
Instruction Fuzzy Hash: C9113A36689B47BBE7089B15DC83CAE67DCDF27318B21002EF501A61C3E7B45E0252E9

Function 001EDE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 001EDE42
gethostname.WSOCK32(?,00000100), ref: 001EDE5C
gethostbyname.WSOCK32(?), ref: 001EDE69
inet_ntoa.WSOCK32(?), ref: 001EDEAB
_strcat.LIBCMT ref: 001EDEB9
WSACleanup.WSOCK32 ref: 001EDEDE

Strings

0.0.0.0, xrefs: 001EDE87

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: 274340d6191e52db6a543af64b0e51d447cc6e97c461f2416e8a413af981ff93
Instruction ID: fd20d71ca178da39676cdcc682cb5e70e80bac6c5e365e6f246161c2a2c7b583
Opcode Fuzzy Hash: 274340d6191e52db6a543af64b0e51d447cc6e97c461f2416e8a413af981ff93
Instruction Fuzzy Hash: 74112639904114AFDB25AB71FC4EEEF77BCDF66710F1101A9F405EA091EFB18A818A60

Function 00219F86 Relevance: 12.3, APIs: 8, Instructions: 260windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00199BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00199BB2

GetSystemMetrics.USER32(0000000F), ref: 00219FC7
GetSystemMetrics.USER32(0000000F), ref: 00219FE7
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0021A224
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0021A242
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0021A263
ShowWindow.USER32(00000003,00000000), ref: 0021A282
InvalidateRect.USER32(?,00000000,00000001), ref: 0021A2A7
DefDlgProcW.USER32(?,00000005,?,?), ref: 0021A2CA

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: e8e8d47d165244ce7a858e7fc954e815b78853b289769106da33bec6061dc54f
Instruction ID: 1f6277161a44b48f8d9c1e70168fa255d09870bf39d90a0e3bf6a8e615edfaf7
Opcode Fuzzy Hash: e8e8d47d165244ce7a858e7fc954e815b78853b289769106da33bec6061dc54f
Instruction Fuzzy Hash: 98B1CC31601216EFDF14CF68C9897EE3BF2BF64701F188069EC49AB295D771A9A0CB51

Function 001EED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 001EED2A
_wcslen.LIBCMT ref: 001EED3B
_wcslen.LIBCMT ref: 001EED79
_wcslen.LIBCMT ref: 001EEDAF
_wcslen.LIBCMT ref: 001EEDDF
_wcslen.LIBCMT ref: 001EEDEF
_wcslen.LIBCMT ref: 001EEE2B
_wcslen.LIBCMT ref: 001EEE5A

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 17a277ea7ce265c67ed253a7c15f8295ac9ce2508a8861f93d07f888a748f52c
Instruction ID: 2178fcc4bb0f5c9bddbe59b66554663f1c6e4d196593f654489550a34d17c54b
Opcode Fuzzy Hash: 17a277ea7ce265c67ed253a7c15f8295ac9ce2508a8861f93d07f888a748f52c
Instruction Fuzzy Hash: FF41A069C10658B6CB11EBF4CC8AACFB7ACAF56310F548462F518E3121FB34E255C3A5

Function 0019F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,001D682C,00000004,00000000,00000000), ref: 0019F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,001D682C,00000004,00000000,00000000), ref: 001DF3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,001D682C,00000004,00000000,00000000), ref: 001DF454

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 976953ed494f99fa9bfd57438e24fd2d6e0a4a5048e4adcfc690c638e2df1960
Instruction ID: 0e5950ac001bfdef4fa4e216185635a458c69d06a32d2093bf95a45aa6449ce8
Opcode Fuzzy Hash: 976953ed494f99fa9bfd57438e24fd2d6e0a4a5048e4adcfc690c638e2df1960
Instruction Fuzzy Hash: 00412A31618680FECF399B2DD88C76A7B96BB56318F15843DF087D6660C772A983CB11

Function 00212D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00212D1B
GetDC.USER32(00000000), ref: 00212D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00212D2E
ReleaseDC.USER32(00000000,00000000), ref: 00212D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00212D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00212D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00215A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00212DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00212DE1

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: bf59379984e8beaf3d0453a6774fcbf6a27f787662e25b5363980aa482322241
Instruction ID: 0bf5776185cebb657e642a2779bd8cb4d85be99cbb6ead10e2be183cba8aea8d
Opcode Fuzzy Hash: bf59379984e8beaf3d0453a6774fcbf6a27f787662e25b5363980aa482322241
Instruction Fuzzy Hash: E631BF76251214BFEB144F10EC89FEB3BADEF59711F148055FE089A291CA758C60CBA0

Function 001E5622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 001E5637
_memcmp.LIBVCRUNTIME ref: 001E5659
_memcmp.LIBVCRUNTIME ref: 001E5671
_memcmp.LIBVCRUNTIME ref: 001E5684
_memcmp.LIBVCRUNTIME ref: 001E569E
_memcmp.LIBVCRUNTIME ref: 001E56B1
_memcmp.LIBVCRUNTIME ref: 001E56C9
_memcmp.LIBVCRUNTIME ref: 001E56E4

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 1232b9acc94d3e98883531ae7e34782102553b8b05335a91a47f99401e4b8b56
Instruction ID: aad682d01e70a9c4c072f73bfb1202a44e32545844190b88e6e824f3b0b22e87
Opcode Fuzzy Hash: 1232b9acc94d3e98883531ae7e34782102553b8b05335a91a47f99401e4b8b56
Instruction Fuzzy Hash: D1219565A50E497B97189A228E92FFF339FBE3A39CF540021FD049A581F760ED6081E5

Function 00204FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 00205007
NULL Pointer assignment, xrefs: 0020502E, 00205383

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 1782868e9120c314d0a5783a4e61999b71dd8e70989476b512788857326d4fdc
Instruction ID: 2258cf76653e22f3d9879ab07bc9f9cb51d1784cfdb0f0a23fa16b55bf7988ef
Opcode Fuzzy Hash: 1782868e9120c314d0a5783a4e61999b71dd8e70989476b512788857326d4fdc
Instruction Fuzzy Hash: 2BD1B175A1071AAFDF10CFA8C881BAEB7B5BF48344F148069E915AB282E770DD55CF90

Function 001C1522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?), ref: 001C15CE
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 001C1651
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 001C16E4
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 001C16FB

Part of subcall function 001B3820: RtlAllocateHeap.NTDLL(00000000,?,00251444,?,0019FDF5,?,?,0018A976,00000010,00251440,001813FC,?,001813C6,?,00181129), ref: 001B3852

MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 001C1777
__freea.LIBCMT ref: 001C17A2
__freea.LIBCMT ref: 001C17AE

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 50fc3e37401767ccbe7f6defab4a7ebfcfedfec34f12fe91bd717af64f9727b1
Instruction ID: a1d0044614d0da300c02748d40219f8493bb6e2ce8a2a57d6d12afbe8a5274ff
Opcode Fuzzy Hash: 50fc3e37401767ccbe7f6defab4a7ebfcfedfec34f12fe91bd717af64f9727b1
Instruction Fuzzy Hash: C291A472E80216BADF248E64C891FEE7BB5AF6B310F18465DE905E7142DB35DC40CB60

Function 00204523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00204648
VariantInit.OLEAUT32(?), ref: 00204749
VariantClear.OLEAUT32(?), ref: 00204753
VariantClear.OLEAUT32(?), ref: 002047B0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 0020472C
Null Object assignment in FOR..IN loop, xrefs: 002045D8, 00204706, 002047BE

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: cc4043754c86b8cd01c1966ed282f5039f4fac7efbf5e827896b4f70fff822c1
Instruction ID: 9b236b97faf785d04085a545e87faf14c37304ef328421cba9b11abea00d7b27
Opcode Fuzzy Hash: cc4043754c86b8cd01c1966ed282f5039f4fac7efbf5e827896b4f70fff822c1
Instruction Fuzzy Hash: FA91D1B0A10315ABDF24DFA4C844FAEBBB8EF46710F108559F615AB292D7709951CFA0

Function 001F1187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 001F125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 001F1284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 001F12A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 001F12D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 001F135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 001F13C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 001F1430

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: b08a754a4879098ca0aa846ebd071c242707aa90c87fee4dcf77d9b2d8bfb90f
Instruction ID: cde4c7a8cb2f6fff935804a9028b032ecc83cc0c3129f27fe5892095452be370
Opcode Fuzzy Hash: b08a754a4879098ca0aa846ebd071c242707aa90c87fee4dcf77d9b2d8bfb90f
Instruction Fuzzy Hash: 6891CF76A00209EFDB05DFA8D884BFEB7B5FF55325F214029EA10EB291D774A941CB90

Function 0019948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: cbb01922c5906a73b08ff5ccde44a7a810d5702ea1371517aad8bca0de24c825
Instruction ID: 615b536176d8de7369d200d3a06ba57aebc4e84274cc710fef846aa4c99a75df
Opcode Fuzzy Hash: cbb01922c5906a73b08ff5ccde44a7a810d5702ea1371517aad8bca0de24c825
Instruction Fuzzy Hash: D1914671D40219EFDF14CFA9C888AEEBBB8FF49320F25814AE515B7291D734A941CB60

Function 00203947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0020396B
CharUpperBuffW.USER32(?,?), ref: 00203A7A
_wcslen.LIBCMT ref: 00203A8A
VariantClear.OLEAUT32(?), ref: 00203C1F

Part of subcall function 001F0CDF: VariantInit.OLEAUT32(00000000), ref: 001F0D1F
Part of subcall function 001F0CDF: VariantCopy.OLEAUT32(?,?), ref: 001F0D28
Part of subcall function 001F0CDF: VariantClear.OLEAUT32(?), ref: 001F0D34

Strings

Incorrect Parameter format, xrefs: 002039A6, 00203BA1
AUTOIT.ERROR, xrefs: 00203A80, 00203A85

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: e6c6df2f4b4f5cf4931e5dcb9a8ca8afdaebddf18b6f21b4a448406e9416c1b1
Instruction ID: 841bec2750669e8c5ef540bbe4f3c3a13aa297d70c124bf74ffff06df5db6edc
Opcode Fuzzy Hash: e6c6df2f4b4f5cf4931e5dcb9a8ca8afdaebddf18b6f21b4a448406e9416c1b1
Instruction Fuzzy Hash: 1E9149746183059FC704EF24C48096AB7E8FF99318F14882DF8999B392DB31EE55CB92

Function 00204BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 001E000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,001DFF41,80070057,?,?,?,001E035E), ref: 001E002B
Part of subcall function 001E000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,001DFF41,80070057,?,?), ref: 001E0046
Part of subcall function 001E000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,001DFF41,80070057,?,?), ref: 001E0054
Part of subcall function 001E000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,001DFF41,80070057,?), ref: 001E0064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00204C51
_wcslen.LIBCMT ref: 00204D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00204DCF
CoTaskMemFree.OLE32(?), ref: 00204DDA

Strings

NULL Pointer assignment, xrefs: 00204E23, 00204E52

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 4233a58510704a0e0a9a04e7566e77931606d2537f05825c4ece31704f50fbc8
Instruction ID: d29759ab542c98e0893d32251a5b13e6b0785132ee334a54a35389884ebe4072
Opcode Fuzzy Hash: 4233a58510704a0e0a9a04e7566e77931606d2537f05825c4ece31704f50fbc8
Instruction Fuzzy Hash: 0B913AB1D0021D9FDF15EFA4D890AEEB7B8BF18304F10816AE915B7291EB709A54CF60

Function 002120FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00212183
GetMenuItemCount.USER32(00000000), ref: 002121B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 002121DD
_wcslen.LIBCMT ref: 00212213
GetMenuItemID.USER32(?,?), ref: 0021224D
GetSubMenu.USER32(?,?), ref: 0021225B

Part of subcall function 001E3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 001E3A57
Part of subcall function 001E3A3D: GetCurrentThreadId.KERNEL32 ref: 001E3A5E
Part of subcall function 001E3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,001E25B3), ref: 001E3A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 002122E3

Part of subcall function 001EE97B: Sleep.KERNEL32 ref: 001EE9F3

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: e69b6ab2e27cc8431cf4e9bb7b12e01edb3a3c44ada3eeafb19e324ef3b28cee
Instruction ID: d037a3d87d8be9b8c2fac10ea36d662873f65668a27c706987255644515a7aee
Opcode Fuzzy Hash: e69b6ab2e27cc8431cf4e9bb7b12e01edb3a3c44ada3eeafb19e324ef3b28cee
Instruction Fuzzy Hash: 2B718E35A10205EFCB10EF68C845AEEB7F5EF68310F148458F816EB341DB74AA918B90

Function 00217E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(012D5590), ref: 00217F37
IsWindowEnabled.USER32(012D5590), ref: 00217F43
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 0021801E
SendMessageW.USER32(012D5590,000000B0,?,?), ref: 00218051
IsDlgButtonChecked.USER32(?,?), ref: 00218089
GetWindowLongW.USER32(012D5590,000000EC), ref: 002180AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 002180C3

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 23b7e3a4b18da57226a03992e8dd37fcf25a1472d6fb3a4784aa959b7780d513
Instruction ID: 6ba7e5718adde22faceffa1fd4e831889a4c1c0470b365496e2932ba4746a5da
Opcode Fuzzy Hash: 23b7e3a4b18da57226a03992e8dd37fcf25a1472d6fb3a4784aa959b7780d513
Instruction Fuzzy Hash: 1D71C235618205AFEB249F64C8C4FEB7BF9EFA9300F144059F94553261CB31ADA6CB10

Function 001EAEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 001EAEF9
GetKeyboardState.USER32(?), ref: 001EAF0E
SetKeyboardState.USER32(?), ref: 001EAF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 001EAF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 001EAFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 001EAFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 001EB020

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 9b8a00d2bd41cc948cbb8c1a7ebd0f28414269b005a5978c74190de61081ae78
Instruction ID: e89780d63e6afcb16519642afddb481e1c93b628b0ddcbdebba827c47288e885
Opcode Fuzzy Hash: 9b8a00d2bd41cc948cbb8c1a7ebd0f28414269b005a5978c74190de61081ae78
Instruction Fuzzy Hash: 9A51B1A0608BD53DFB3683368885BBFBEA95F06704F088589F2D9558D2C798BCC8D751

Function 001EACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 001EAD19
GetKeyboardState.USER32(?), ref: 001EAD2E
SetKeyboardState.USER32(?), ref: 001EAD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 001EADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 001EADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 001EAE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 001EAE38

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 1e3da9a84fcf0314b689cd64d17989acc9a6b96c6141fdca51bf36e2ed1b61ca
Instruction ID: 75c71725a8743eda32b993b1380f08dd5bfda46b93958586d592b16c4305a94a
Opcode Fuzzy Hash: 1e3da9a84fcf0314b689cd64d17989acc9a6b96c6141fdca51bf36e2ed1b61ca
Instruction Fuzzy Hash: 6B5116A0548BD53DFB3783768C95BBEBEA96F46300F488488E1D5468C2C394FC88D762

Function 001B542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(001C3CD6,?,?,?,?,?,?,?,?,001B5BA3,?,?,001C3CD6,?,?), ref: 001B5470
__fassign.LIBCMT ref: 001B54EB
__fassign.LIBCMT ref: 001B5506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,001C3CD6,00000005,00000000,00000000), ref: 001B552C
WriteFile.KERNEL32(?,001C3CD6,00000000,001B5BA3,00000000,?,?,?,?,?,?,?,?,?,001B5BA3,?), ref: 001B554B
WriteFile.KERNEL32(?,?,00000001,001B5BA3,00000000,?,?,?,?,?,?,?,?,?,001B5BA3,?), ref: 001B5584

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 8f16cf400e049523cfa7137b6d341cfbff6bbe87a815c11a4ca2fc066ace3e89
Instruction ID: 652a2c4d86798449743e04dbf94a79c32bb42956ffabcec25b9204df2fe9eabc
Opcode Fuzzy Hash: 8f16cf400e049523cfa7137b6d341cfbff6bbe87a815c11a4ca2fc066ace3e89
Instruction Fuzzy Hash: 4751E570900648AFDB21CFA8DC85BEEBBFAEF09301F14411AF555E7291D7309A51CB60

Function 001A2D20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 001A2D4B
___except_validate_context_record.LIBVCRUNTIME ref: 001A2D53
_ValidateLocalCookies.LIBCMT ref: 001A2DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 001A2E0C
_ValidateLocalCookies.LIBCMT ref: 001A2E61

Strings

csm, xrefs: 001A2DF6

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 90f614e840640fe9ea72a32003b78d5f9377bdb5872381b0d8e28feec9bb057a
Instruction ID: b51b636a5903340e6a19da6ef17a1f9b0c134e37089a785071205b5eeaf733d7
Opcode Fuzzy Hash: 90f614e840640fe9ea72a32003b78d5f9377bdb5872381b0d8e28feec9bb057a
Instruction Fuzzy Hash: C841B238A00209ABCF14DFACC885A9EBBB5BF46324F148155F8146B393D735EA15CB90

Function 002010B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0020304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0020307A
Part of subcall function 0020304E: _wcslen.LIBCMT ref: 0020309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00201112
WSAGetLastError.WSOCK32 ref: 00201121
WSAGetLastError.WSOCK32 ref: 002011C9
closesocket.WSOCK32(00000000), ref: 002011F9

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 3923b8afa645ad1805ae80523cbcf1d7645435b0a4ce56a3093cc643a6c05bc3
Instruction ID: dbaf270c243bc90dbdb75b07b8e8a5128308f6f476e29ee3d1fafd6fba23c599
Opcode Fuzzy Hash: 3923b8afa645ad1805ae80523cbcf1d7645435b0a4ce56a3093cc643a6c05bc3
Instruction Fuzzy Hash: F141E435610205AFDB149F14D884BAAF7E9EF45324F248059F9199B2D2CB70EE51CBE0

Function 001ECF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 001EDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,001ECF22,?), ref: 001EDDFD

Part of subcall function 001EDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,001ECF22,?), ref: 001EDE16

lstrcmpiW.KERNEL32(?,?), ref: 001ECF45
MoveFileW.KERNEL32(?,?), ref: 001ECF7F
_wcslen.LIBCMT ref: 001ED005
_wcslen.LIBCMT ref: 001ED01B
SHFileOperationW.SHELL32(?), ref: 001ED061

