Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1544951
MD5:	2b3523adfede40fcc0910d8d35a35cf0
SHA1:	2f173e05e9be665277f1aca6f90a9201bdc74e0d
SHA256:	8c97e550f34d883773a706c101849f2e9e2c2fe09f502bac023673eb03ffe098
Tags:	exeuser-Bitsight
Infos:

Detection

Credential Flusher

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Credential Flusher

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Connects to many different domains

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

file.exe (PID: 6288 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 2B3523ADFEDE40FCC0910D8D35A35CF0)

taskkill.exe (PID: 6340 cmdline: taskkill /F /IM firefox.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 6360 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 6616 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 6648 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 6840 cmdline: taskkill /F /IM msedge.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 6868 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7008 cmdline: taskkill /F /IM opera.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7016 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 5756 cmdline: taskkill /F /IM brave.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 2284 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

firefox.exe (PID: 600 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7140 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 5080 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 6964 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2308 -parentBuildID 20230927232528 -prefsHandle 2224 -prefMapHandle 2216 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {91e90625-3af1-419d-b329-d47348c99b65} 5080 "\\.\pipe\gecko-crash-server-pipe.5080" 204cee70110 socket MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7452 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4092 -parentBuildID 20230927232528 -prefsHandle 4196 -prefMapHandle 4192 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fe80c1c2-3d88-4182-86bc-9713acac0c0a} 5080 "\\.\pipe\gecko-crash-server-pipe.5080" 204deae0510 rdd MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7140 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5032 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5012 -prefMapHandle 4912 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {abcfe1b7-5ad9-4851-a943-b22c8fa72fb9} 5080 "\\.\pipe\gecko-crash-server-pipe.5080" 204e772f910 utility MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: file.exe PID: 6288	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security

Code function: 0_2_0087EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_0087EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0087ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_0087ED6A

Source: C:\Users\user\Desktop\file.exe

0_2_0087EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0086AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_0086AA57

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00899576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00899576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000000.1737339872.00000000008C2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_9abce481-8
Source: file.exe, 00000000.00000000.1737339872.00000000008C2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_0ebd2f9c-6
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_e9361c68-0
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_3912df4a-d

Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_0000017C4741A6B7 NtQuerySystemInformation,		16_2_0000017C4741A6B7
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_0000017C4743AAF2 NtQuerySystemInformation,		16_2_0000017C4743AAF2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0086D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_0086D5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00861201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00861201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0086E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_0086E8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00872046	0_2_00872046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00808060	0_2_00808060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00868298	0_2_00868298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0083E4FF	0_2_0083E4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0083676B	0_2_0083676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00894873	0_2_00894873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0082CAA0	0_2_0082CAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0080CAF0	0_2_0080CAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0081CC39	0_2_0081CC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00836DD9	0_2_00836DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008091C0	0_2_008091C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0081B119	0_2_0081B119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00821394	0_2_00821394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00821706	0_2_00821706
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0082781B	0_2_0082781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008219B0	0_2_008219B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00807920	0_2_00807920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0081997D	0_2_0081997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00827A4A	0_2_00827A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00827CA7	0_2_00827CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00821C77	0_2_00821C77
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00839EEE	0_2_00839EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0088BE44	0_2_0088BE44
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00821F32	0_2_00821F32
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_0000017C4741A6B7	16_2_0000017C4741A6B7
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_0000017C4743AAF2	16_2_0000017C4743AAF2
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_0000017C4743B21C	16_2_0000017C4743B21C
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_0000017C4743AB32	16_2_0000017C4743AB32

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 0081F9F2 appears 31 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00820A30 appears 46 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal72.troj.evad.winEXE@33/36@68/12

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008737B5 GetLastError,FormatMessageW,

0_2_008737B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008610BF AdjustTokenPrivileges,CloseHandle,		0_2_008610BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008616C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_008616C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008751CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_008751CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0086D4DC CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0086D4DC

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0087648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0087648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008042A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_008042A2

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Mozilla\Firefox\SkeletonUILock-c388d246

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6648:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7016:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6868:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2284:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6360:120:WilError_03