Strings

\*.*, xrefs: 001ECFF3

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 498094c31e6219ab9c64cb98bbaf91c742b8b83aaecc8f74f45d32de731311d3
Instruction ID: 9d1116488bc65c24f7e7aa2f8ccc5cb8b00d073355186deae2cd2f972b20fb94
Opcode Fuzzy Hash: 498094c31e6219ab9c64cb98bbaf91c742b8b83aaecc8f74f45d32de731311d3
Instruction Fuzzy Hash: A241947584525C9FDF12EBA4DD81ADEB7B8AF18380F1000E6E505EB142EB34AB89CB50

Function 00212DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00212E1C
GetWindowLongW.USER32(?,000000F0), ref: 00212E4F
GetWindowLongW.USER32(?,000000F0), ref: 00212E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00212EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00212EE0
GetWindowLongW.USER32(?,000000F0), ref: 00212EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00212F0B

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 1c546561cc86b49a0be8d1f4d380afd98630e39542013e3362b66d782b9077d8
Instruction ID: c449b868a78b4a0a09fd7a1963a3a5623ec25e3d358a6702dee945a739ebcf74
Opcode Fuzzy Hash: 1c546561cc86b49a0be8d1f4d380afd98630e39542013e3362b66d782b9077d8
Instruction Fuzzy Hash: 2C311234654251EFDB218F18EC88FA537E5EBAA711F244164F9109B2B2CB71FCA49B40

Function 001E7726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 001E7769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 001E778F
SysAllocString.OLEAUT32(00000000), ref: 001E7792
SysAllocString.OLEAUT32(?), ref: 001E77B0
SysFreeString.OLEAUT32(?), ref: 001E77B9
StringFromGUID2.OLE32(?,?,00000028), ref: 001E77DE
SysAllocString.OLEAUT32(?), ref: 001E77EC

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 7af1ac138003af8554cc2567fb5a6e3d7f5b84daf8f6da5cffe68b1413d53132
Instruction ID: 756f8287e841b5f294cacad9bfd3d7606ca10f55aab3c615d8ef0eddd23c0060
Opcode Fuzzy Hash: 7af1ac138003af8554cc2567fb5a6e3d7f5b84daf8f6da5cffe68b1413d53132
Instruction Fuzzy Hash: 1121947AA08219AFEB10AFA9DC8CCFF73ACEB093647148025B904DB190D7709C818760

Function 001E77FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 001E7842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 001E7868
SysAllocString.OLEAUT32(00000000), ref: 001E786B
SysAllocString.OLEAUT32 ref: 001E788C
SysFreeString.OLEAUT32 ref: 001E7895
StringFromGUID2.OLE32(?,?,00000028), ref: 001E78AF
SysAllocString.OLEAUT32(?), ref: 001E78BD

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 11fd2ba3a2ceef3daf9f1c7283de39da9afeeb1bb59362d0b84ac0eed4c8834d
Instruction ID: a55cf13529896fa6e1320defbea2abb578bc5449732acb9c2ee86055cf2e8084
Opcode Fuzzy Hash: 11fd2ba3a2ceef3daf9f1c7283de39da9afeeb1bb59362d0b84ac0eed4c8834d
Instruction Fuzzy Hash: A321BD35608214BFEB14AFA9DC8CDAE77ECEB283607208025F915CB2A0DB70DC41CB64

Function 001F04D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 001F04F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 001F052E

Strings

nul, xrefs: 001F0567

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: caff43b2bd8b50747f83dfa6e98e64248ef0cdcae0bab732e26e80a2001a0e91
Instruction ID: 6775858b2854d2dad1cfb4772ee16fdf7b3a6090250b38d32001a223942a90fd
Opcode Fuzzy Hash: caff43b2bd8b50747f83dfa6e98e64248ef0cdcae0bab732e26e80a2001a0e91
Instruction Fuzzy Hash: 5B218D75600309AFDF219F29DC08AAA77A4BF59724F204A19FEA1D72E1D7B0D940CF60

Function 001F05A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 001F05C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 001F0601

Strings

nul, xrefs: 001F0639

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: f65b4bc0e5feb21d8089e89d31ce811e8c987587667170027e2a72e993f47792
Instruction ID: 28f439b339ccf1355a06ef0189ef7282b57564c1cb0797da865424b76d33cd66
Opcode Fuzzy Hash: f65b4bc0e5feb21d8089e89d31ce811e8c987587667170027e2a72e993f47792
Instruction Fuzzy Hash: 1E21B7755003199FDB219F68DC04AAA77E4BF99730F204A19FEA1D72E1DBB09860CB50

Function 002140AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0018600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0018604C
Part of subcall function 0018600E: GetStockObject.GDI32(00000011), ref: 00186060
Part of subcall function 0018600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0018606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00214112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0021411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0021412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00214139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00214145

Strings

Msctls_Progress32, xrefs: 002140E3

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 551d96f6b0ab5f6d416c5ed69fb717584545e1f02bfbe24ae4d8d9744d0dde68
Instruction ID: ed1a344892a8d6a60a45510712fa72e1aab4049c0fa63db8ace8f6d3a007bf16
Opcode Fuzzy Hash: 551d96f6b0ab5f6d416c5ed69fb717584545e1f02bfbe24ae4d8d9744d0dde68
Instruction Fuzzy Hash: 6511B2B215021ABEEF119F64CC85EE77F9DEF19798F104110BA18A6050CB729C61DBA4

Function 001BD7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 001BD7A3: _free.LIBCMT ref: 001BD7CC

_free.LIBCMT ref: 001BD82D

Part of subcall function 001B29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,001BD7D1,00000000,00000000,00000000,00000000,?,001BD7F8,00000000,00000007,00000000,?,001BDBF5,00000000), ref: 001B29DE
Part of subcall function 001B29C8: GetLastError.KERNEL32(00000000,?,001BD7D1,00000000,00000000,00000000,00000000,?,001BD7F8,00000000,00000007,00000000,?,001BDBF5,00000000,00000000), ref: 001B29F0

_free.LIBCMT ref: 001BD838
_free.LIBCMT ref: 001BD843
_free.LIBCMT ref: 001BD897
_free.LIBCMT ref: 001BD8A2
_free.LIBCMT ref: 001BD8AD
_free.LIBCMT ref: 001BD8B8

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: cfbe860d1a3e488eb8047d251e91452b56a922e058cd627b1e906bebb77116e1
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: 30112671940B14BADA25BFF0DC46FCB7B9CAF20704F400C25F29DA6092EB75A5098662

Function 001EDA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 001EDA74
LoadStringW.USER32(00000000), ref: 001EDA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 001EDA91
LoadStringW.USER32(00000000), ref: 001EDA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 001EDADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 001EDAB9

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 2458f14d484986c1e0b58b7a61738241c55655e282f2823f8ab7459664c60113
Instruction ID: 76866adafe76a3395b96135e8b21f95cf93a77b40ad8bfe718f14e032931b6ce
Opcode Fuzzy Hash: 2458f14d484986c1e0b58b7a61738241c55655e282f2823f8ab7459664c60113
Instruction Fuzzy Hash: 180186FA9402487FE7109BA4AD8DEEB736CE718301F5044A2B706E2041EA749E844F75

Function 001F096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(012CD218,012CD218), ref: 001F097B
EnterCriticalSection.KERNEL32(012CD1F8,00000000), ref: 001F098D
TerminateThread.KERNEL32(?,000001F6), ref: 001F099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 001F09A9
CloseHandle.KERNEL32(?), ref: 001F09B8
InterlockedExchange.KERNEL32(012CD218,000001F6), ref: 001F09C8
LeaveCriticalSection.KERNEL32(012CD1F8), ref: 001F09CF

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 11e53eb329eadcf0c7bdbe8b835ff8b2fc143bce37fc22e18036d607d7027ba6
Instruction ID: 7a9f0c368d0feb405be22d4e3de98d631f703b5026d139988c9f6837496b38b2
Opcode Fuzzy Hash: 11e53eb329eadcf0c7bdbe8b835ff8b2fc143bce37fc22e18036d607d7027ba6
Instruction Fuzzy Hash: C1F03135482A12BBD7525F94FE8CBE67B35FF15702F505025F601508A1DB749465CF90

Function 00185D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00185D30
GetWindowRect.USER32(?,?), ref: 00185D71
ScreenToClient.USER32(?,?), ref: 00185D99
GetClientRect.USER32(?,?), ref: 00185ED7
GetWindowRect.USER32(?,?), ref: 00185EF8

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 08cbd984b9e82cc34dfe3c6261be2dffccb1674e3bb8f2ccdead2bc5b9fbff14
Instruction ID: 236e2a0cb87a867a5cf64196fa037c46299f837f202b21ca1bc427800e5a3715
Opcode Fuzzy Hash: 08cbd984b9e82cc34dfe3c6261be2dffccb1674e3bb8f2ccdead2bc5b9fbff14
Instruction Fuzzy Hash: 0DB16A38A0064ADBDB14DFA9C840BEAB7F2FF58310F14851AE8A9D7250DB34EA51DF54

Function 001B01B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 001B00BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 001B00D6
__allrem.LIBCMT ref: 001B00ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 001B010B
__allrem.LIBCMT ref: 001B0122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 001B0140

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction ID: 58a622e48056fdddd2172ff3c367851842538288250d9ce1b4bf6cb8d157f5ba
Opcode Fuzzy Hash: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction Fuzzy Hash: D7811976A00706AFE725AF6CCC82BAB73E8AF66364F24423EF411D7681E770D9018750

Function 00201D10 Relevance: 9.3, APIs: 6, Instructions: 254networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00203149: select.WSOCK32(00000000,?,00000000,00000000,?,?,?,00000000,?,?,?,0020101C,00000000,?,?,00000000), ref: 00203195

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00201DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00201DE1
WSAGetLastError.WSOCK32 ref: 00201DF2
inet_ntoa.WSOCK32(?), ref: 00201E8C
htons.WSOCK32(?,?,?,?,?), ref: 00201EDB
_strlen.LIBCMT ref: 00201F35

Part of subcall function 001E39E8: _strlen.LIBCMT ref: 001E39F2

Part of subcall function 00186D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000002,?,?,?,?,0019CF58,?,?,?), ref: 00186DBA
Part of subcall function 00186D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,?,?,?,0019CF58,?,?,?), ref: 00186DED

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: ByteCharMultiWide_strlen$ErrorLasthtonsinet_ntoaselect
String ID:
API String ID: 1923757996-0
Opcode ID: 290ae1118f0ad88d9f1e76c71794d2846bc48ec4e42a2439568783730515e447
Instruction ID: dbe7a8384f91b242e5e3ae2aebb6f242b33f50fbe74bdf276b2da978a881672a
Opcode Fuzzy Hash: 290ae1118f0ad88d9f1e76c71794d2846bc48ec4e42a2439568783730515e447
Instruction Fuzzy Hash: 2BA1CF31104342AFC724EF24C889E2A7BE5AF95318F54894CF4565B2E3CB71EE56CB91

Function 001B61FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,001A82D9,001A82D9,?,?,?,001B644F,00000001,00000001,8BE85006), ref: 001B6258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,001B644F,00000001,00000001,8BE85006,?,?,?), ref: 001B62DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 001B63D8
__freea.LIBCMT ref: 001B63E5

Part of subcall function 001B3820: RtlAllocateHeap.NTDLL(00000000,?,00251444,?,0019FDF5,?,?,0018A976,00000010,00251440,001813FC,?,001813C6,?,00181129), ref: 001B3852

__freea.LIBCMT ref: 001B63EE
__freea.LIBCMT ref: 001B6413

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: b65dfef162773b3f92fefeea10701f89858dd86208f1666086a1a3e7f42e0393
Instruction ID: 2db1c2ac860cc6eccba3fb0c5d0da5dcc9fc4ed298c77fbeab39539a59584557
Opcode Fuzzy Hash: b65dfef162773b3f92fefeea10701f89858dd86208f1666086a1a3e7f42e0393
Instruction Fuzzy Hash: B351E072A00216ABEB258F64DC81EEF7BA9FB64710F254669FC09D6150EB38DC50C6A0

Function 0020BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00189CB3: _wcslen.LIBCMT ref: 00189CBD

Part of subcall function 0020C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0020B6AE,?,?), ref: 0020C9B5
Part of subcall function 0020C998: _wcslen.LIBCMT ref: 0020C9F1
Part of subcall function 0020C998: _wcslen.LIBCMT ref: 0020CA68
Part of subcall function 0020C998: _wcslen.LIBCMT ref: 0020CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0020BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0020BD25
RegCloseKey.ADVAPI32(00000000), ref: 0020BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0020BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0020BDF3
RegCloseKey.ADVAPI32(?), ref: 0020BDFF

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: fdd0e76550a7dcb94278d383192064797f5fdcac4b47eae69c4acbbf630739f5
Instruction ID: ba778729dfb92f19cd5967fad938f55282d9ce2231d79db2f1bd0d73622d897c
Opcode Fuzzy Hash: fdd0e76550a7dcb94278d383192064797f5fdcac4b47eae69c4acbbf630739f5
Instruction Fuzzy Hash: 4A81AF30228342AFD725DF24C885E6ABBE5FF84308F14855DF4598B2A2DB31ED55CB92

Function 001DF7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 001DF7B9
SysAllocString.OLEAUT32(00000001), ref: 001DF860
VariantCopy.OLEAUT32(001DFA64,00000000), ref: 001DF889
VariantClear.OLEAUT32(001DFA64), ref: 001DF8AD
VariantCopy.OLEAUT32(001DFA64,00000000), ref: 001DF8B1
VariantClear.OLEAUT32(?), ref: 001DF8BB

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 4f40cd8a1ecdff9e20efd7920967509d686ad998a85177d5788928b7aa46f97b
Instruction ID: 34ec0e81579535ef312fca68e0a4ebeb92afbf78b319c1f96c302640d8f4d783
Opcode Fuzzy Hash: 4f40cd8a1ecdff9e20efd7920967509d686ad998a85177d5788928b7aa46f97b
Instruction Fuzzy Hash: DC51D535940310BACF18AB65D8A5B29B3A8EF55314B24846FFD07DF391DB708E42CB96

Function 001F910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00187620: _wcslen.LIBCMT ref: 00187625

Part of subcall function 00186B57: _wcslen.LIBCMT ref: 00186B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 001F94E5
_wcslen.LIBCMT ref: 001F9506
_wcslen.LIBCMT ref: 001F952D
GetSaveFileNameW.COMDLG32(00000058), ref: 001F9585

Strings

X, xrefs: 001F9412

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 9e7de773f10623646b8619447c11af622721c960d8d2b809b9d6f6698eb7ffa0
Instruction ID: b48f06559b4088cd1745bd3edb8f0334ec4793a685f4f5d94ebe1c0a18994d97
Opcode Fuzzy Hash: 9e7de773f10623646b8619447c11af622721c960d8d2b809b9d6f6698eb7ffa0
Instruction Fuzzy Hash: 68E1B1315083409FC724EF24C881B6AB7E0BF95314F14896DF9999B2A2DB31EE05CF92

Function 0019920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00199BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00199BB2

BeginPaint.USER32(?,?,?), ref: 00199241
GetWindowRect.USER32(?,?), ref: 001992A5
ScreenToClient.USER32(?,?), ref: 001992C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 001992D3
EndPaint.USER32(?,?,?,?,?), ref: 00199321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 001D71EA

Part of subcall function 00199339: BeginPath.GDI32(00000000), ref: 00199357

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 76d4e0c16b7404b9a658ef94df82947d7e0efff9c90c8ebcc62be8e419a4aff8
Instruction ID: 883a7351b43ee327f39b3f3fb35cbf818c084e99867c75948e97be464b0e33da
Opcode Fuzzy Hash: 76d4e0c16b7404b9a658ef94df82947d7e0efff9c90c8ebcc62be8e419a4aff8
Instruction Fuzzy Hash: 2D41AC70104300AFDB21DF28DC88FAA7BB8EF56321F14062DF9A5872E1D7309855DB62

Function 001F07EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 001F080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 001F0847
EnterCriticalSection.KERNEL32(?), ref: 001F0863
LeaveCriticalSection.KERNEL32(?), ref: 001F08DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 001F08F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 001F0921

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 903fb57f11bfcdca1f0b9e9f5739ff3a2b0584eff5e6a20c1c1ab8f22f306b20
Instruction ID: 182811a1d8ed00296336328dc1d7a522adcb539ba9ae4b00cdd901294075d60b
Opcode Fuzzy Hash: 903fb57f11bfcdca1f0b9e9f5739ff3a2b0584eff5e6a20c1c1ab8f22f306b20
Instruction Fuzzy Hash: BB418A75A00209EBDF15EF54DC85AAA77B8FF18300F1480A9ED04DA297DB70DE61DBA0

Function 002181DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,001DF3AB,00000000,?,?,00000000,?,001D682C,00000004,00000000,00000000), ref: 0021824C
EnableWindow.USER32(?,00000000), ref: 00218272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 002182D1
ShowWindow.USER32(?,00000004), ref: 002182E5
EnableWindow.USER32(?,00000001), ref: 0021830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0021832F

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: d06e30f76e9cc511703e5bcfe1b850fa975efd22956538f054f89f27d9c48d4b
Instruction ID: dfdff1449df60791ea0236087cdd1fa83f433aaaffad8d720eb868df90422f89
Opcode Fuzzy Hash: d06e30f76e9cc511703e5bcfe1b850fa975efd22956538f054f89f27d9c48d4b
Instruction Fuzzy Hash: 0E41E834611681AFDB16CF14D8D9BE47BE0FB26715F1841A8E9184F2B2CB71ACA1CF40

Function 001E4C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 001E4C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 001E4CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 001E4CEA
_wcslen.LIBCMT ref: 001E4D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 001E4D10
_wcsstr.LIBVCRUNTIME ref: 001E4D1A

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 8ff5c8c6913ba1b4f2604acd61f6752d3954906de931c2445d57f360fd9babd3
Instruction ID: 764be8ec0936618a259d6971508121cf7f213c989cab22847c3db7981d375653
Opcode Fuzzy Hash: 8ff5c8c6913ba1b4f2604acd61f6752d3954906de931c2445d57f360fd9babd3
Instruction Fuzzy Hash: 8A21F9352046807BEB195B7AAC49EBF7B9CEFA5750F21803DF805CB191DF61DC4196A0

Function 001F581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00183AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00183A97,?,?,00182E7F,?,?,?,00000000), ref: 00183AC2

_wcslen.LIBCMT ref: 001F587B
CoInitialize.OLE32(00000000), ref: 001F5995
CoCreateInstance.OLE32(0021FCF8,00000000,00000001,0021FB68,?), ref: 001F59AE
CoUninitialize.OLE32 ref: 001F59CC

Strings

.lnk, xrefs: 001F5876, 001F58C1, 001F5985

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: cd8260e16995d41d4145de71beed8c8a75b1e9d267f5068c712c5560ebc86593
Instruction ID: b29c02bd8272892b7874e5e79760a93e5f8db29f901ee176668a954ec73e91ae
Opcode Fuzzy Hash: cd8260e16995d41d4145de71beed8c8a75b1e9d267f5068c712c5560ebc86593
Instruction Fuzzy Hash: 13D164746087059FC708EF24C48492ABBE2FF99714F14885DFA8A9B361DB31ED45CB92

Function 001E175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 001E0FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 001E0FCA
Part of subcall function 001E0FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 001E0FD6
Part of subcall function 001E0FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 001E0FE5
Part of subcall function 001E0FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 001E0FEC
Part of subcall function 001E0FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 001E1002

GetLengthSid.ADVAPI32(?,00000000,001E1335), ref: 001E17AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 001E17BA
HeapAlloc.KERNEL32(00000000), ref: 001E17C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 001E17DA
GetProcessHeap.KERNEL32(00000000,00000000,001E1335), ref: 001E17EE
HeapFree.KERNEL32(00000000), ref: 001E17F5

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: ad92727e035891521dee94cc605e4c1aa27574187b05610d2d5040c94b2658be
Instruction ID: 081383d00bfb0db8140b98558fcc4a0e868ae764c7a88f5c7e85cc950340918e
Opcode Fuzzy Hash: ad92727e035891521dee94cc605e4c1aa27574187b05610d2d5040c94b2658be
Instruction Fuzzy Hash: 0D11D036980A05FFDB109FA5DC49BEF7BB9EF45755F208028F48597210CB35A940CB60

Function 001E14CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 001E14FF
OpenProcessToken.ADVAPI32(00000000), ref: 001E1506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 001E1515
CloseHandle.KERNEL32(00000004), ref: 001E1520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 001E154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 001E1563

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: f7717f3f2512c7c3a57334ba6d7f0f5352fa1a65333e02cc6e1740f5a3cbe777
Instruction ID: 4515d9509672b850677129fcb97d791bf1fe365a1f995ef2b24fecb49cc7088b
Opcode Fuzzy Hash: f7717f3f2512c7c3a57334ba6d7f0f5352fa1a65333e02cc6e1740f5a3cbe777
Instruction Fuzzy Hash: 93115676504249BBDF129FA8ED49BDE7BA9EF48704F148024FA05A21A0C7718E61DB60

Function 001A3382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,001A3379,001A2FE5), ref: 001A3390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 001A339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 001A33B7
SetLastError.KERNEL32(00000000,?,001A3379,001A2FE5), ref: 001A3409

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 37a49a9b1971ed72aef28b2b0b9ef9f1f033380bff037a824966135aa16f71c8
Instruction ID: 3532c6cba62345ebf125c6608bf89c991fc24637b829d2a4a84dd06806c9ecbe
Opcode Fuzzy Hash: 37a49a9b1971ed72aef28b2b0b9ef9f1f033380bff037a824966135aa16f71c8
Instruction Fuzzy Hash: B601423F60E311BFAA692BB97C89B772A94EF2B3793300229F430882F0EF114E055144

Function 001B2D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,001B5686,001C3CD6,?,00000000,?,001B5B6A,?,?,?,?,?,001AE6D1,?,00248A48), ref: 001B2D78
_free.LIBCMT ref: 001B2DAB
_free.LIBCMT ref: 001B2DD3
SetLastError.KERNEL32(00000000,?,?,?,?,001AE6D1,?,00248A48,00000010,00184F4A,?,?,00000000,001C3CD6), ref: 001B2DE0
SetLastError.KERNEL32(00000000,?,?,?,?,001AE6D1,?,00248A48,00000010,00184F4A,?,?,00000000,001C3CD6), ref: 001B2DEC
_abort.LIBCMT ref: 001B2DF2

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 5c8186f69d3b03add0917d446ca9f02e06fb50f5f9c1c234ef79259a25bdb52c
Instruction ID: e5ac5f2181554d7dfc4eb6fd488d01ffbb9ce9816031177ed6525e080beb29e8
Opcode Fuzzy Hash: 5c8186f69d3b03add0917d446ca9f02e06fb50f5f9c1c234ef79259a25bdb52c
Instruction Fuzzy Hash: 55F0FC3954561037C61237B8BC0EEDF2559AFE77A1F354518F838D31D6EF3488095160

Function 00218A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00199639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00199693
Part of subcall function 00199639: SelectObject.GDI32(?,00000000), ref: 001996A2
Part of subcall function 00199639: BeginPath.GDI32(?), ref: 001996B9
Part of subcall function 00199639: SelectObject.GDI32(?,00000000), ref: 001996E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00218A4E
LineTo.GDI32(?,00000003,00000000), ref: 00218A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00218A70
LineTo.GDI32(?,00000000,00000003), ref: 00218A80
EndPath.GDI32(?), ref: 00218A90
StrokePath.GDI32(?), ref: 00218AA0

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 6d11d4b772fb74fdb12cb2f92d6e0ca5e77162e517337904b51e6d08d3557847
Instruction ID: 0c299140a1c0aa416504fdba5ee69e964cabd6e04515331075ce8a1c0f34ffbb
Opcode Fuzzy Hash: 6d11d4b772fb74fdb12cb2f92d6e0ca5e77162e517337904b51e6d08d3557847
Instruction Fuzzy Hash: 5611F776040149FFDB129F94EC88EEA7FACEB18350F10C012BA199A1A1CB719D65DBA0

Function 001E51FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 001E5218
GetDeviceCaps.GDI32(00000000,00000058), ref: 001E5229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 001E5230
ReleaseDC.USER32(00000000,00000000), ref: 001E5238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 001E524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 001E5261

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: f3c0adbc2e53e95a9bada5299be27f2043885196e32882bd52c006c40b8469c6
Instruction ID: 392184195682f698d81810aa6a16c05f8eadace3554f9752f90c78521ba051b7
Opcode Fuzzy Hash: f3c0adbc2e53e95a9bada5299be27f2043885196e32882bd52c006c40b8469c6
Instruction Fuzzy Hash: 8D018475A40705BBEB105BA69C49A9EBF78EB58751F148065FA08A7280DA719900CB60

Function 00181BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00181BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00181BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00181C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00181C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00181C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00181C22

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 2151c0a13a56858a28ed0cebee08e80af3442c0c960db77ad9603caa7412d156
Instruction ID: 61e2c67f53321e45fe01f4c7791b044cc48ab7f5153a7582e2b0e54d6292579e
Opcode Fuzzy Hash: 2151c0a13a56858a28ed0cebee08e80af3442c0c960db77ad9603caa7412d156
Instruction Fuzzy Hash: 390167B0942B5ABDE3008F6A8C85B52FFA8FF59354F00411BA15C4BA42C7F5A864CBE5

Function 001EEB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 001EEB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 001EEB46
GetWindowThreadProcessId.USER32(?,?), ref: 001EEB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 001EEB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 001EEB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 001EEB75

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 3fd2a7e1ad161dd2e6a7740b918773493be7f5177977d7b5c82de7d6433eb901
Instruction ID: ac352fe1ea92370a47fd2ca5115edc4762b8baa2ef45f0bfd07b76f3203397fb
Opcode Fuzzy Hash: 3fd2a7e1ad161dd2e6a7740b918773493be7f5177977d7b5c82de7d6433eb901
Instruction Fuzzy Hash: 4EF03076580558BBE7215B52EC0DEEF3A7CEFDAB11F108158F611D1091DBA05A01C6B5

Function 001D7439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 001D7452
SendMessageW.USER32(?,00001328,00000000,?), ref: 001D7469
GetWindowDC.USER32(?), ref: 001D7475
GetPixel.GDI32(00000000,?,?), ref: 001D7484
ReleaseDC.USER32(?,00000000), ref: 001D7496
GetSysColor.USER32(00000005), ref: 001D74B0

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: cf76021b49918c208a4dca1dc0840237264f72e0786874b3940215d7cba16de2
Instruction ID: c99bc274a2e8b7052cd3067a3115379718ccc0377de30615e8d6af7a881181d1
Opcode Fuzzy Hash: cf76021b49918c208a4dca1dc0840237264f72e0786874b3940215d7cba16de2
Instruction Fuzzy Hash: 48018B35440215FFDB515F64EC0CBEA7BB6FB14311F618064F915A21A0CF311E51EB10

Function 001E1874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 001E187F
UnloadUserProfile.USERENV(?,?), ref: 001E188B
CloseHandle.KERNEL32(?), ref: 001E1894
CloseHandle.KERNEL32(?), ref: 001E189C
GetProcessHeap.KERNEL32(00000000,?), ref: 001E18A5
HeapFree.KERNEL32(00000000), ref: 001E18AC

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 522c962ecd33e1a52d4b9c936891499dbfd8b8221a8636e994aa06534cef5903
Instruction ID: 25cb0deca085d5360960f5f8d77f6aaaa51499e2af06e55e78d9299f9dcf5f2c
Opcode Fuzzy Hash: 522c962ecd33e1a52d4b9c936891499dbfd8b8221a8636e994aa06534cef5903
Instruction Fuzzy Hash: 86E0ED3A484211BBD7016FA1FD0C985BF39FF69721720C220F22981070CF725421DF90

Function 0018BBE0 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 232COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0018BEB3

Strings

D%%, xrefs: 0018BDED, 0018BD91, 0018BD1B
D%%, xrefs: 0018BCA2
D%%, xrefs: 0018BE9A
D%%D%%, xrefs: 0018BCA5

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: D%%$D%%$D%%$D%%D%%
API String ID: 1385522511-676076623
Opcode ID: 65ef531cbba3048c8123de59afe0df073b90f53c0de03c22e167688c3849934f
Instruction ID: e6fc7cf53b8f650e410de3893ed5fad7912119a22bacf50d1c37b2a1b71260b7
Opcode Fuzzy Hash: 65ef531cbba3048c8123de59afe0df073b90f53c0de03c22e167688c3849934f
Instruction Fuzzy Hash: 87913A75A0820ADFCB18DF98C0D06AAB7F1FF59314F64416AD945AB351E731AE81CF90

Function 001EC5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00187620: _wcslen.LIBCMT ref: 00187625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 001EC6EE
_wcslen.LIBCMT ref: 001EC735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 001EC79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 001EC7CA

Strings

0, xrefs: 001EC6AF

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: c860ff31114b13008b066b37497179c65e904b1846524d5c019f061b32aa47da
Instruction ID: 811962844adf31011f452041724ed57b7b97a49fd701813bfe6ff4c6f6d879b1
Opcode Fuzzy Hash: c860ff31114b13008b066b37497179c65e904b1846524d5c019f061b32aa47da
Instruction Fuzzy Hash: EE51F272A047819BD7149F2ACC85BAFB7E4AF5A310F04092DF991D3290DB70DD46CB92

Function 0020AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 0020AEA3

Part of subcall function 00187620: _wcslen.LIBCMT ref: 00187625

GetProcessId.KERNEL32(00000000), ref: 0020AF38
CloseHandle.KERNEL32(00000000), ref: 0020AF67

Strings

<, xrefs: 0020AE6B
@, xrefs: 0020AE72

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: f6ccb496ccffab09a5afe691fd055bf659dc55e78a520e25fec309efcde93d13
Instruction ID: 717195bd68044981637d35a90a319c9411b3d35c80e63ed2746cf9e4aacbfad1
Opcode Fuzzy Hash: f6ccb496ccffab09a5afe691fd055bf659dc55e78a520e25fec309efcde93d13
Instruction Fuzzy Hash: 17715575A10719DFCB14EF54D484A9EBBF0BF08304F5484A9E816AB692CB71EE41CFA1

Function 001E719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 001E7206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 001E723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 001E724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 001E72CF

Strings

DllGetClassObject, xrefs: 001E7242

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: a82c770ac99c94b638bbe03974d64e65b168816c030980e8fae3dedbf873e51e
Instruction ID: 2e0a344ada61b976f6a86653d06f867b57229c84291ae9b7097c056b490f2641
Opcode Fuzzy Hash: a82c770ac99c94b638bbe03974d64e65b168816c030980e8fae3dedbf873e51e
Instruction Fuzzy Hash: 1341B671604646EFEB15CF55C884A9E7BB9EF54310F1580ADBE059F28AD7B0DD40CBA0

Function 00213D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00213E35
IsMenu.USER32(?), ref: 00213E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00213E92
DrawMenuBar.USER32 ref: 00213EA5

Strings

0, xrefs: 00213D89

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: b28dd66a36e0348ba33e4347d52cb0d07ae442c4332bdf70e13de9e6249664e0
Instruction ID: 2aac30531199c1b21598c1d0f3b4abb4e84db21dca1f989d068f2fb578f842ad
Opcode Fuzzy Hash: b28dd66a36e0348ba33e4347d52cb0d07ae442c4332bdf70e13de9e6249664e0
Instruction Fuzzy Hash: 51414B75A1030AAFDB10DF50E884ADABBF6FF59350F144119E905A7290D730EEA4CF90

Function 001E1DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00189CB3: _wcslen.LIBCMT ref: 00189CBD

Part of subcall function 001E3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 001E3CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 001E1E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 001E1E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 001E1EA9

Part of subcall function 00186B57: _wcslen.LIBCMT ref: 00186B6A

Strings

ListBox, xrefs: 001E1E25
ComboBox, xrefs: 001E1DF0

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: 4cebe19d24756393778b0b495d7155d8c976b3dcae1e775cff4940fa8c43f03c
Instruction ID: 0a45944edc1cf2942120a14a3005a15016d3f7645167af3b0496b71a70f4a196
Opcode Fuzzy Hash: 4cebe19d24756393778b0b495d7155d8c976b3dcae1e775cff4940fa8c43f03c
Instruction Fuzzy Hash: 84214775A00144BFDB1DAB75DC49CFFB7B8EF62350B244119F821A71E1DB344A0A8B20

Function 0020C9EA Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 91COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0020C9F1
_wcslen.LIBCMT ref: 0020CA68
_wcslen.LIBCMT ref: 0020CA9E
_wcslen.LIBCMT ref: 0020CAF9
_wcslen.LIBCMT ref: 0020CB2F
_wcslen.LIBCMT ref: 0020CB7F

Strings

HKEY_LOCAL_MACHINE, xrefs: 0020CA62, 0020CA67
HKLM, xrefs: 0020CA98, 0020CA9D

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: _wcslen
String ID: HKEY_LOCAL_MACHINE$HKLM
API String ID: 176396367-4004644295
Opcode ID: a79991b9870bf9021d1bab39c4b470cdac90a024d84ad2d33b2df6637b22b1ed
Instruction ID: 9029b694ad4461d23a5a678769cc525beedf8684493012001e565b7181fd5f01
Opcode Fuzzy Hash: a79991b9870bf9021d1bab39c4b470cdac90a024d84ad2d33b2df6637b22b1ed
Instruction Fuzzy Hash: FE31F7B3B2036B4BCB20DF6CD8501BF33915BA1754B254229E8556B2C6E770CE64C3A0

Function 00212F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00212F8D
LoadLibraryW.KERNEL32(?), ref: 00212F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00212FA9
DestroyWindow.USER32(?), ref: 00212FB1

Strings

SysAnimate32, xrefs: 00212F68

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 6a52cd59a31b010770809858e8e83968d0d44b6e320b727a44476a92dcef0639
Instruction ID: 528a4c7d98de328526719fc4fecc57f87cfb0664a7e536528fa71016bf795e31
Opcode Fuzzy Hash: 6a52cd59a31b010770809858e8e83968d0d44b6e320b727a44476a92dcef0639
Instruction Fuzzy Hash: 4D21887122020AEBEB204E64AC84EFB37F9EB69364F104218F95092590D771DCB69B60

Function 001A4D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,001A4D1E,001B28E9,?,001A4CBE,001B28E9,002488B8,0000000C,001A4E15,001B28E9,00000002), ref: 001A4D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 001A4DA0
FreeLibrary.KERNEL32(00000000,?,?,?,001A4D1E,001B28E9,?,001A4CBE,001B28E9,002488B8,0000000C,001A4E15,001B28E9,00000002,00000000), ref: 001A4DC3

Strings

mscoree.dll, xrefs: 001A4D86
CorExitProcess, xrefs: 001A4D98

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 0f60f570e2fb159768d5bf60a66e0100d48d634710b392e0b068983b26d07465
Instruction ID: 1b2f496822f9abaab5c60190cf2e1a7080833b9987e6c48a42660587b72db4e0
Opcode Fuzzy Hash: 0f60f570e2fb159768d5bf60a66e0100d48d634710b392e0b068983b26d07465
Instruction Fuzzy Hash: 7BF04F39A80218BBDB159F94EC4DBEDBBB5EF65751F1040A4F809A2260CF719A50CA90

Function 001DD3A0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 001DD3AD
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 001DD3BF
FreeLibrary.KERNEL32(00000000), ref: 001DD3E5

Strings

X64, xrefs: 001DD2A8
GetSystemWow64DirectoryW, xrefs: 001DD3B9

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 145871493-2590602151
Opcode ID: 1f490e2ad8927c0704d970ed1b1b1934043ea63bd96596d377d68f7c883679ac
Instruction ID: 0f1930258f7716edec147c4bcddc9f319dcf37f40d939d914f80d159a0321ce0
Opcode Fuzzy Hash: 1f490e2ad8927c0704d970ed1b1b1934043ea63bd96596d377d68f7c883679ac
Instruction Fuzzy Hash: 04F0EC758D5611BBDB391B10BC5CDA97324BF21742B66815BF806E2214DF30CD508692

Function 00184E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00184EDD,?,00251418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00184E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00184EAE
FreeLibrary.KERNEL32(00000000,?,?,00184EDD,?,00251418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00184EC0

Strings

kernel32.dll, xrefs: 00184E94
Wow64DisableWow64FsRedirection, xrefs: 00184EA8

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: e0cc1d52823a5851775f500b3d0eb2ca2f75842f8564ad8b92e7e8a58123cc40
Instruction ID: 8e62aad13d2188d299763c57a9403d9e9328fb16652d7566705d87d0c3dcc937
Opcode Fuzzy Hash: e0cc1d52823a5851775f500b3d0eb2ca2f75842f8564ad8b92e7e8a58123cc40
Instruction Fuzzy Hash: 40E0CD39A915236BD2312F257C1CBDF6654AF92F627154115FC04E2100DF64CE0145B4

Function 00184E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,001C3CDE,?,00251418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00184E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00184E74
FreeLibrary.KERNEL32(00000000,?,?,001C3CDE,?,00251418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00184E87