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Temp\firefox

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: firefox.exe, 0000000D.00000003.1940923298.00000204EADE1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1961344454.00000204EADE1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE timestamp BETWEEN date(:dateFrom) AND date(:dateTo);
Source: firefox.exe, 0000000D.00000003.1940923298.00000204EADE1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1961344454.00000204EADE1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE events (id INTEGER PRIMARY KEY, type INTEGER NOT NULL, count INTEGER NOT NULL, timestamp DATE );
Source: firefox.exe, 0000000D.00000003.1940923298.00000204EADE1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1961344454.00000204EADE1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: INSERT INTO events (type, count, timestamp) VALUES (:type, 1, date(:date));
Source: firefox.exe, 0000000D.00000003.1940923298.00000204EADE1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1961344454.00000204EADE1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;
Source: firefox.exe, 0000000D.00000003.1940923298.00000204EADE1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1961344454.00000204EADE1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;Fy6
Source: firefox.exe, 0000000D.00000003.1940923298.00000204EADE1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1961344454.00000204EADE1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: UPDATE events SET count = count + 1 WHERE id = :id;-
Source: firefox.exe, 0000000D.00000003.1940923298.00000204EADE1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1961344454.00000204EADE1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9'
Source: firefox.exe, 0000000D.00000003.1940923298.00000204EADE1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1961344454.00000204EADE1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9
Source: firefox.exe, 0000000D.00000003.1940923298.00000204EADE1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1961344454.00000204EADE1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE type = :type AND timestamp = date(:date);

Source: file.exe

ReversingLabs: Detection: 47%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2308 -parentBuildID 20230927232528 -prefsHandle 2224 -prefMapHandle 2216 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {91e90625-3af1-419d-b329-d47348c99b65} 5080 "\\.\pipe\gecko-crash-server-pipe.5080" 204cee70110 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4092 -parentBuildID 20230927232528 -prefsHandle 4196 -prefMapHandle 4192 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fe80c1c2-3d88-4182-86bc-9713acac0c0a} 5080 "\\.\pipe\gecko-crash-server-pipe.5080" 204deae0510 rdd
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2308 -parentBuildID 20230927232528 -prefsHandle 2224 -prefMapHandle 2216 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {91e90625-3af1-419d-b329-d47348c99b65} 5080 "\\.\pipe\gecko-crash-server-pipe.5080" 204cee70110 socket	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4092 -parentBuildID 20230927232528 -prefsHandle 4196 -prefMapHandle 4192 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fe80c1c2-3d88-4182-86bc-9713acac0c0a} 5080 "\\.\pipe\gecko-crash-server-pipe.5080" 204deae0510 rdd	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5032 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5012 -prefMapHandle 4912 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {abcfe1b7-5ad9-4851-a943-b22c8fa72fb9} 5080 "\\.\pipe\gecko-crash-server-pipe.5080" 204e772f910 utility	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: webauthn.pdb source: firefox.exe, 0000000D.00000003.1991040543.00000204E885F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdbV source: gmpopenh264.dll.tmp.13.dr
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdb source: gmpopenh264.dll.tmp.13.dr
Source:	Binary string: webauthn.pdbGCTL source: firefox.exe, 0000000D.00000003.1991040543.00000204E885F000.00000004.00000020.00020000.00000000.sdmp

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008042DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_008042DE

Source: gmpopenh264.dll.tmp.13.dr

Static PE information: section name: .rodata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00820A76 push ecx; ret

0_2_00820A89

Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp			Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)			Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0081F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_0081F98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00891C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00891C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-96437

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 16_2_0000017C4741A6B7 rdtsc

16_2_0000017C4741A6B7

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.7 %

Source: C:\Users\user\Desktop\file.exe TID: 6320	Thread sleep count: 103 > 30			Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 6320	Thread sleep count: 182 > 30			Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0086DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0086DBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008768EE FindFirstFileW,FindClose,	0_2_008768EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0087698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0087698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0086D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0086D076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0086D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0086D3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00879642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00879642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0087979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0087979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00879B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00879B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00875C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00875C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008042DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_008042DE

Source: firefox.exe, 00000010.00000002.3000716047.0000017C46B8A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW eIG\|
Source: firefox.exe, 00000010.00000002.3007367481.0000017C47490000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW\|
Source: firefox.exe, 0000000F.00000002.3008526159.0000026FCC000000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllY[
Source: firefox.exe, 0000000F.00000002.3001564341.0000026FCBB9A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000F.00000002.3008526159.0000026FCC000000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.3001355752.0000026834C9A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.3006361067.0000026835000000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: firefox.exe, 0000000F.00000002.3007476937.0000026FCBF1F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: firefox.exe, 0000000F.00000002.3008526159.0000026FCC000000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllzW
Source: firefox.exe, 0000000F.00000002.3008526159.0000026FCC000000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3007367481.0000017C47490000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 16_2_0000017C4741A6B7 rdtsc