Strings

kernel32.dll, xrefs: 00184E5B
Wow64RevertWow64FsRedirection, xrefs: 00184E6E

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 095ba3874fe4ccd8a2ab9dda823432cfc957fe7641723643210f3da46ea2b776
Instruction ID: 15860a5bac030b6b5a8124e8cd60ad2bc1d2277382785565cefd2ab18a680534
Opcode Fuzzy Hash: 095ba3874fe4ccd8a2ab9dda823432cfc957fe7641723643210f3da46ea2b776
Instruction Fuzzy Hash: 20D0C2395826226766222B247C0CDCB6A18AF86B113254110B808E2110CF24CF018AE0

Function 001F2947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 001F2C05
DeleteFileW.KERNEL32(?), ref: 001F2C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 001F2C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 001F2CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 001F2CC0

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 83888f59b8c8aa54eb2e7c6c7c7e154905c649b130e5292eb74cb1e53842777f
Instruction ID: 5e45aa85175e8c743961c0215c2fe96d3f2d2be8d3a0610ef4d5e90c9af25838
Opcode Fuzzy Hash: 83888f59b8c8aa54eb2e7c6c7c7e154905c649b130e5292eb74cb1e53842777f
Instruction Fuzzy Hash: 28B11C71D0011DABDF25EBA4CC85EEEBBBDEF59350F1040A6FA09E6151EB309A448F61

Function 0020A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 0020A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0020A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0020A468
CloseHandle.KERNEL32(?), ref: 0020A63D

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: ff413aa2a30d7c3fe0d5ee5a8388152178e787c225fb7fd1d653768327e0f847
Instruction ID: baf0dca6256909ab898a2c0d3d87b59a18793d2ec652fc343754d38896dca864
Opcode Fuzzy Hash: ff413aa2a30d7c3fe0d5ee5a8388152178e787c225fb7fd1d653768327e0f847
Instruction Fuzzy Hash: 6DA1C3716043019FD720DF28D886F2AB7E5AF54714F54885CF55A9B3D2D7B0ED408B92

Function 001EE3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 001EDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,001ECF22,?), ref: 001EDDFD

Part of subcall function 001EDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,001ECF22,?), ref: 001EDE16

Part of subcall function 001EE199: GetFileAttributesW.KERNEL32(?,001ECF95), ref: 001EE19A

lstrcmpiW.KERNEL32(?,?), ref: 001EE473
MoveFileW.KERNEL32(?,?), ref: 001EE4AC
_wcslen.LIBCMT ref: 001EE5EB
_wcslen.LIBCMT ref: 001EE603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 001EE650

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 90a66c4330714e14eb2d38d6044f1b0c15b9a77a2367afb9fb1b96307cbb2f83
Instruction ID: 46b77f2163c1438bcb8c6574902e1e269b4cb45aaeccf8d900f8cb14ca3ef42d
Opcode Fuzzy Hash: 90a66c4330714e14eb2d38d6044f1b0c15b9a77a2367afb9fb1b96307cbb2f83
Instruction Fuzzy Hash: 2C5173B24087859BC724EB90DC859EFB3ECAF95340F00491EF589D3191EF75A688CB66

Function 0020B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00189CB3: _wcslen.LIBCMT ref: 00189CBD

Part of subcall function 0020C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0020B6AE,?,?), ref: 0020C9B5
Part of subcall function 0020C998: _wcslen.LIBCMT ref: 0020C9F1
Part of subcall function 0020C998: _wcslen.LIBCMT ref: 0020CA68
Part of subcall function 0020C998: _wcslen.LIBCMT ref: 0020CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0020BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0020BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0020BB63
RegCloseKey.ADVAPI32(?,?), ref: 0020BBA6
RegCloseKey.ADVAPI32(00000000), ref: 0020BBB3

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 150cfc3ff81db60b813195286f9abea5a6f83590e4ee781c466da8d3bb17a4ec
Instruction ID: 76d22e7fe8a7b5f07f354398a0a8446c227d1ae6520255ba1f989fef652cd73c
Opcode Fuzzy Hash: 150cfc3ff81db60b813195286f9abea5a6f83590e4ee781c466da8d3bb17a4ec
Instruction Fuzzy Hash: 05619D31218342AFD725DF24C490E2ABBE5FF84308F54895DF4998B2A2DB31ED45CB92

Function 001E8BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 001E8BCD
VariantClear.OLEAUT32 ref: 001E8C3E
VariantClear.OLEAUT32 ref: 001E8C9D
VariantClear.OLEAUT32(?), ref: 001E8D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 001E8D3B

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: cc438dde0cd20b0b3147bf57237573204b1fb0cb56ebc0b407ce485cfe0d41cd
Instruction ID: 8d460379165f580d0d1bb06a50f6a619d0583aef4b8a5f9d95b67d70262a2a29
Opcode Fuzzy Hash: cc438dde0cd20b0b3147bf57237573204b1fb0cb56ebc0b407ce485cfe0d41cd
Instruction Fuzzy Hash: A7518AB5A00619EFCB14CF69C884AEAB7F9FF89310B118559E909DB350EB30E911CF90

Function 001F8AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 001F8BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 001F8BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 001F8C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 001F8C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 001F8C5F

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: b7583439104cef58047780731f40fc5f973ea7f7e07e267da114d433ef233131
Instruction ID: 5f0a51600f05509e1a00edc5314abd8f1fe945082f2d6a50ac7370a3ed0582d3
Opcode Fuzzy Hash: b7583439104cef58047780731f40fc5f973ea7f7e07e267da114d433ef233131
Instruction Fuzzy Hash: 80515E35A006199FCB04EF64D880AADBBF5FF59314F188058E949AB362CB31ED41CFA0

Function 00208EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00208F40
GetProcAddress.KERNEL32(00000000,?), ref: 00208FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00208FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00209032
FreeLibrary.KERNEL32(00000000), ref: 00209052

Part of subcall function 0019F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,001F1043,?,753CE610), ref: 0019F6E6
Part of subcall function 0019F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,001DFA64,00000000,00000000,?,?,001F1043,?,753CE610,?,001DFA64), ref: 0019F70D

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 290d84e1d7c3196317ace2111d51dbc3dbedb99121ed1945e8fc3549c7fa86ac
Instruction ID: 00a44e6ccdfd5921e99297ee71fa7a76bb597e7fe7f654b600498b17af73a530
Opcode Fuzzy Hash: 290d84e1d7c3196317ace2111d51dbc3dbedb99121ed1945e8fc3549c7fa86ac
Instruction Fuzzy Hash: 5B514E35604206DFC715EF64C4848ADBBF1FF59314B588098E84A9B7A2DB31EE85CF90

Function 00216B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00216C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00216C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00216C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,001FAB79,00000000,00000000), ref: 00216C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00216CC7

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: 8b2b6b261731df661e2a022e1909f01ca71545e9649f1b0eee6cc8846edacc7b
Instruction ID: 7d2b3e4d83db230d37a340d4ed7de2c5c17921b8040db12360c6bd71db124baa
Opcode Fuzzy Hash: 8b2b6b261731df661e2a022e1909f01ca71545e9649f1b0eee6cc8846edacc7b
Instruction Fuzzy Hash: 7441B339624105AFD724CF28CC5CFED7BE5EB29350F154269F895A72E0C771ADA1CA80

Function 001B2051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 001B20C3
_free.LIBCMT ref: 001B20E3

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 3876d7330f3e215f604b49301e6f30195be9e20f1816aff02552fd5f658582c9
Instruction ID: 3ef9b7659c2fddc60aa6b847e9450c7087237ad84d0b3087a9c494ec5be2eeeb
Opcode Fuzzy Hash: 3876d7330f3e215f604b49301e6f30195be9e20f1816aff02552fd5f658582c9
Instruction Fuzzy Hash: DA41E476A00200AFCB24DF78C881A9DB7F5EF89314F254568F515EB355DB31AD05CB80

Function 0019912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00199141
ScreenToClient.USER32(00000000,?), ref: 0019915E
GetAsyncKeyState.USER32(00000001), ref: 00199183
GetAsyncKeyState.USER32(00000002), ref: 0019919D

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 4b7b4cfb7e2178ad698be85c98ca3298394e3633b46e59245841c724fc85ce03
Instruction ID: e36fe49dc52d91c56c770a648f914be9e0dc217e8ecb5dafde36754aeb5f7458
Opcode Fuzzy Hash: 4b7b4cfb7e2178ad698be85c98ca3298394e3633b46e59245841c724fc85ce03
Instruction Fuzzy Hash: DA414F71A0851AFBDF199F68C848BEEB775FB15330F21832AE425A62D0D7306954CB91

Function 001F3874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 001F38CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 001F3922
TranslateMessage.USER32(?), ref: 001F394B
DispatchMessageW.USER32(?), ref: 001F3955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 001F3966

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 42268c851a1f1c6f021bf04c8782a1e7ad7530f041dde4951bbbbcb02eccb443
Instruction ID: 27b40c538e52acbe0e1d38436c6f4dc363bfbca94cb3dbd9312783b33ba166bf
Opcode Fuzzy Hash: 42268c851a1f1c6f021bf04c8782a1e7ad7530f041dde4951bbbbcb02eccb443
Instruction Fuzzy Hash: 8B31D77094434AAEEB39CB34E85CBB637E8BB15349F14056DE672821E0E7F49A85CB11

Function 001FCF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,001FC21E,00000000), ref: 001FCF38
InternetReadFile.WININET(?,00000000,?,?), ref: 001FCF6F
GetLastError.KERNEL32(?,00000000,?,?,?,001FC21E,00000000), ref: 001FCFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,001FC21E,00000000), ref: 001FCFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,001FC21E,00000000), ref: 001FCFF2

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 640fc6de7882adc2ad71df16e2189f6c39ceaca48b94ca66a76c410a347e8cf1
Instruction ID: 283376caaa185548d75f6564a2ea7f54a1b90081c15873bdb962bd64cf03374c
Opcode Fuzzy Hash: 640fc6de7882adc2ad71df16e2189f6c39ceaca48b94ca66a76c410a347e8cf1
Instruction Fuzzy Hash: E6314F7190420DAFDB24DFA5D984ABBFBF9EB14350B10842EF616D2140DB30AE41EBA0

Function 001E1901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 001E1915
PostMessageW.USER32(00000001,00000201,00000001), ref: 001E19C1
Sleep.KERNEL32(00000000,?,?,?), ref: 001E19C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 001E19DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 001E19E2

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: de3afb56e8d3ded7b4a2ec7a47610ea5b85a428f17246a8064f0444fe9013043
Instruction ID: f82175239c725627edca002ba7e17f305dfd595e0f34a2d2b041d7b581399d25
Opcode Fuzzy Hash: de3afb56e8d3ded7b4a2ec7a47610ea5b85a428f17246a8064f0444fe9013043
Instruction Fuzzy Hash: B331D171900259FFCB04CFA8DD98ADE3BB5EB54318F108225F921A72D1C7709944CB90

Function 00215706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00215745
SendMessageW.USER32(?,00001074,?,00000001), ref: 0021579D
_wcslen.LIBCMT ref: 002157AF
_wcslen.LIBCMT ref: 002157BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00215816

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: e7995e2430d70f53c9de5b0f0d207f7b339cd340b067fdaa3bf070ca36a73229
Instruction ID: 1a55759543808ec3e533088613b05813ffea6c7556068fa3f376a269f0533e50
Opcode Fuzzy Hash: e7995e2430d70f53c9de5b0f0d207f7b339cd340b067fdaa3bf070ca36a73229
Instruction Fuzzy Hash: A221B134920628DADB209F60CC85AEEB7B8FFA4324F108256E919AA1C0D77089E5CF50

Function 00200930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00200951
GetForegroundWindow.USER32 ref: 00200968
GetDC.USER32(00000000), ref: 002009A4
GetPixel.GDI32(00000000,?,00000003), ref: 002009B0
ReleaseDC.USER32(00000000,00000003), ref: 002009E8

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: cf4ebae789cb8de7251728d22b25df11f26e97b67f75aaaee11bc5c26bd2b064
Instruction ID: 056249b5a332878e7a0a13ce46767204fb4a8ac4d703d73f5a279b2abf5606aa
Opcode Fuzzy Hash: cf4ebae789cb8de7251728d22b25df11f26e97b67f75aaaee11bc5c26bd2b064
Instruction Fuzzy Hash: 12218179600204AFD704EF65D888AAEBBE9EF54700F148068E94AD7362CB70AD04CB50

Function 001BCDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 001BCDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 001BCDE9

Part of subcall function 001B3820: RtlAllocateHeap.NTDLL(00000000,?,00251444,?,0019FDF5,?,?,0018A976,00000010,00251440,001813FC,?,001813C6,?,00181129), ref: 001B3852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 001BCE0F
_free.LIBCMT ref: 001BCE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 001BCE31

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: c8c0ecda425dc2d7f0400cb6ad59c31506bc8a00f2721a3e957ebd00bc6e77a4
Instruction ID: 57e67a4a2cda897a2fcfc22d4c737347c37a04084fecfe91e3398e399100bb6e
Opcode Fuzzy Hash: c8c0ecda425dc2d7f0400cb6ad59c31506bc8a00f2721a3e957ebd00bc6e77a4
Instruction Fuzzy Hash: 20018476601215BF23211AB66C8CDFB6E6DDED6BA13254129F905DB201EF61CD0181F0

Function 00199639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00199693
SelectObject.GDI32(?,00000000), ref: 001996A2
BeginPath.GDI32(?), ref: 001996B9
SelectObject.GDI32(?,00000000), ref: 001996E2

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 0af6c1c22de6fd57924770c14924e703b4b48e562ee15686825ee82f5183db54
Instruction ID: db3b105bdb4f76fe1dead13735e925ad8df2ac6c615c0418db7c71c695ef6be8
Opcode Fuzzy Hash: 0af6c1c22de6fd57924770c14924e703b4b48e562ee15686825ee82f5183db54
Instruction Fuzzy Hash: CD215E70802345EBDF119F68FC1C7E93BA9BB51366F20461AF415A61B0D77098A5CF98

Function 001E5711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 001E5726
_memcmp.LIBVCRUNTIME ref: 001E5744
_memcmp.LIBVCRUNTIME ref: 001E5757
_memcmp.LIBVCRUNTIME ref: 001E576F
_memcmp.LIBVCRUNTIME ref: 001E5787

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: c5370346f9b5800946cb2bbc55e009a8551e77fb071efd99e4fcffccb0bace9d
Instruction ID: a9aec0f2c4c5dafe1a36332c70cbb2905a666de4993a72200cabb265d960c595
Opcode Fuzzy Hash: c5370346f9b5800946cb2bbc55e009a8551e77fb071efd99e4fcffccb0bace9d
Instruction Fuzzy Hash: F4019665A45E45FA970899129E52FFF739EAF323ACF844021FD149A241F760ED7082E0

Function 001B2DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,001AF2DE,001B3863,00251444,?,0019FDF5,?,?,0018A976,00000010,00251440,001813FC,?,001813C6), ref: 001B2DFD
_free.LIBCMT ref: 001B2E32
_free.LIBCMT ref: 001B2E59
SetLastError.KERNEL32(00000000,00181129), ref: 001B2E66
SetLastError.KERNEL32(00000000,00181129), ref: 001B2E6F

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 940d7b6e0fa95ec6cd57b57fa52b0043562b4435797a0827d7fab1bfa8f78522
Instruction ID: bd9a138846716deb0e89bc47b79698cfdf32f9b7a37bdef36a2e60cd2c5d8278
Opcode Fuzzy Hash: 940d7b6e0fa95ec6cd57b57fa52b0043562b4435797a0827d7fab1bfa8f78522
Instruction Fuzzy Hash: 1801CD3614561077C61367767C89DEB155DABE57757354428F839A32D2EF74CC0D4120

Function 001E000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,001DFF41,80070057,?,?,?,001E035E), ref: 001E002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,001DFF41,80070057,?,?), ref: 001E0046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,001DFF41,80070057,?,?), ref: 001E0054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,001DFF41,80070057,?), ref: 001E0064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,001DFF41,80070057,?,?), ref: 001E0070

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 7d28a2097ba79eaa68c2af1462e026e855966cf10ae01b971d1a77e951901f9e
Instruction ID: 19d930eba8fd8a3a89e6b5be8dd2e239574d3aa2e8fbe41b84febdf3d47bd202
Opcode Fuzzy Hash: 7d28a2097ba79eaa68c2af1462e026e855966cf10ae01b971d1a77e951901f9e
Instruction Fuzzy Hash: 3E01A776640604BFDB125F6AEC48BEE7AEDEF48791F258114F905D2210DBB1DD808760

Function 001EE97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 001EE997
QueryPerformanceFrequency.KERNEL32(?), ref: 001EE9A5
Sleep.KERNEL32(00000000), ref: 001EE9AD
QueryPerformanceCounter.KERNEL32(?), ref: 001EE9B7
Sleep.KERNEL32 ref: 001EE9F3

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 840827f713f0740f2c7d05f26b54fd9719b2cb9909d5a48a4ef0f68482a85ac0
Instruction ID: 9bad4be2a676bd61bfbcca13b1e4178c1b0cbdae847ecff7cd72730e9d96f60c
Opcode Fuzzy Hash: 840827f713f0740f2c7d05f26b54fd9719b2cb9909d5a48a4ef0f68482a85ac0
Instruction Fuzzy Hash: 3E015B35C41A29EBCF009FE6E85DAEDBBB8BB18704F114556E902B2242CB309590C7A1

Function 001E10F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 001E1114
GetLastError.KERNEL32(?,00000000,00000000,?,?,001E0B9B,?,?,?), ref: 001E1120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,001E0B9B,?,?,?), ref: 001E112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,001E0B9B,?,?,?), ref: 001E1136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 001E114D

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: b7ff3c631f3f5a696f5f030f3a3d84082a50214489bd0e6340da4fd6fedd071c
Instruction ID: 8e766090c2cca05b82c100446dbeedc85c51b01408d16278f0a807c5b0f4cb20
Opcode Fuzzy Hash: b7ff3c631f3f5a696f5f030f3a3d84082a50214489bd0e6340da4fd6fedd071c
Instruction Fuzzy Hash: EE011D79140705BFDB114F65EC4DAAA3B6EEF85360B244425FA45D7350DF71DC109A60

Function 001E0FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 001E0FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 001E0FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 001E0FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 001E0FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 001E1002

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 4e1579f8bab344b9a401c682ebf713e0faa1bdb9998bac16bea3ef191e7252c7
Instruction ID: 4a2576844eabb531e2c6a1b26a5daf58abec0b0c83e4dc9b8463e5e2c74b090e
Opcode Fuzzy Hash: 4e1579f8bab344b9a401c682ebf713e0faa1bdb9998bac16bea3ef191e7252c7
Instruction Fuzzy Hash: 6AF04F39180751BBD7215FA5AC4DF9A3B6EEF99761F218414F949C6291CE70DC408A60

Function 001E1014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 001E102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 001E1036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 001E1045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 001E104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 001E1062

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: c38cfb53f4073e6def0ed566f086f0d157c406a9d8caba36faa1648191df777f
Instruction ID: 4bb9e937b69e0f2ea17e031917875c533cde37d5cbb3baa82e0067e99756f34a
Opcode Fuzzy Hash: c38cfb53f4073e6def0ed566f086f0d157c406a9d8caba36faa1648191df777f
Instruction Fuzzy Hash: DCF04939280751BBDB215FA5EC4DF9A3BAEEF99761F214824FA49C6250CE70D8408A60

Function 001F030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,001F017D,?,001F32FC,?,00000001,001C2592,?), ref: 001F0324
CloseHandle.KERNEL32(?,?,?,?,001F017D,?,001F32FC,?,00000001,001C2592,?), ref: 001F0331
CloseHandle.KERNEL32(?,?,?,?,001F017D,?,001F32FC,?,00000001,001C2592,?), ref: 001F033E
CloseHandle.KERNEL32(?,?,?,?,001F017D,?,001F32FC,?,00000001,001C2592,?), ref: 001F034B
CloseHandle.KERNEL32(?,?,?,?,001F017D,?,001F32FC,?,00000001,001C2592,?), ref: 001F0358
CloseHandle.KERNEL32(?,?,?,?,001F017D,?,001F32FC,?,00000001,001C2592,?), ref: 001F0365

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 6450e2b2ddb89ac96bf1938d4fa86c9cf3e9953b175e2a937b8306bf307c5960
Instruction ID: 9606c89dfbc2be1baf84530137517f319dd9b9602f3ae688632605d3fac2c5ef
Opcode Fuzzy Hash: 6450e2b2ddb89ac96bf1938d4fa86c9cf3e9953b175e2a937b8306bf307c5960
Instruction Fuzzy Hash: 2D01A276800B199FC731AF66D880822F7F5BF643153158A3FD29652932C771A954CF80

Function 001BD73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 001BD752

Part of subcall function 001B29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,001BD7D1,00000000,00000000,00000000,00000000,?,001BD7F8,00000000,00000007,00000000,?,001BDBF5,00000000), ref: 001B29DE
Part of subcall function 001B29C8: GetLastError.KERNEL32(00000000,?,001BD7D1,00000000,00000000,00000000,00000000,?,001BD7F8,00000000,00000007,00000000,?,001BDBF5,00000000,00000000), ref: 001B29F0

_free.LIBCMT ref: 001BD764
_free.LIBCMT ref: 001BD776
_free.LIBCMT ref: 001BD788
_free.LIBCMT ref: 001BD79A

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 2f251cd16138562842b6a093a169d913e95df1321bb82d0b95b609d154e5a5ad
Instruction ID: dd49ca0b59fc92b5dc53de1f08f37028b655c1baa5d7f898dada154cc1ed8e21
Opcode Fuzzy Hash: 2f251cd16138562842b6a093a169d913e95df1321bb82d0b95b609d154e5a5ad
Instruction Fuzzy Hash: 6EF09032501218BB8669EB68F9CACDA7BDDBB05318BA40C05F04DE7502DF30FC808A64

Function 001E5C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 001E5C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 001E5C6F
MessageBeep.USER32(00000000), ref: 001E5C87
KillTimer.USER32(?,0000040A), ref: 001E5CA3
EndDialog.USER32(?,00000001), ref: 001E5CBD

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 5125660cfd82f61aa1a2c783ff2dad5b4df288f85c6d1b19bdf965b3be8720bf
Instruction ID: 33bcdbad6d072956c61e5f634b848ee73a7d10d34e2ae81c587bce837f73795c
Opcode Fuzzy Hash: 5125660cfd82f61aa1a2c783ff2dad5b4df288f85c6d1b19bdf965b3be8720bf
Instruction Fuzzy Hash: 7C01D634540B44ABEB245B11ED5EFEA77BDBF54B09F100159B183A20E1DBF0A984CB90

Function 001B22A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 001B22BE

Part of subcall function 001B29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,001BD7D1,00000000,00000000,00000000,00000000,?,001BD7F8,00000000,00000007,00000000,?,001BDBF5,00000000), ref: 001B29DE
Part of subcall function 001B29C8: GetLastError.KERNEL32(00000000,?,001BD7D1,00000000,00000000,00000000,00000000,?,001BD7F8,00000000,00000007,00000000,?,001BDBF5,00000000,00000000), ref: 001B29F0

_free.LIBCMT ref: 001B22D0
_free.LIBCMT ref: 001B22E3
_free.LIBCMT ref: 001B22F4
_free.LIBCMT ref: 001B2305

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: b4bab28f38015beee61b84747b69e743b16cd341f8297bdedeeb9785957c9568
Instruction ID: 9ac88229c8750f3832a675a35b392da3b1df4fb4a49d6b7461c851f2ccc9f38a
Opcode Fuzzy Hash: b4bab28f38015beee61b84747b69e743b16cd341f8297bdedeeb9785957c9568
Instruction Fuzzy Hash: D2F054B44013309B8653AF58BC499983B64F729752B110A06F818D3671CB3004259FE9

Function 001995C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 001995D4
StrokeAndFillPath.GDI32(?,?,001D71F7,00000000,?,?,?), ref: 001995F0
SelectObject.GDI32(?,00000000), ref: 00199603
DeleteObject.GDI32 ref: 00199616
StrokePath.GDI32(?), ref: 00199631

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 5bd9a94226a121e6ce1d137d5ebcfc73071f49329c1e7c22f04f3cd27a24f3f8
Instruction ID: 52c795031acf647a84857515581bd19fcc619d98f537ceab2a1f0a8ad73b4e69
Opcode Fuzzy Hash: 5bd9a94226a121e6ce1d137d5ebcfc73071f49329c1e7c22f04f3cd27a24f3f8
Instruction Fuzzy Hash: EDF04934046348EBDB265F69FD1CBA93F61BB25323F248258F469950F0CB3189A5DF68

Function 001B0F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 001B10F9
__freea.LIBCMT ref: 001B1117

Part of subcall function 001B1537: _free.LIBCMT ref: 001B154F

Strings

a/p, xrefs: 001B11DE
am/pm, xrefs: 001B117A

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 4e7a7d9b47d133fa887008bc63ada8a89b1d96579aafd9f174876520e53413ea
Instruction ID: edd2c25c23eb94ca5ad3fb8d0e4c56ca92f8c6a12bc86089d5853535e2da62bd
Opcode Fuzzy Hash: 4e7a7d9b47d133fa887008bc63ada8a89b1d96579aafd9f174876520e53413ea
Instruction Fuzzy Hash: 19D10731900206FADB289F68C865BFEB7F1FF16310FAB4159E9019B660E3759D80CB91

Function 002061D0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 324COMMON

Download Yara Rule

APIs

Part of subcall function 001A0242: EnterCriticalSection.KERNEL32(0025070C,00251884,?,?,0019198B,00252518,?,?,?,001812F9,00000000), ref: 001A024D
Part of subcall function 001A0242: LeaveCriticalSection.KERNEL32(0025070C,?,0019198B,00252518,?,?,?,001812F9,00000000), ref: 001A028A

Part of subcall function 001A00A3: __onexit.LIBCMT ref: 001A00A9

__Init_thread_footer.LIBCMT ref: 00206238

Part of subcall function 001A01F8: EnterCriticalSection.KERNEL32(0025070C,?,?,00198747,00252514), ref: 001A0202
Part of subcall function 001A01F8: LeaveCriticalSection.KERNEL32(0025070C,?,00198747,00252514), ref: 001A0235

Part of subcall function 001F359C: LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 001F35E4
Part of subcall function 001F359C: LoadStringW.USER32(00252390,?,00000FFF,?), ref: 001F360A

Strings

x#%, xrefs: 00206353
x#%, xrefs: 0020636F
x#%, xrefs: 0020633A

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeaveLoadString$Init_thread_footer__onexit
String ID: x#%$x#%$x#%
API String ID: 1072379062-3923245774
Opcode ID: 34ad6938e245d93991ab63cdbc97f321a08a91fad7c44d7c6ca264aec44126cc
Instruction ID: a88373a132eb9bfe571ed6237fbc27d1bb4d14b60f88969bb3c7641a1af698c2
Opcode Fuzzy Hash: 34ad6938e245d93991ab63cdbc97f321a08a91fad7c44d7c6ca264aec44126cc
Instruction Fuzzy Hash: 11C1B271A10206AFDB14DF58C894EBEB7B9FF59300F548069F9059B292DB70EE64CB90

Function 00207B7E Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 001A0242: EnterCriticalSection.KERNEL32(0025070C,00251884,?,?,0019198B,00252518,?,?,?,001812F9,00000000), ref: 001A024D
Part of subcall function 001A0242: LeaveCriticalSection.KERNEL32(0025070C,?,0019198B,00252518,?,?,?,001812F9,00000000), ref: 001A028A

Part of subcall function 00189CB3: _wcslen.LIBCMT ref: 00189CBD

Part of subcall function 001A00A3: __onexit.LIBCMT ref: 001A00A9

__Init_thread_footer.LIBCMT ref: 00207BFB

Part of subcall function 001A01F8: EnterCriticalSection.KERNEL32(0025070C,?,?,00198747,00252514), ref: 001A0202
Part of subcall function 001A01F8: LeaveCriticalSection.KERNEL32(0025070C,?,00198747,00252514), ref: 001A0235

Strings

Variable must be of type 'Object'., xrefs: 00207C3A
5, xrefs: 00207C78
G, xrefs: 00207C7F

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: 5$G$Variable must be of type 'Object'.
API String ID: 535116098-3733170431
Opcode ID: 7f0f9bbe958d6c6357f4a91687aa983e50a36de7d4cb1716114a8ebcdcda9358
Instruction ID: 018d3e56c1e68ea581b5406131c00f591d09354264b5a2e75495357e31ca0816
Opcode Fuzzy Hash: 7f0f9bbe958d6c6357f4a91687aa983e50a36de7d4cb1716114a8ebcdcda9358
Instruction Fuzzy Hash: CA919C74A24309EFDB04EF54D8909BEB7B1FF59300F50805AF806AB292DB71AE65CB50

Function 001E2716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 001EB403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,001E21D0,?,?,00000034,00000800,?,00000034), ref: 001EB42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 001E2760

Part of subcall function 001EB3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,001E21FF,?,?,00000800,?,00001073,00000000,?,?), ref: 001EB3F8

Part of subcall function 001EB32A: GetWindowThreadProcessId.USER32(?,?), ref: 001EB355
Part of subcall function 001EB32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,001E2194,00000034,?,?,00001004,00000000,00000000), ref: 001EB365
Part of subcall function 001EB32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,001E2194,00000034,?,?,00001004,00000000,00000000), ref: 001EB37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 001E27CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 001E281A

Strings

@, xrefs: 001E2832

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 73a54e685f8bbe2abdc72e012e5484f4759d94548039ab77924ca2a5e9b27da9
Instruction ID: 4d4ac3d6e05ce07b0122a71a88068aa30f0721945bbe482c4f5832b799ce480f
Opcode Fuzzy Hash: 73a54e685f8bbe2abdc72e012e5484f4759d94548039ab77924ca2a5e9b27da9
Instruction Fuzzy Hash: 92416C72900218AFDB14DFA5CD86EEEBBB8AF19300F104055FA45B7180DB706E45CBA1

Function 001B172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 001B1769
_free.LIBCMT ref: 001B1834
_free.LIBCMT ref: 001B183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 001B1760, 001B1767, 001B1796, 001B17CE

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-1957095476
Opcode ID: 4c05e5be198430cff387028c504c04264c7953edc243b33318f3ffd7aaa6e87a
Instruction ID: 0ec1a8576644a4a1073156279141890ccd95cc6e30f8d317fe0ef9f0e0d1d28a
Opcode Fuzzy Hash: 4c05e5be198430cff387028c504c04264c7953edc243b33318f3ffd7aaa6e87a
Instruction Fuzzy Hash: 02318E75A40258BBDB21DF99A885DDEBBFCEB95310F51416AF804D7211DB708E40CB90

Function 001EC27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 001EC306
DeleteMenu.USER32(?,00000007,00000000), ref: 001EC34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00251990,012D55B8), ref: 001EC395

Strings

0, xrefs: 001EC2DF

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: d8b3ace6ab02b752911e6303bbdc4360184d8e87cc8cdf1bcfeae155e7a9fccb
Instruction ID: 72b03ef7f217c0af21f01190c71253e9d7dd86e5fe4b1d387bcb7517bf134dbe
Opcode Fuzzy Hash: d8b3ace6ab02b752911e6303bbdc4360184d8e87cc8cdf1bcfeae155e7a9fccb
Instruction Fuzzy Hash: 8F418E312047819FD724DF26DC84B5EBBA8BF95310F14861DF9A5972D1D730A905CBA2

Function 00214416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0021CC08,00000000,?,?,?,?), ref: 002144AA
GetWindowLongW.USER32 ref: 002144C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 002144D7

Strings

SysTreeView32, xrefs: 0021447C

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 7bab549ca31426cdb9b42ab3037fd4df32f0468ad84c75a46d0785673e48df44
Instruction ID: be6bc8a449d756288d36116ecbf1ca94f8c8b9e43c8fe5478972c2bd10d9245b
Opcode Fuzzy Hash: 7bab549ca31426cdb9b42ab3037fd4df32f0468ad84c75a46d0785673e48df44
Instruction Fuzzy Hash: CA318F71220206AFDF20AE38DC45BDA77A9EB28334F244715F979921D0D770ECA09B50

Function 0020304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0020335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00203077,?,?), ref: 00203378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0020307A
_wcslen.LIBCMT ref: 0020309B
htons.WSOCK32(00000000,?,?,00000000), ref: 00203106

Strings

255.255.255.255, xrefs: 00203095, 0020309A

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: b69a29a53c44f1f36f160c867475ec470d4f03d9f4a88be88a8cc7f8aa4083c1
Instruction ID: c0cf71c2d219f9f17fc8c6faaa51751e197d99d3fdd4319c1aa9dc7f40ed107c
Opcode Fuzzy Hash: b69a29a53c44f1f36f160c867475ec470d4f03d9f4a88be88a8cc7f8aa4083c1
Instruction Fuzzy Hash: DE31C4392103069FCB10CF28C485EAAB7E9EF55318F258059E8158B3D3DB72DE55CB60

Function 00213EB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00213F40
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00213F54
SendMessageW.USER32(?,00001002,00000000,?), ref: 00213F78

Strings

SysMonthCal32, xrefs: 00213F0B

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 1bc2cd8fc5d9bd56c099f9cfb0cc50d50bb8c1155b115a7f122a974cf847e7a9
Instruction ID: 35fb4c5e8c18ed1cec0d5db5da1f8ff9231517e90ec5dfc424e2712e75808eab
Opcode Fuzzy Hash: 1bc2cd8fc5d9bd56c099f9cfb0cc50d50bb8c1155b115a7f122a974cf847e7a9
Instruction Fuzzy Hash: 4C21BF32610219BFDF25CF50DC46FEA3BBAEF58714F110214FA156B1D0D6B1A9A1CB90

Function 00214653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00214705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00214713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0021471A

Strings

msctls_updown32, xrefs: 00214684

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 5a3c707e1d7bd1c482e246b77e9d0bb2a86b20f590b7fe69f90f7e9db58cd27b
Instruction ID: 84d2107ec18b2bd02335d823b73239a89724156778ca5924e3bc877b75f51bd1
Opcode Fuzzy Hash: 5a3c707e1d7bd1c482e246b77e9d0bb2a86b20f590b7fe69f90f7e9db58cd27b
Instruction Fuzzy Hash: 262190B5610209AFDB10EF64ECC5DA737EDEF6A794B100049FA049B291CB70EC62CB60

Function 001E95AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 001E961D

Strings

#OnAutoItStartRegister, xrefs: 001E95F3
#notrayicon, xrefs: 001E95B7
#requireadmin, xrefs: 001E95D9

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: f5cf186f20385b78e608d8b3fa766905a677f205ca2e81241e723aa6ac5e87b1
Instruction ID: a4d6cb5c41738e87563e938f653d2a69fe1554131d2a0cf2cd4dbbb578ead35d
Opcode Fuzzy Hash: f5cf186f20385b78e608d8b3fa766905a677f205ca2e81241e723aa6ac5e87b1
Instruction Fuzzy Hash: F1215E7220499066D735BB269C02FBF73D89F7A314F204427F95997081EB51DE92C3D5

Function 002137B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00213840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00213850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00213876

Strings

Listbox, xrefs: 0021380F

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: f08762a705b1311a31681bea1093138c9d868d579d8bea67ab18899fd1358a18
Instruction ID: 48a3c5f3893a2a2421af07584003976477e59fa22d5e40b0d77b28982ccc50a2
Opcode Fuzzy Hash: f08762a705b1311a31681bea1093138c9d868d579d8bea67ab18899fd1358a18
Instruction Fuzzy Hash: 3D21A1726202197BEF11CF54DC45EEB77AFEF99750F118124F9049B190C6719CA28B90

Function 001F49F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 001F4A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 001F4A5C
SetErrorMode.KERNEL32(00000000,?,?,0021CC08), ref: 001F4AD0

Strings

%lu, xrefs: 001F4A6F

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 7313604977fba54232c760f119e415f40cc5e9c0e0cf8dff4442cccb7706432d
Instruction ID: d2c497112011af128272ca9faee7433d0b58b9defeb24d2d1d5d286cbf200395
Opcode Fuzzy Hash: 7313604977fba54232c760f119e415f40cc5e9c0e0cf8dff4442cccb7706432d
Instruction Fuzzy Hash: BB315175A40109AFDB10DF54C885EAA7BF8EF19308F1480A9F909DB252DB71EE45CBA1

Function 002141EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0021424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00214264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00214271