16_2_0000017C4741A6B7

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0087EAA2 BlockInput,

0_2_0087EAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00832622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00832622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008042DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_008042DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00824CE8 mov eax, dword ptr fs:[00000030h]

0_2_00824CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00860B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00860B62

Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00832622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00832622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0082083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0082083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008209D5 SetUnhandledExceptionFilter,	0_2_008209D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00820C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00820C21

Source: C:\Users\user\Desktop\file.exe

0_2_00861201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00842BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00842BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0086B226 SendInput,keybd_event,

0_2_0086B226

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008822DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_008822DA

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

0_2_00860B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00861663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00861663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd
Source: firefox.exe, 0000000D.00000003.1997201230.00000204E8803000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: hSoftware\Policies\Microsoft\Windows\PersonalizationNoChangingStartMenuBackgroundPersonalColors_BackgroundWilStaging_02RtlDisownModuleHeapAllocationRtlQueryFeatureConfigurationRtlRegisterFeatureConfigurationChangeNotificationRtlSubscribeWnfStateChangeNotificationRtlDllShutdownInProgressntdll.dllNtQueryWnfStateDataLocal\SM0:%d:%d:%hs_p0Local\SessionImmersiveColorPreferenceBEGINTHMthmfile\Sessions\%d\Windows\ThemeSectionMessageWindowendthemewndThemeApiConnectionRequest\ThemeApiPortwinsta0SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\PersonalizeAppsUseLightThemeSystemUsesLightThemedefaultshell\themes\uxtheme\render.cppCompositedWindow::WindowdeletedrcacheMDIClientSoftware\Microsoft\Windows\DWMColorPrevalenceSoftware\Microsoft\Windows\CurrentVersion\ImmersiveShellTabletModeMENUAccentColorSoftware\Microsoft\Windows\CurrentVersion\Explorer\AccentDefaultStartColorControl Panel\DesktopAutoColorizationAccentColorMenuStartColorMenuAutoColorSoftware\Microsoft\Windows\CurrentVersion\Themes\History\ColorsSoftware\Microsoft\Windows\CurrentVersion\Themes\HistoryAccentPaletteTab$Shell_TrayWndLocal\SessionImmersiveColorMutex

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00820698 cpuid

0_2_00820698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00878195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00878195

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0085D27A GetUserNameW,

0_2_0085D27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0083BB6F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_0083BB6F

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008042DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_008042DE

Stealing of Sensitive Information

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 6288, type: MEMORYSTR

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 6288, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00881204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00881204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00881806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00881806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	2 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Extra Window Memory Injection	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	1 DLL Side-Loading	NTDS	16 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 Extra Window Memory Injection	LSA Secrets	131 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Process Injection	1 Masquerading	Cached Domain Credentials	11 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	11 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	2 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	47%	ReversingLabs	Win32.Trojan.CredentialFlusher
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	0%	ReversingLabs