Strings

msctls_trackbar32, xrefs: 00214226

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 0ceb41d19220c56c3f2038c7dee8a53a543423bfad8ce0374126880057016f1a
Instruction ID: 290675b82310f680618d658efe9b66342022ac60e0f3f28bafe1386d68df0cf2
Opcode Fuzzy Hash: 0ceb41d19220c56c3f2038c7dee8a53a543423bfad8ce0374126880057016f1a
Instruction Fuzzy Hash: C6110631250249BEEF206F28CC06FEB3BECEFA5B54F110124FA59E2090D671DCA19B10

Function 001E2F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00186B57: _wcslen.LIBCMT ref: 00186B6A

Part of subcall function 001E2DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 001E2DC5
Part of subcall function 001E2DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 001E2DD6
Part of subcall function 001E2DA7: GetCurrentThreadId.KERNEL32 ref: 001E2DDD
Part of subcall function 001E2DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 001E2DE4

GetFocus.USER32 ref: 001E2F78

Part of subcall function 001E2DEE: GetParent.USER32(00000000), ref: 001E2DF9

GetClassNameW.USER32(?,?,00000100), ref: 001E2FC3
EnumChildWindows.USER32(?,001E303B), ref: 001E2FEB

Strings

%s%d, xrefs: 001E2FFF

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 00b2c105c0eea7b00d6fb326852287a2d0d07b28f9db24fb6a0eb32a1c39b1a7
Instruction ID: 7b1ac285dd331726b025e40e83eeb751da1e1155092d6d1ca86aa9e5b74cc12c
Opcode Fuzzy Hash: 00b2c105c0eea7b00d6fb326852287a2d0d07b28f9db24fb6a0eb32a1c39b1a7
Instruction Fuzzy Hash: 0211E1B57002456BCF047FB19C99EEE376EAFA4314F048075FA199B292DF309A498B60

Function 00215882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 002158C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 002158EE
DrawMenuBar.USER32(?), ref: 002158FD

Strings

0, xrefs: 0021588F

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: e32a3fcd4d83fdfd9707687a2604ab133871aa3d0c6e5ff20a70c2761f91ec7a
Instruction ID: 85fce72586280e7396a94891eaf95a43d9eced80a2e9f2f7c603a2116f3ab462
Opcode Fuzzy Hash: e32a3fcd4d83fdfd9707687a2604ab133871aa3d0c6e5ff20a70c2761f91ec7a
Instruction Fuzzy Hash: 61015B35510228EFDB219F11EC48BEEBBB9FF95360F208099E849D6151DB708A94DF61

Function 001E007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 894fbd5c5bc3062cc588a9cdda582494a851f29a57a6d636615b0c4c6dd57c1a
Instruction ID: 1d053d54434a5fac0721194ad27a6c7f4737158a4503581f01dd46c449ebdad4
Opcode Fuzzy Hash: 894fbd5c5bc3062cc588a9cdda582494a851f29a57a6d636615b0c4c6dd57c1a
Instruction Fuzzy Hash: 96C17C75A00646EFCB15CFA5C898EAEB7B5FF48304F218598E505EB251C771EE81CB90

Function 001B3E80 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 001B3F0B
__alldvrm.LIBCMT ref: 001B410C
__alldvrm.LIBCMT ref: 001B412E

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: 01debfdcff022bcbc395e04c03f8f505bf347096a663c8fb660ed1559d0294fd
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: DFA14472E002869FEB25DE18C891BFEBBE4EF66350F18816DE5959B282C3349981C751

Function 0020342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00203459
CoUninitialize.OLE32 ref: 00203463
VariantInit.OLEAUT32(?), ref: 0020346E
VariantClear.OLEAUT32(?), ref: 0020371B

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 3c8b445fca3789827396e1775ba12df6c3763ac12a8a4021d748ecd6f0ae03bd
Instruction ID: a31309442f83fa63791bff7a08dc24e63f17d3fff63dd843dd6e123e99ce780e
Opcode Fuzzy Hash: 3c8b445fca3789827396e1775ba12df6c3763ac12a8a4021d748ecd6f0ae03bd
Instruction Fuzzy Hash: 86A14C756147019FC700EF28C485A2ABBE9FF98714F148859F9899B3A2DB31EE01CF91

Function 001E0436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,0021FC08,?), ref: 001E05F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,0021FC08,?), ref: 001E0608
CLSIDFromProgID.OLE32(?,?,00000000,0021CC40,000000FF,?,00000000,00000800,00000000,?,0021FC08,?), ref: 001E062D
_memcmp.LIBVCRUNTIME ref: 001E064E

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 686d288262e1dbe27582bff14f0c3a8097dd1a6600d6fa8d59d7b13cece50e72
Instruction ID: 3b003adfd830b4aaf01b7fa977a69f979f09066c170d364344939474f6ef3f6b
Opcode Fuzzy Hash: 686d288262e1dbe27582bff14f0c3a8097dd1a6600d6fa8d59d7b13cece50e72
Instruction Fuzzy Hash: 04814975A00609EFCB05DF94C988EEEB7B9FF89315F204158E506AB250DB71AE46CF60

Function 0020A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0020A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 0020A6BA

Part of subcall function 00189CB3: _wcslen.LIBCMT ref: 00189CBD

Process32NextW.KERNEL32(00000000,?), ref: 0020A79C
CloseHandle.KERNEL32(00000000), ref: 0020A7AB

Part of subcall function 0019CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,001C3303,?), ref: 0019CE8A

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: d997d58c7fba04af52bf6408e632f9ef43f70cf244c53fa5adb34af7a6003d5f
Instruction ID: 09fbcee08b1a410ac47121f88b69997bb4c90d5556275d40729c4f2f48899f3b
Opcode Fuzzy Hash: d997d58c7fba04af52bf6408e632f9ef43f70cf244c53fa5adb34af7a6003d5f
Instruction Fuzzy Hash: 8B512D71508311AFD710EF24D886A6BBBE8FF99754F40891DF58997292EB30DA04CF92

Function 001C1391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 001C14C0

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 2da0a3d659b4cfda5586796b6c747cacddf69574ee4e2148415c7bfd8251e00a
Instruction ID: 8a5d46db44a1a387a5d35b03a1e6ccce4877815901ef7f927bdd4c53255f50f4
Opcode Fuzzy Hash: 2da0a3d659b4cfda5586796b6c747cacddf69574ee4e2148415c7bfd8251e00a
Instruction Fuzzy Hash: 2A413A35980500BBDB296BF99C46FBE3AA5EF73370F24466DF419D2293E734C8425261

Function 00216278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 002162E2
ScreenToClient.USER32(?,?), ref: 00216315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00216382

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 694ffa069282980bf93ec604c053672d6af283e0b919452dfcca9752ad0efcb2
Instruction ID: acb391de7722d22080a6fd281f1cf26cec0701177adc439b9baae35fa7a3c4ba
Opcode Fuzzy Hash: 694ffa069282980bf93ec604c053672d6af283e0b919452dfcca9752ad0efcb2
Instruction Fuzzy Hash: 5D513C74A1020AAFCB14DF54D888AEE7BF5EF65760F208199F82597290D770EDA1CB50

Function 00201AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00201AFD
WSAGetLastError.WSOCK32 ref: 00201B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00201B8A
WSAGetLastError.WSOCK32 ref: 00201B94

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: b440b2e3aaea06d23ccadae8bcd2f3fd37c01847a16828c2e9094102e0b33f39
Instruction ID: 94a12abc1d40389d3b3472177d108db5a6b530b7c3b4953587e08b3ad66ced5d
Opcode Fuzzy Hash: b440b2e3aaea06d23ccadae8bcd2f3fd37c01847a16828c2e9094102e0b33f39
Instruction Fuzzy Hash: D641B034640300AFE720AF24D88AF2977E5AB54718F548488FA1A9F7D3D772DD528B90

Function 001BB41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc9c65cdf04e54399cc17d791a19767e8132870c44c2a297e182f4e1279d4e6b
Instruction ID: 7d30fca46fd0aba15cab37c011c523381e55ecc2db23b315b116c6c3715c46c1
Opcode Fuzzy Hash: cc9c65cdf04e54399cc17d791a19767e8132870c44c2a297e182f4e1279d4e6b
Instruction Fuzzy Hash: E0412976A04704BFD724AF78CC81BEABBE9EB99710F10452EF142DB682D7B1D9018780

Function 001F56D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 001F5783
GetLastError.KERNEL32(?,00000000), ref: 001F57A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 001F57CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 001F57FA

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 9f3e478d2cbe2a830c138e64ee48706153cd51caf4ef88c34bdfa6e56d398adb
Instruction ID: 032c59a9c1405b641d07749a976302c9503f6abd3693a7e326b84ae7a0fd0e5a
Opcode Fuzzy Hash: 9f3e478d2cbe2a830c138e64ee48706153cd51caf4ef88c34bdfa6e56d398adb
Instruction Fuzzy Hash: EB410B39600A14DFCB11EF15D544A5EBBE2AF99720B19C488E95AAB362CB34FD40CF91

Function 001BD8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,001A6D71,00000000,00000000,001A82D9,?,001A82D9,?,00000001,001A6D71,8BE85006,00000001,001A82D9,001A82D9), ref: 001BD910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 001BD999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 001BD9AB
__freea.LIBCMT ref: 001BD9B4

Part of subcall function 001B3820: RtlAllocateHeap.NTDLL(00000000,?,00251444,?,0019FDF5,?,?,0018A976,00000010,00251440,001813FC,?,001813C6,?,00181129), ref: 001B3852

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 2082b86b6fd4bbe31c3ed69addad6742f5835b9cb045f8f32e1cdbabf73252a8
Instruction ID: d26abbc9556fab4853f4ef070e0ea287504da05dadc1e2cd46fc08a4adf433b0
Opcode Fuzzy Hash: 2082b86b6fd4bbe31c3ed69addad6742f5835b9cb045f8f32e1cdbabf73252a8
Instruction Fuzzy Hash: 8231BC72A0020AABDF299F64EC85EEE7BA5EB51314F154268FC04D7250EB35CD50CBA0

Function 002152C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00215352
GetWindowLongW.USER32(?,000000F0), ref: 00215375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00215382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 002153A8

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: 5dc527f7d41c2fcdcb12ed7fd5afa1f4704c7f66df0b1560332afbd01160cd97
Instruction ID: f4dc017a660a9eabb4314245abe4f0bc5aaa60acfa5a77cb1719cfdd847e7388
Opcode Fuzzy Hash: 5dc527f7d41c2fcdcb12ed7fd5afa1f4704c7f66df0b1560332afbd01160cd97
Instruction Fuzzy Hash: F331E634A75A29EFEB349E14DC05BE837E5ABA4390F5441C2FA20971E0C7F49DE0AB41

Function 001EAB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 001EABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 001EAC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 001EAC74
SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 001EACC6

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 08990334750f155c7aa153132e0678114322c0f31df561200bf505905c5d3b8e
Instruction ID: 46a57ea9fe70e17a4cb22611eaee0d95b61178f89adbc4a75615a64dd314ccee
Opcode Fuzzy Hash: 08990334750f155c7aa153132e0678114322c0f31df561200bf505905c5d3b8e
Instruction Fuzzy Hash: AE313930A40B986FEF34CB668C087FE7FA5AF95310FA8431AE485571D0C374A9858753

Function 00217674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0021769A
GetWindowRect.USER32(?,?), ref: 00217710
PtInRect.USER32(?,?,00218B89), ref: 00217720
MessageBeep.USER32(00000000), ref: 0021778C

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: a688231199140ed2fe0e116b56744ac411789ab147d0e7a15399aeef55658d93
Instruction ID: bccec3dd7a55615e5e0a0b19996620cd709ac552401c6a6dfdda0fcf26f6dfd1
Opcode Fuzzy Hash: a688231199140ed2fe0e116b56744ac411789ab147d0e7a15399aeef55658d93
Instruction Fuzzy Hash: E041AD38A15215DFCB01CF58D898EE9F7F5FBA9314F1480A8E4149B2A1C730E9A2CF90

Function 002116DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 002116EB

Part of subcall function 001E3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 001E3A57
Part of subcall function 001E3A3D: GetCurrentThreadId.KERNEL32 ref: 001E3A5E
Part of subcall function 001E3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,001E25B3), ref: 001E3A65

GetCaretPos.USER32(?), ref: 002116FF
ClientToScreen.USER32(00000000,?), ref: 0021174C
GetForegroundWindow.USER32 ref: 00211752

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 9ba6e7a204aa1e466b068d319960caf2daafc680796e97687e24b25540aa371a
Instruction ID: 40cc8c5bec253c7b443b7ca82b6fbba86019fb3cda1fb8028806b8b98e487909
Opcode Fuzzy Hash: 9ba6e7a204aa1e466b068d319960caf2daafc680796e97687e24b25540aa371a
Instruction Fuzzy Hash: CE315D75D00149AFDB00EFA9D8858EEBBF9EF58304B6080A9E515E7251DB319E45CFA0

Function 001EDF95 Relevance: 6.1, APIs: 4, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 00187620: _wcslen.LIBCMT ref: 00187625

_wcslen.LIBCMT ref: 001EDFCB
_wcslen.LIBCMT ref: 001EDFE2
_wcslen.LIBCMT ref: 001EE00D
GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 001EE018

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: _wcslen$ExtentPoint32Text
String ID:
API String ID: 3763101759-0
Opcode ID: 6990c455dbdd9fc1724df91e11009594fb7f6543ab9046d776c23cd8170bd731
Instruction ID: dc55476b6cbd4270fa3fdb826fbd11294e66ae1a9623a2d0dec2c5e4da456a1e
Opcode Fuzzy Hash: 6990c455dbdd9fc1724df91e11009594fb7f6543ab9046d776c23cd8170bd731
Instruction Fuzzy Hash: 7521B575900614EFCB10EFA8D981BAEB7F8EF9A750F244065F805BB241D7709E41CBA1

Function 00218FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00199BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00199BB2

GetCursorPos.USER32(?), ref: 00219001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,001D7711,?,?,?,?,?), ref: 00219016
GetCursorPos.USER32(?), ref: 0021905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,001D7711,?,?,?), ref: 00219094

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 2cd16b3d28ec5cb65d2c6778bb6028beaba0fcca20874b929a106e66e21367bd
Instruction ID: 590ba3ac0c2896055f0f6af5f63cf619b51938b9d30817503de00268c02f8203
Opcode Fuzzy Hash: 2cd16b3d28ec5cb65d2c6778bb6028beaba0fcca20874b929a106e66e21367bd
Instruction Fuzzy Hash: BD21AD35610118AFCB25CF94D868FEA3BF9EB99361F104069F90557261C7319DE0DB60

Function 001ED2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0021CB68), ref: 001ED2FB
GetLastError.KERNEL32 ref: 001ED30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 001ED319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0021CB68), ref: 001ED376

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 5aacce4636d98cefde58f0d8ec4136ff93b285a49d16060baac7c9d8d11de685
Instruction ID: 387e1d226f27c01456a2303197a163b5096ce188d3731ca852847c1b0f1350bd
Opcode Fuzzy Hash: 5aacce4636d98cefde58f0d8ec4136ff93b285a49d16060baac7c9d8d11de685
Instruction Fuzzy Hash: BA21D3B45086019F8300EF25E8814AEB7E4FF66724F244A1DF499C72E1DB30DA45CB93

Function 001E1571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 001E1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 001E102A
Part of subcall function 001E1014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 001E1036
Part of subcall function 001E1014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 001E1045
Part of subcall function 001E1014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 001E104C
Part of subcall function 001E1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 001E1062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 001E15BE
_memcmp.LIBVCRUNTIME ref: 001E15E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 001E1617
HeapFree.KERNEL32(00000000), ref: 001E161E

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 73fa9177ef6e517b00c65be157de24f33e6a57d80369d5e487addc03e4bae560
Instruction ID: 06a202e58f6918a7ce0fc5ccdd695f7ad0c8777fb1578c9c52a57d6d25ff19d7
Opcode Fuzzy Hash: 73fa9177ef6e517b00c65be157de24f33e6a57d80369d5e487addc03e4bae560
Instruction Fuzzy Hash: BE216631E40608BFDF00DFA6C949BEEB7F8EF59354F188459E445AB241E770AA05CBA0

Function 00212782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 0021280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00212824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00212832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00212840

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 63a64b8e0c15fd8b95815db690df31a76cd62ceb61b814501998da1397ff3ef1
Instruction ID: 62e0c7c66083a2862d9fe5a393047d521153742fc2cdf94afbd7a666b15c4a90
Opcode Fuzzy Hash: 63a64b8e0c15fd8b95815db690df31a76cd62ceb61b814501998da1397ff3ef1
Instruction Fuzzy Hash: 1C21F435214111EFD7149B24D844FEABB95EF65324F248158F4268B2D2CB71FCA6CBD0

Function 001E78F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 001E8D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,001E790A,?,000000FF,?,001E8754,00000000,?,0000001C,?,?), ref: 001E8D8C
Part of subcall function 001E8D7D: lstrcpyW.KERNEL32(00000000,?,?,001E790A,?,000000FF,?,001E8754,00000000,?,0000001C,?,?,00000000), ref: 001E8DB2
Part of subcall function 001E8D7D: lstrcmpiW.KERNEL32(00000000,?,001E790A,?,000000FF,?,001E8754,00000000,?,0000001C,?,?), ref: 001E8DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,001E8754,00000000,?,0000001C,?,?,00000000), ref: 001E7923
lstrcpyW.KERNEL32(00000000,?,?,001E8754,00000000,?,0000001C,?,?,00000000), ref: 001E7949
lstrcmpiW.KERNEL32(00000002,cdecl,?,001E8754,00000000,?,0000001C,?,?,00000000), ref: 001E7984

Strings

cdecl, xrefs: 001E797B

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 50448e4f318ee3fea68b6de8ad03592c9d1f0549fdded9e30561964b41a6c305
Instruction ID: abc14888a7653a265cb9170ef7841e54210e948523a639cac05271d6b908eed7
Opcode Fuzzy Hash: 50448e4f318ee3fea68b6de8ad03592c9d1f0549fdded9e30561964b41a6c305
Instruction Fuzzy Hash: 7411293A200782ABDF156F39DC44E7E77A5FF55364B10802AF806C72A5EF319811C751

Function 00217CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00217D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00217D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00217D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,001FB7AD,00000000), ref: 00217D6B

Part of subcall function 00199BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00199BB2

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: a63e152044db7900e0f34f2441963a07f904f5ca502b9886c4e420d33cbab11a
Instruction ID: fa893dbec992f4e07320cec8397752e03bb2dc4f8b564d961e9fe94ca61f74a2
Opcode Fuzzy Hash: a63e152044db7900e0f34f2441963a07f904f5ca502b9886c4e420d33cbab11a
Instruction Fuzzy Hash: 9E11A535525619AFCB109F28EC08AE63BF5AF95365B258724F835D71F0D73099B0CB90