Source	Detection	Scanner	Label
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	0%	URL Reputation	safe
https://datastudio.google.com/embed/reporting/	0%	URL Reputation	safe
http://www.mozilla.com0	0%	URL Reputation	safe
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	0%	URL Reputation	safe
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	0%	URL Reputation	safe
https://merino.services.mozilla.com/api/v1/suggest	0%	URL Reputation	safe
https://json-schema.org/draft/2019-09/schema.	0%	URL Reputation	safe
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	0%	URL Reputation	safe
https://www.leboncoin.fr/	0%	URL Reputation	safe
https://spocs.getpocket.com/spocs	0%	URL Reputation	safe
https://shavar.services.mozilla.com	0%	URL Reputation	safe
https://completion.amazon.com/search/complete?q=	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	0%	URL Reputation	safe
https://ads.stickyadstv.com/firefox-etp	0%	URL Reputation	safe
https://identity.mozilla.com/ids/ecosystem_telemetryU	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	0%	URL Reputation	safe
https://monitor.firefox.com/breach-details/	0%	URL Reputation	safe
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/addons/addon/	0%	URL Reputation	safe
https://tracking-protection-issues.herokuapp.com/new	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	0%	URL Reputation	safe
https://content-signature-2.cdn.mozilla.net/	0%	URL Reputation	safe
https://json-schema.org/draft/2020-12/schema/=	0%	URL Reputation	safe
https://app.adjust.com/167k4ih?campaign=firefox-desktop&adgroup=pb&creative=focus-omc172&redirect=ht	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	0%	URL Reputation	safe
https://api.accounts.firefox.com/v1	0%	URL Reputation	safe
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	0%	URL Reputation	safe
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	0%	URL Reputation	safe
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	0%	URL Reputation	safe
https://bugzilla.mo	0%	URL Reputation	safe
https://mitmdetection.services.mozilla.com/	0%	URL Reputation	safe
https://shavar.services.mozilla.com/	0%	URL Reputation	safe
https://spocs.getpocket.com/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	0%	URL Reputation	safe
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	0%	URL Reputation	safe
https://monitor.firefox.com/user/breach-stats?includeResolved=true	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1584464	0%	URL Reputation	safe
http://a9.com/-/spec/opensearch/1.0/	0%	URL Reputation	safe
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	0%	URL Reputation	safe
https://monitor.firefox.com/user/dashboard	0%	URL Reputation	safe
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	0%	URL Reputation	safe
https://monitor.firefox.com/about	0%	URL Reputation	safe
https://account.bellmedia.c	0%	URL Reputation	safe
https://login.microsoftonline.com	0%	URL Reputation	safe
https://coverage.mozilla.org	0%	URL Reputation	safe
http://crl.thawte.com/ThawteTimestampingCA.crl0	0%	URL Reputation	safe
https://www.zhihu.com/	0%	URL Reputation	safe
http://x1.c.lencr.org/0	0%	URL Reputation	safe
http://x1.i.lencr.org/0	0%	URL Reputation	safe
http://a9.com/-/spec/opensearch/1.1/	0%	URL Reputation	safe
https://infra.spec.whatwg.org/#ascii-whitespace	0%	URL Reputation	safe
https://blocked.cdn.mozilla.net/	0%	URL Reputation	safe
https://json-schema.org/draft/2019-09/schema	0%	URL Reputation	safe
https://profiler.firefox.com	0%	URL Reputation	safe
https://outlook.live.com/default.aspx?rru=compose&to=%s	0%	URL Reputation	safe
https://identity.mozilla.com/apps/relay	0%	URL Reputation	safe
https://mozilla.cloudflare-dns.com/dns-query	0%	URL Reputation	safe
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	0%	URL Reputation	safe
https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg	0%	URL Reputation	safe
https://contile.services.mozilla.com/v1/tiles	0%	URL Reputation	safe
https://monitor.firefox.com/user/preferences	0%	URL Reputation	safe
https://screenshots.firefox.com/	0%	URL Reputation	safe
https://truecolors.firefox.com/	0%	URL Reputation	safe
https://gpuweb.github.io/gpuweb/	0%	URL Reputation	safe
http://json-schema.org/draft-07/schema#-	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/tracking-content-report	0%	URL Reputation	safe
https://www.wykop.pl/	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
example.org	93.184.215.14	true	false	unknown
star-mini.c10r.facebook.com	157.240.0.35	true	false	unknown
prod.classify-client.prod.webservices.mozgcp.net	35.190.72.216	true	false	unknown
prod.balrog.prod.cloudops.mozgcp.net	35.244.181.201	true	false	unknown
twitter.com	104.244.42.1	true	false	unknown
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82	true	false	unknown
services.addons.mozilla.org	151.101.129.91	true	false	unknown
dyna.wikimedia.org	185.15.59.224	true	false	unknown
prod.remote-settings.prod.webservices.mozgcp.net	34.149.100.209	true	false	unknown
contile.services.mozilla.com	34.117.188.166	true	false	unknown
youtube.com	142.250.184.238	true	false	unknown
prod.content-signature-chains.prod.webservices.mozgcp.net	34.160.144.191	true	false	unknown
youtube-ui.l.google.com	142.250.181.238	true	false	unknown
us-west1.prod.sumo.prod.webservices.mozgcp.net	34.149.128.2	true	false	unknown
reddit.map.fastly.net	151.101.65.140	true	false	unknown
ipv4only.arpa	192.0.0.171	true	false	unknown
prod.ads.prod.webservices.mozgcp.net	34.117.188.166	true	false	unknown
push.services.mozilla.com	34.107.243.93	true	false	unknown
normandy-cdn.services.mozilla.com	35.201.103.21	true	false	unknown
telemetry-incoming.r53-2.services.mozilla.com	34.120.208.123	true	false	unknown