Function 00215660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 002156BB
_wcslen.LIBCMT ref: 002156CD
_wcslen.LIBCMT ref: 002156D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00215816

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: 4e07f421c6b270f642d2b6c9d47aa1184fa63603c820d01bb431e4bcc33b7ed8
Instruction ID: 9a51a2c5a79aaf9606eb0d85ecfbbf262788eae534157a56fe3d7b7c1cb441ac
Opcode Fuzzy Hash: 4e07f421c6b270f642d2b6c9d47aa1184fa63603c820d01bb431e4bcc33b7ed8
Instruction Fuzzy Hash: 7811E435620629D6DB209F61CC85AEE77ECBFB5364B1040A6F905D6081EBB089E0CBA0

Function 001B1D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70aace948e19170e1555408b6438a07073847967c7d36e7b155d76b3f18244b2
Instruction ID: 5e4bf9ba61311efb7cf3b83ae31a06c844e6d31241dd2d9b49c974d9822f38d8
Opcode Fuzzy Hash: 70aace948e19170e1555408b6438a07073847967c7d36e7b155d76b3f18244b2
Instruction Fuzzy Hash: E001ADB220A65A7EF62126B8BCD8FE7661CDF517B8F720325F525A11D2DB708C004170

Function 001E1A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 001E1A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 001E1A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 001E1A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 001E1A8A

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: f4094be47c3d70794f89114a1e63e0801b2e17035f0088b64ee4e1604d0ff5c7
Instruction ID: 493a62f0a5ad621815a0e89f2ed47ecec3de3a78b8150363411968330f036f84
Opcode Fuzzy Hash: f4094be47c3d70794f89114a1e63e0801b2e17035f0088b64ee4e1604d0ff5c7
Instruction Fuzzy Hash: A811393AD01259FFEB10DBA5CD85FADBB79EB48750F2000A1EA01B7290D7716E50DB94

Function 001EE1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 001EE1FD
MessageBoxW.USER32(?,?,?,?), ref: 001EE230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 001EE246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 001EE24D

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 81bceb2948686ebaad94d0a7f4ae90f3c038237d5e3692d2bbce3869cbbe82e1
Instruction ID: 543ee8324e56b0fca3627876cd11075eb6922d7b6a66ad18c8a9d7439aa45981
Opcode Fuzzy Hash: 81bceb2948686ebaad94d0a7f4ae90f3c038237d5e3692d2bbce3869cbbe82e1
Instruction Fuzzy Hash: E811087A904255BBC7019FA8BC0DBDE7FAC9B45321F108255F925D3290D7B0890487A0

Function 001AD1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,001ACFF9,00000000,00000004,00000000), ref: 001AD218
GetLastError.KERNEL32 ref: 001AD224
__dosmaperr.LIBCMT ref: 001AD22B
ResumeThread.KERNEL32(00000000), ref: 001AD249

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: b92dba293b8eaa077ba71622408a661a2604d0e1ff9769ba536666b392cf2040
Instruction ID: bf94c438bef13abe1670563b577b27c3236d7e53a7caf7876b32560fe7200ef2
Opcode Fuzzy Hash: b92dba293b8eaa077ba71622408a661a2604d0e1ff9769ba536666b392cf2040
Instruction Fuzzy Hash: D201D67E4455047BC7116BA5EC09BAE7A69DF93330F20425AF926925D0DF70C905C6A0

Function 00219EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00199BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00199BB2

GetClientRect.USER32(?,?), ref: 00219F31
GetCursorPos.USER32(?), ref: 00219F3B
ScreenToClient.USER32(?,?), ref: 00219F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 00219F7A

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: fda9ffe16317e78268db530e6e8ff3014323c26655fe3709c67797f044c77874
Instruction ID: 37398e39fb48ba75b4d9435bc6e8b07079901e57347656900053a248f3a3e4f6
Opcode Fuzzy Hash: fda9ffe16317e78268db530e6e8ff3014323c26655fe3709c67797f044c77874
Instruction Fuzzy Hash: 9C11853691021ABBDB10DFA8D8999EE77B9FB55311F504461F802E3040C730BAE2CBA1

Function 0018600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0018604C
GetStockObject.GDI32(00000011), ref: 00186060
SendMessageW.USER32(00000000,00000030,00000000), ref: 0018606A

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 651830dda14b4daf496bfd8f5766a86872a2792cde72ee4c12a03d5a1c6d4bc1
Instruction ID: 0b43fe52e3d74a6b5d077544118ec868737b9e0ce67390828cf8dd36866b88f4
Opcode Fuzzy Hash: 651830dda14b4daf496bfd8f5766a86872a2792cde72ee4c12a03d5a1c6d4bc1
Instruction Fuzzy Hash: 9411AD72101508BFEF165FA49C48EEABB6DEF183A4F104205FA0452110CB36DD60DFA4

Function 001A3B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 001A3B56

Part of subcall function 001A3AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 001A3AD2
Part of subcall function 001A3AA3: ___AdjustPointer.LIBCMT ref: 001A3AED

_UnwindNestedFrames.LIBCMT ref: 001A3B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 001A3B7C
CallCatchBlock.LIBVCRUNTIME ref: 001A3BA4

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: cab9de5d83afc1d6b6022b67b0fb2fc8224a42260f2ecc0ec4951937660f6bcd
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: D7014C36100148BBDF125E95DC42EEB7F6EEF9A754F044014FE5896121C772E961EBA0

Function 001B3073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,001813C6,00000000,00000000,?,001B301A,001813C6,00000000,00000000,00000000,?,001B328B,00000006,FlsSetValue), ref: 001B30A5
GetLastError.KERNEL32(?,001B301A,001813C6,00000000,00000000,00000000,?,001B328B,00000006,FlsSetValue,00222290,FlsSetValue,00000000,00000364,?,001B2E46), ref: 001B30B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,001B301A,001813C6,00000000,00000000,00000000,?,001B328B,00000006,FlsSetValue,00222290,FlsSetValue,00000000), ref: 001B30BF

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: adc47acd30c47889a6f3304bfe401a745a8cc2731c539fa71def087377780fcd
Instruction ID: 479e3d75ed82c9e5a37c8f1957f27bd53424f93ff1d96105658ccca1b6b7b798
Opcode Fuzzy Hash: adc47acd30c47889a6f3304bfe401a745a8cc2731c539fa71def087377780fcd
Instruction Fuzzy Hash: 9E01F73A745332ABCB315B78BC489E77B98AF55B61B214620FD26E3140CF31D911C6E0

Function 001E7464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 001E747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 001E7497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 001E74AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 001E74CA

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: a493f59941fa36955b3f626c2c171d78485f2e4fadada581d57d4329890db852
Instruction ID: 3c4b45774a18fec1f9b4d53b00743bd947b942f7940dca7ce0f136c22abf95f0
Opcode Fuzzy Hash: a493f59941fa36955b3f626c2c171d78485f2e4fadada581d57d4329890db852
Instruction Fuzzy Hash: 75118EB5249754ABF7208F15EC0CB967BFCEB00B00F108569A616D61D1DB70E944DB60

Function 001EB0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,001EACD3,?,00008000), ref: 001EB0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,001EACD3,?,00008000), ref: 001EB0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,001EACD3,?,00008000), ref: 001EB0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,001EACD3,?,00008000), ref: 001EB126

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 104d9a11e3e75ab4bc0711d475fc09ed41f7c5cd6200330f8f09fe0247ae9838
Instruction ID: 8d76d555a57f27f14c289111c06fe79e8ff66403ab31271894ecd4dfd8f0a845
Opcode Fuzzy Hash: 104d9a11e3e75ab4bc0711d475fc09ed41f7c5cd6200330f8f09fe0247ae9838
Instruction Fuzzy Hash: 98117970C44A68E7CF04AFE6E9A86EFBB78FF19720F118096E941B2181CB3056509B51

Function 00217E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00217E33
ScreenToClient.USER32(?,?), ref: 00217E4B
ScreenToClient.USER32(?,?), ref: 00217E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00217E8A

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 7baaf6c1ee389eb40ada288292804d2c680cc2113585eab4f034dbee544315f7
Instruction ID: ac768b3739afd5a68cc281da45c8b2971aebc1a781a838be3d32f7179b5a6617
Opcode Fuzzy Hash: 7baaf6c1ee389eb40ada288292804d2c680cc2113585eab4f034dbee544315f7
Instruction Fuzzy Hash: EF1186B9D0024AAFDB41CF98D8849EEBBF9FF18310F108056E911E3210D734AA55CF90

Function 001E2DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 001E2DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 001E2DD6
GetCurrentThreadId.KERNEL32 ref: 001E2DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 001E2DE4

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: b13d52b0b6538fb104c50564d248678018292838083f976996f1a14f8f3bf774
Instruction ID: f1e9837e3b36c6253290564876bcf62e23192b4dd89c5dca685757a19ddcf84c
Opcode Fuzzy Hash: b13d52b0b6538fb104c50564d248678018292838083f976996f1a14f8f3bf774
Instruction Fuzzy Hash: 55E06D755816647AD7201BA3AC0DEEB3E6CFBA2BA1F104125F205D1080DEA08840C6B0

Function 00218863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00199639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00199693
Part of subcall function 00199639: SelectObject.GDI32(?,00000000), ref: 001996A2
Part of subcall function 00199639: BeginPath.GDI32(?), ref: 001996B9
Part of subcall function 00199639: SelectObject.GDI32(?,00000000), ref: 001996E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00218887
LineTo.GDI32(?,?,?), ref: 00218894
EndPath.GDI32(?), ref: 002188A4
StrokePath.GDI32(?), ref: 002188B2

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: dc1f47fe8bddcc6daeff8ddc39adffdade6562dd655d6b895819d0b2a41ca08b
Instruction ID: 9b618df6961a43dc3673bd74733e774c0de2bf1426d66989168ec6c63336d318
Opcode Fuzzy Hash: dc1f47fe8bddcc6daeff8ddc39adffdade6562dd655d6b895819d0b2a41ca08b
Instruction Fuzzy Hash: 01F05E3A081259FADB125F94BC0EFCE3F59AF2A311F248000FA11650E1CB755561CFE9

Function 001998B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 001998CC
SetTextColor.GDI32(?,?), ref: 001998D6
SetBkMode.GDI32(?,00000001), ref: 001998E9
GetStockObject.GDI32(00000005), ref: 001998F1

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 4b51e290ae98ad0799c85b93c172a3d2d1e9c8007663107a00f6171457e4004a
Instruction ID: 7ed24c1a4871f3da675df05be6a54f6cdc7d52b65093c2742951bd09c95f1084
Opcode Fuzzy Hash: 4b51e290ae98ad0799c85b93c172a3d2d1e9c8007663107a00f6171457e4004a
Instruction Fuzzy Hash: 08E065352C4240BADF215B74BC0DBE93F11AB21335F24C21AF6F9541E1C77146409F11

Function 001E162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 001E1634
OpenThreadToken.ADVAPI32(00000000,?,?,?,001E11D9), ref: 001E163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,001E11D9), ref: 001E1648
OpenProcessToken.ADVAPI32(00000000,?,?,?,001E11D9), ref: 001E164F

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 43f9706b65c444fccbdcebafca67e5ef4742d108aa3a3a33c1a5043d1de32413
Instruction ID: 703ae75c565b1787a5fa1d42ee03f9c05118eb06e13767f22999f5d93bcd3b3e
Opcode Fuzzy Hash: 43f9706b65c444fccbdcebafca67e5ef4742d108aa3a3a33c1a5043d1de32413
Instruction Fuzzy Hash: 3DE08639641211EBD7201FA1BD0DBCB3B7CBF68791F24C808F645C9080DB744540C750

Function 001DD858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 001DD858
GetDC.USER32(00000000), ref: 001DD862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 001DD882
ReleaseDC.USER32(?), ref: 001DD8A3

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 31cab3f434ec0b4be761b805700291260dda0451a879e13bc2d9622758d21a73
Instruction ID: b8a312a6080d78b14d389e47153c7a06adf626b62204f81b82cb71b1d31e5b3d
Opcode Fuzzy Hash: 31cab3f434ec0b4be761b805700291260dda0451a879e13bc2d9622758d21a73
Instruction Fuzzy Hash: 16E01278840204DFCF419FA0E80C6ADBBB5FB58310F25D005F91AE7250CB354501AF50

Function 001DD86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 001DD86C
GetDC.USER32(00000000), ref: 001DD876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 001DD882
ReleaseDC.USER32(?), ref: 001DD8A3

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: bf0c02a54abc171166626527477988940231deca18f47bb3870928ac0c4aa594
Instruction ID: 571d00ce62ddcd12e5311af759e3f99a48c28f7c8c662866f463052b3798d0b1
Opcode Fuzzy Hash: bf0c02a54abc171166626527477988940231deca18f47bb3870928ac0c4aa594
Instruction Fuzzy Hash: 7BE09A79C40204DFCF51AFA4E80C6AEBBB5BB68311B249449F95AE7250CB395A019F50

Function 001F4D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00187620: _wcslen.LIBCMT ref: 00187625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 001F4ED4

Strings

LPT, xrefs: 001F4DFB
*, xrefs: 001F4E10

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 63126c555c56cd3a579ccd30d684d91d2dbe1a4fbbe2225192c3410a729580ed
Instruction ID: 3ac04f17d7d6a8885c593f9069bcc4f1f722d55b5c8a29cfe684c674fab075c7
Opcode Fuzzy Hash: 63126c555c56cd3a579ccd30d684d91d2dbe1a4fbbe2225192c3410a729580ed
Instruction Fuzzy Hash: 9E918175A002089FCB14DF58C484EBABBF1BF45314F198099E94A9F3A2D735EE85CB90

Function 001AE27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 001AE30D

Strings

pow, xrefs: 001AE2E5, 001AE302

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 5bba3afa8d6bae5f196ecb6e131831e846819b19db7f98d5c19c58d36eaf0a91
Instruction ID: 117a93bece759ce18eaa06f84512300665341315e312d3dd1e7d9efb5174d019
Opcode Fuzzy Hash: 5bba3afa8d6bae5f196ecb6e131831e846819b19db7f98d5c19c58d36eaf0a91
Instruction Fuzzy Hash: 93518E65A0C202A6CF257764DD053F93BE8FF91780F308D99F0D6822E9EB35CC959A46

Function 00207771 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(001D569E,00000000,?,0021CC08,?,00000000,00000000), ref: 002078DD

Part of subcall function 00186B57: _wcslen.LIBCMT ref: 00186B6A

CharUpperBuffW.USER32(001D569E,00000000,?,0021CC08,00000000,?,00000000,00000000), ref: 0020783B

Strings

<s$, xrefs: 002077C8

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: BuffCharUpper$_wcslen
String ID: <s$
API String ID: 3544283678-3928034050
Opcode ID: a8088c30524aa7931da841855b4ce87cc3b22f11c00229e9faa81e249ae78d00
Instruction ID: 5575dc7c90b20635a6e86a3f654b5f52395ea98d4d34d2b4a828e7e055d98f98
Opcode Fuzzy Hash: a8088c30524aa7931da841855b4ce87cc3b22f11c00229e9faa81e249ae78d00
Instruction Fuzzy Hash: 50613A76924219ABCF04FBA4CC91DFDB378BF28700B544129E542A7092EF64AA15DBA0

Function 0019E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 0019E1B1

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 9cf4b09956c092b60c4d76233025f0d947eaf2a38432cb6a7b5d2460e7904d28
Instruction ID: f568d011f7208c93c890b5f41389180025b1c71475faec358f2bf16647449f5e
Opcode Fuzzy Hash: 9cf4b09956c092b60c4d76233025f0d947eaf2a38432cb6a7b5d2460e7904d28
Instruction Fuzzy Hash: A651F075904246DFDF19EF68C481AFA7BE8EF65311F24405AE8919F2D0DB349E42CBA0

Function 0019F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0019F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 0019F2BB

Strings

@, xrefs: 0019F2AF

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 2d7c778334f64aa97c44cca117e52220ce0fd62803d5e0a056703761f108c10e
Instruction ID: 3fbb31d181fbd23dd27576c483b759f8b4e43092116dc3d58e0166b818d8b8a8
Opcode Fuzzy Hash: 2d7c778334f64aa97c44cca117e52220ce0fd62803d5e0a056703761f108c10e
Instruction Fuzzy Hash: 425147714087449BE320AF14EC86BAFBBF8FF95304F91885DF2D951195EB308629CB66

Function 00205745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 002057E0
_wcslen.LIBCMT ref: 002057EC

Strings

CALLARGARRAY, xrefs: 002057E6, 002057EB

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: fadecd5a82cd123b03f6ff56b231a2a3dade20204f5a2b1389f18ef1c6cd3eee
Instruction ID: 67a03ae9e8d7d7e13279e0d57e79fd38698668da142f58830eea5acf3eda0ba7
Opcode Fuzzy Hash: fadecd5a82cd123b03f6ff56b231a2a3dade20204f5a2b1389f18ef1c6cd3eee
Instruction Fuzzy Hash: CC419031A1061A9FCB04DFA9C8858BEBBB5FF69310F148069E905A7292E7709D91CF90

Function 001FD0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 001FD130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 001FD13A

Strings

|, xrefs: 001FD10B

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: a03060fff5f825c36132c059a4b4283b3b84dac02c5bf49e2642a0c857b85927
Instruction ID: c57c5c1d97b99b27d4b3beb40fef9a9ee58dc1668c2ff28590fb2d546eca1d31
Opcode Fuzzy Hash: a03060fff5f825c36132c059a4b4283b3b84dac02c5bf49e2642a0c857b85927
Instruction Fuzzy Hash: A7312C75D00209ABCF15EFA4DC85AEEBFBAFF19300F100059F915A6162DB31AA16DF60

Function 0021356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00213621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0021365C

Strings

static, xrefs: 002135BC

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: b7c097dd11118e1de60723658dcad1e2d5b9fb6c69ca0fc64d74879fabf1c44f
Instruction ID: beed33ef54d9d4b0cf9e4b578c3eea0715e8dbb5e167efc7b4c96addedf67ac4
Opcode Fuzzy Hash: b7c097dd11118e1de60723658dcad1e2d5b9fb6c69ca0fc64d74879fabf1c44f
Instruction Fuzzy Hash: CC318071110205AADB10DF28DC80AFB73EEFFA8764F108619F96597180DB30ADA1CB64

Function 00214537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 0021461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00214634