www.reddit.com	unknown	unknown	false	unknown
spocs.getpocket.com	unknown	unknown	false	unknown
content-signature-2.cdn.mozilla.net	unknown	unknown	false	unknown
support.mozilla.org	unknown	unknown	false	unknown
firefox.settings.services.mozilla.com	unknown	unknown	false	unknown
www.youtube.com	unknown	unknown	false	unknown
www.facebook.com	unknown	unknown	false	unknown
detectportal.firefox.com	unknown	unknown	false	unknown
normandy.cdn.mozilla.net	unknown	unknown	false	unknown
shavar.services.mozilla.com	unknown	unknown	false	unknown
www.wikipedia.org	unknown	unknown	false	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-	firefox.exe, 0000000F.00000002.3002770012.0000026FCBD50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3005798251.0000017C47380000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3005716176.0000026834F00000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://getpocket.cdn.mozilla.net/v3/newtab/layout?version=1&consumer_key=40249-e88c401e1b1f2242d9e4	firefox.exe, 0000000D.00000003.2014631518.00000204DBE33000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	firefox.exe, 0000000D.00000003.1973885327.00000204E279B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1820104797.00000204E279D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1974204110.00000204E24E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3001562041.0000017C46EC7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.3002386355.0000026834EC4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	firefox.exe, 0000000F.00000002.3002770012.0000026FCBD50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3005798251.0000017C47380000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3005716176.0000026834F00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://datastudio.google.com/embed/reporting/	firefox.exe, 0000000D.00000003.1911798391.00000204E7DF3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1885561992.00000204E7DF1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.mozilla.com0	gmpopenh264.dll.tmp.13.dr	false	URL Reputation: safe	unknown
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	firefox.exe, 0000000F.00000002.3003362232.0000026FCBECA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3001562041.0000017C46EF1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.3006673998.0000026835103000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false	URL Reputation: safe	unknown
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	firefox.exe, 0000000D.00000003.1815920301.00000204E6D46000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2007611732.00000204E6D41000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1816886314.00000204E6D41000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1896223300.00000204E6D41000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://merino.services.mozilla.com/api/v1/suggest	firefox.exe, 00000010.00000002.3001562041.0000017C46E86000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.3002386355.0000026834E8F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://json-schema.org/draft/2019-09/schema.	firefox.exe, 0000000D.00000003.1967045477.00000204E72B3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	firefox.exe, 0000000F.00000002.3002770012.0000026FCBD50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3005798251.0000017C47380000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3005716176.0000026834F00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.leboncoin.fr/	firefox.exe, 0000000D.00000003.1969286864.00000204E7194000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://spocs.getpocket.com/spocs	firefox.exe, 0000000D.00000003.1820104797.00000204E27E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://shavar.services.mozilla.com	firefox.exe, 0000000D.00000003.1964912497.00000204E8013000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://completion.amazon.com/search/complete?q=	firefox.exe, 0000000D.00000003.1781977186.00000204DEC77000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1781578924.00000204DEC5A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1781088376.00000204DEA00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1781244543.00000204DEC1F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1781401554.00000204DEC3C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	firefox.exe, 0000000F.00000002.3002770012.0000026FCBD50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3005798251.0000017C47380000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3005716176.0000026834F00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ads.stickyadstv.com/firefox-etp	firefox.exe, 0000000D.00000003.1966160123.00000204E7765000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1935465364.00000204E7765000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://identity.mozilla.com/ids/ecosystem_telemetryU	firefox.exe, 0000000D.00000003.1941140632.00000204EADB2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1961566853.00000204EADB3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	firefox.exe, 0000000F.00000002.3002770012.0000026FCBD50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3005798251.0000017C47380000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3005716176.0000026834F00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/breach-details/	firefox.exe, 0000000F.00000002.3002770012.0000026FCBD50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3005798251.0000017C47380000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3005716176.0000026834F00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/w3c/csswg-drafts/issues/4650	firefox.exe, 0000000D.00000003.1980891729.