Strings

', xrefs: 0021458E

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 5b2ad80ae7dcc3ac8636eb659d0d446bd4daf0a1f971fb74845067db97b9dd65
Instruction ID: 03f79103a95c7f13b49d1b56e65703ba96e716dd5de180600ad1f98afb7ab595
Opcode Fuzzy Hash: 5b2ad80ae7dcc3ac8636eb659d0d446bd4daf0a1f971fb74845067db97b9dd65
Instruction Fuzzy Hash: 87314974A0030AAFDB14DF69C980BDA7BFAFF29300F54406AE908AB341D770A951CF90

Function 002131EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0021327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00213287

Strings

Combobox, xrefs: 00213249

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 0e9cc93ab56e8944c0937db14d8f94670ffabfcd6d87fa33fd9c0b9744014f9d
Instruction ID: efaabf2121d266270f4f2627cc7e08b30ea0ebbe9974075fa40310fdcafc242d
Opcode Fuzzy Hash: 0e9cc93ab56e8944c0937db14d8f94670ffabfcd6d87fa33fd9c0b9744014f9d
Instruction Fuzzy Hash: 4A1182713202097FFF25EE54DC85EFB37ABEBA8364F104125F91897290D6719DA18B60

Function 00213710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0018600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0018604C
Part of subcall function 0018600E: GetStockObject.GDI32(00000011), ref: 00186060
Part of subcall function 0018600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0018606A

GetWindowRect.USER32(00000000,?), ref: 0021377A
GetSysColor.USER32(00000012), ref: 00213794

Strings

static, xrefs: 00213757

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: d89ce050cd387b607e15e6660d21e8ef43946827e4b055d62b0225716877ec3f
Instruction ID: d1307b332fddd44192a071df9a073958a4943e3d6f42b57e2677a48a7ea39b27
Opcode Fuzzy Hash: d89ce050cd387b607e15e6660d21e8ef43946827e4b055d62b0225716877ec3f
Instruction Fuzzy Hash: 77116AB262020AAFDF11DFA8CC49EEA7BF9FB18314F104514F955E2250D734E9619B50

Function 001FCD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 001FCD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 001FCDA6

Strings

<local>, xrefs: 001FCD66

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: a7177ca8c53e785f7c9afac563cbe31f186c043e5f4ec396a4b162e9b88cb2d8
Instruction ID: ed50aeb23afd505cff7b1eab9c0e02b624120a172022ec4fc702a57b20433750
Opcode Fuzzy Hash: a7177ca8c53e785f7c9afac563cbe31f186c043e5f4ec396a4b162e9b88cb2d8
Instruction Fuzzy Hash: 1111CA7564563D79D7384BA68C49FFBBE5CEF127A4F104225B20983080D7705841E6F0

Function 00213429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 002134AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 002134BA

Strings

edit, xrefs: 0021348F

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 7be12363f0030d5cff690756ae5e8bc3ce6f5020947517a83e7950a31199ee2f
Instruction ID: 122bf57dfd80b90fdcceefc6ef6bbd03c09cdd13ceeee6852415dee344026806
Opcode Fuzzy Hash: 7be12363f0030d5cff690756ae5e8bc3ce6f5020947517a83e7950a31199ee2f
Instruction Fuzzy Hash: 1F118F71120209AFEB219E64EC44AFB37ABEB25374F604324F965931D0C771DDA19B54

Function 001E6C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00189CB3: _wcslen.LIBCMT ref: 00189CBD

CharUpperBuffW.USER32(?,?,?), ref: 001E6CB6
_wcslen.LIBCMT ref: 001E6CC2

Strings

STOP, xrefs: 001E6CBC, 001E6CC1

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 3cef5ec0a1bdd8b46ac681e2fb513c9ad3ba7cc522364b65f152bf4a2cb51cfe
Instruction ID: 3f2b8da5efa3da4ebba664c69fab3e084acc30c6dbdf959e6b81394fccb0fa8e
Opcode Fuzzy Hash: 3cef5ec0a1bdd8b46ac681e2fb513c9ad3ba7cc522364b65f152bf4a2cb51cfe
Instruction Fuzzy Hash: 5C01C4326109A68BCB20AFFEDC909BF77A5FB717907E10529E89297191EB31D940C750

Function 001E1CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00189CB3: _wcslen.LIBCMT ref: 00189CBD

Part of subcall function 001E3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 001E3CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 001E1D4C

Strings

ListBox, xrefs: 001E1D16
ComboBox, xrefs: 001E1CEB

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 6bf869ed2c384afbca3066d064af7afb38990df68f8776ee671fcf3b5e32f411
Instruction ID: e76176968ff3282a23f127368de1fadbe9001d6bdb7e41872e15e16392f73ea2
Opcode Fuzzy Hash: 6bf869ed2c384afbca3066d064af7afb38990df68f8776ee671fcf3b5e32f411
Instruction Fuzzy Hash: 8B01B575641658ABCB08FBA5CC598FE73A8FB66350B14091AB872672C1EB3159088B60

Function 001E1BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00189CB3: _wcslen.LIBCMT ref: 00189CBD

Part of subcall function 001E3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 001E3CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 001E1C46

Strings

ListBox, xrefs: 001E1C10
ComboBox, xrefs: 001E1BE5

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: de106258ebe5c59c0864b93e90e84fa3669a9d6e165ff4a968e5791240877d58
Instruction ID: 9364dbeaa91b819245975e69456bbbab4c133cac29b61f5d384457a47fa55aa6
Opcode Fuzzy Hash: de106258ebe5c59c0864b93e90e84fa3669a9d6e165ff4a968e5791240877d58
Instruction Fuzzy Hash: AB01A7757815487BCB08FB91D9559FF77A89F22340F240019B416B7282EB319F189BB1

Function 001E1C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00189CB3: _wcslen.LIBCMT ref: 00189CBD

Part of subcall function 001E3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 001E3CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 001E1CC8

Strings

ListBox, xrefs: 001E1C94
ComboBox, xrefs: 001E1C69

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 4ebec9d5d63e3ff142424679dba9fb78871ab0a420f60391088b0cbcd5645a01
Instruction ID: bd74d4d0974b0d11269f6ef7ab4f83b6bdaefae2bfb129b63e93917e9bdbc3f6
Opcode Fuzzy Hash: 4ebec9d5d63e3ff142424679dba9fb78871ab0a420f60391088b0cbcd5645a01
Instruction Fuzzy Hash: B401D67568155877CB08FBA1CA05AFE73AC9B22340F680015B812B7282EB319F18DB71

Function 001E1D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00189CB3: _wcslen.LIBCMT ref: 00189CBD

Part of subcall function 001E3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 001E3CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 001E1DD3

Strings

ListBox, xrefs: 001E1DA0
ComboBox, xrefs: 001E1D75

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 4033818a2dae47811a85b4fb328ac295eb181cd29b1cbec0826303aff39f20b8
Instruction ID: 79c6caa65e6f85117b3483dd8aa18f61d946d9b1be6d56fdab7bbc14c89a6ba7
Opcode Fuzzy Hash: 4033818a2dae47811a85b4fb328ac295eb181cd29b1cbec0826303aff39f20b8
Instruction Fuzzy Hash: 76F0F471A4161877CB08F7E5CC5AAFE736CBB22340F580915B822672C2EB719A088760

Function 00218172 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00253018,0025305C), ref: 002181BF
CloseHandle.KERNEL32 ref: 002181D1

Strings

\0%, xrefs: 0021818A

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: \0%
API String ID: 3712363035-245754994
Opcode ID: 2e33d2152d152e6883c23f9b48c7d46a8b83cf0151e870ef05527e3976c7fbb8
Instruction ID: 979529f3ee274ad5b7675172cfb1f5be331c51682be7bb2362696d3db0a35830
Opcode Fuzzy Hash: 2e33d2152d152e6883c23f9b48c7d46a8b83cf0151e870ef05527e3976c7fbb8
Instruction Fuzzy Hash: 46F05EB6650300BAE720AB65BC49FB73A5CEB197A2F005460FB08D51E2D6768E1482FC

Function 0020747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00207493
_wcslen.LIBCMT ref: 002074B9

Strings

3, 3, 16, 1, xrefs: 00207483

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: c4b1202cba776ed1d2131395a1bd55ac3ade88fbf62b943f2222a801cfa17936
Instruction ID: 8efe590b71e3e839715ddf10ff0b0365761797353908a758741696d31a9461df
Opcode Fuzzy Hash: c4b1202cba776ed1d2131395a1bd55ac3ade88fbf62b943f2222a801cfa17936
Instruction Fuzzy Hash: 7EE02B0AA2436111D3311A799CC197F96ADDFDA750710182BF981C22A7EBD49DB193A0

Function 001E0B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 001E0B23

Strings

AutoIt, xrefs: 001E0B17
Error allocating memory., xrefs: 001E0B1C

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: c74ef873f4e0d04609b153fe6231b3651c0e8ba1e34342258b7537608eba3091
Instruction ID: 25097994f18ce62e2512420bf80f3ee03dcfb502b9f01b394ae05490114e360e
Opcode Fuzzy Hash: c74ef873f4e0d04609b153fe6231b3651c0e8ba1e34342258b7537608eba3091
Instruction Fuzzy Hash: C7E0D83528431837D21437947C03FC97AC49F26F20F20042AF788954C38BD224A006E9

Function 001A0D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0019F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,001A0D71,?,?,?,0018100A), ref: 0019F7CE

IsDebuggerPresent.KERNEL32(?,?,?,0018100A), ref: 001A0D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0018100A), ref: 001A0D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 001A0D7F

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 2bf75f20d9c7e9109b051145c5be69d05b8a64e8f52b65f6854ad0dcc69c23fd
Instruction ID: 13236b64df556c197fd6eee0de881b25f3b3090e3ff3f2fdbf3b7898d515b6d6
Opcode Fuzzy Hash: 2bf75f20d9c7e9109b051145c5be69d05b8a64e8f52b65f6854ad0dcc69c23fd
Instruction Fuzzy Hash: 56E092782007018BD3719FF8E5083827BE0AF29780F00896DE896C6751DBF4E4888B91

Function 0019E398 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0019E3D5

Strings

8%%, xrefs: 0019E3CA
0%%, xrefs: 0019E3B5

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: 0%%$8%%
API String ID: 1385522511-3448817212
Opcode ID: 1a64c023a978ec8075bd2ac067a42d9211d40583e6d1f4efee73f145acc76fdf
Instruction ID: fe2e9fe55c2f5ba70678d855d8265024ed3195dde859e50f41574f4a3f4627c9
Opcode Fuzzy Hash: 1a64c023a978ec8075bd2ac067a42d9211d40583e6d1f4efee73f145acc76fdf
Instruction Fuzzy Hash: E5E08635434B10CBCE0DDF18FA59A983395FB3B321B911169E5128B1D1BB316989865D

Function 001F3017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 001F302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 001F3044

Strings

aut, xrefs: 001F3038

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 792370455209c0a8a7126c13ae87da06919120097a649cd0b2312782618fc97b
Instruction ID: cb9444f3c8ec030962250fec8ce7f11ca8a948da5447588fe088bb4d067c6162
Opcode Fuzzy Hash: 792370455209c0a8a7126c13ae87da06919120097a649cd0b2312782618fc97b
Instruction Fuzzy Hash: F9D05EB654032867DA20A7A4AC0EFCB3A6CDB05750F0002A1BA55E2091DEF09984CAD0

Function 001DD21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 001DD220

Strings

%.3d, xrefs: 001DD22B
X64, xrefs: 001DD2A8

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 0b88279c70fc5a1e3d2c46249215503bc18c46fc10cc663af2eb6b608330e302
Instruction ID: 3bbee54275e67ac1b4babf491bc15a6b9d89377e663a576b7bba5f635c2ebbd1
Opcode Fuzzy Hash: 0b88279c70fc5a1e3d2c46249215503bc18c46fc10cc663af2eb6b608330e302
Instruction Fuzzy Hash: D3D012A5848108FACF589AD0EC498FAB37CAB28341F618453FC06D1140D734C5096761

Function 00212322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0021232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0021233F

Part of subcall function 001EE97B: Sleep.KERNEL32 ref: 001EE9F3

Strings

Shell_TrayWnd, xrefs: 00212325

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 15a195ebc6957936d2533bdfd8c7ae9d7bfecaa6acae0c8e5850965955037c45
Instruction ID: baeef4556fdad8d20d9829f3c1d9263330f569e72fe46ed5167cec1c85200c23
Opcode Fuzzy Hash: 15a195ebc6957936d2533bdfd8c7ae9d7bfecaa6acae0c8e5850965955037c45
Instruction Fuzzy Hash: C4D0223A3D0340BBE26CB770EC0FFCABA489B20B00F2089027305AA0D0CDF0A800CB00

Function 00212356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0021236C
PostMessageW.USER32(00000000), ref: 00212373

Part of subcall function 001EE97B: Sleep.KERNEL32 ref: 001EE9F3

Strings

Shell_TrayWnd, xrefs: 00212365

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 3938f8d426ef5182c1f4e9b5bc5398f37347c7777902e5c3a5b878563d7880c2
Instruction ID: 2d2eb0fa7ced52cbce2d3f792fed6549575747efd896568ea69a908aae3165e8
Opcode Fuzzy Hash: 3938f8d426ef5182c1f4e9b5bc5398f37347c7777902e5c3a5b878563d7880c2
Instruction Fuzzy Hash: 38D0A9363C03407AE268A770EC0FFCAA6489B21B00F2089027201AA0D0C9E0A800CA04

Function 001BBDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 001BBE93
GetLastError.KERNEL32 ref: 001BBEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 001BBEFC

Memory Dump Source

Source File: 00000000.00000002.1816733589.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1816711693.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816807099.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816867638.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816895525.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: abd66eea018a010de5e1ac0d7307f2214d006ab59a73bf3d3f6ed7beb99b076c
Instruction ID: 063f2ea4e20864fb2fb06cdc1cc3cace8c74951699cba08f9759766b45c24ee4
Opcode Fuzzy Hash: abd66eea018a010de5e1ac0d7307f2214d006ab59a73bf3d3f6ed7beb99b076c
Instruction Fuzzy Hash: 3541F734608206AFCF258FA5CCC4AFA7BA5EF52310F25416DF959975A1DBB0CD01CB60

Source: Joe Sandbox View	IP Address: 34.149.100.209 34.149.100.209
Source: Joe Sandbox View	IP Address: 151.101.129.91 151.101.129.91
Source: Joe Sandbox View	IP Address: 34.117.188.166 34.117.188.166
Source: Joe Sandbox View	IP Address: 34.160.144.191 34.160.144.191

Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache

Source: firefox.exe, 0000000D.00000003.1915759808.0000027156B79000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1908314700.0000027156B78000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1915759808.0000027156B79000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1908314700.0000027156B78000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1951731033.0000027155CCC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1988167179.0000027155CCC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1982071594.000002715F4B3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1974609414.000002715F4B3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1937953789.000002715C8EF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1837975481.000002715C457000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1938431488.000002715C457000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1937953789.000002715C8EF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1837975481.000002715C457000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1938431488.000002715C457000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1951731033.0000027155CCC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1988167179.0000027155CCC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1988800786.0000027155AC4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1982071594.000002715F4B3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1974609414.000002715F4B3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1981065685.0000027156496000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://vk.com/,https://www.youtube.com/,https://ok.ru/,https://www.avito.ru/,https://www.aliexpress.com/,https://www.wikipedia.org/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1937953789.000002715C8EF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1837975481.000002715C457000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1938431488.000002715C457000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1937953789.000002715C8EF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1837975481.000002715C457000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1938431488.000002715C457000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1981065685.0000027156496000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1981065685.0000027156496000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1981065685.0000027156496000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1981065685.0000027156496000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000D.00000003.1981065685.0000027156496000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1981065685.0000027156496000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1981065685.0000027156496000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1981065685.0000027156496000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1981065685.0000027156496000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1981065685.0000027156496000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1981065685.0000027156496000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000D.00000003.1981065685.0000027156496000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1981065685.0000027156496000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1981065685.0000027156496000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000D.00000003.1981065685.0000027156496000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1981065685.0000027156496000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1981065685.0000027156496000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000D.00000003.1981065685.0000027156496000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1981065685.0000027156496000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3015133409.000001F082C03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.3014524913.000002768870C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1981065685.0000027156496000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3015133409.000001F082C03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.3014524913.000002768870C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000D.00000003.1981065685.0000027156496000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3015133409.000001F082C03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.3014524913.000002768870C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1915759808.0000027156B79000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1908314700.0000027156B78000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: moz-extension://a581a2f1-688c-434b-8db8-16166b1993d9/injections/js/bug1842437-www.youtube.com-performance-now-precision.js equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1968654416.000002715EA47000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1950073171.0000027156715000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1987137030.000002715671A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1950073171.0000027156715000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1987137030.000002715671A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2001208227.000002715671B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1968654416.000002715EA47000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1936164468.000002715EA47000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com- equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1952081424.0000027155ADE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: x://www.facebook.com/platform/impression.php equals www.facebook.com (Facebook)

Source: global traffic	DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic	DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic	DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: example.org
Source: global traffic	DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic	DNS traffic detected: DNS query: support.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: us-west1.prod.sumo.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: shavar.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: push.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: telemetry-incoming.r53-2.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: firefox.settings.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.remote-settings.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.facebook.com
Source: global traffic	DNS traffic detected: DNS query: www.wikipedia.org
Source: global traffic	DNS traffic detected: DNS query: star-mini.c10r.facebook.com
Source: global traffic	DNS traffic detected: DNS query: youtube-ui.l.google.com
Source: global traffic	DNS traffic detected: DNS query: dyna.wikimedia.org
Source: global traffic	DNS traffic detected: DNS query: www.reddit.com
Source: global traffic	DNS traffic detected: DNS query: twitter.com
Source: global traffic	DNS traffic detected: DNS query: reddit.map.fastly.net
Source: global traffic	DNS traffic detected: DNS query: services.addons.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: normandy.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: normandy-cdn.services.mozilla.com

Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.4:49750 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49764 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49771 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49770 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49775 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.129.91:443 -> 192.168.2.4:49777 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.4:49776 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49780 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49781 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49782 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.4:49783 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49865 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49863 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49864 version: TLS 1.2

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 49865 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49865
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49864
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49863
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49818
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 49863 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50038 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50038
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 49864 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49818 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_ba87280e-40a1-4d94-8670-38d6a937a716.json (copy)

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_ba87280e-40a1-4d94-8670-38d6a937a716.json.tmp

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

C:\Users\user\AppData\Local\Temp\tmpaddon

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite-shm

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Windows Analysis Report
file.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre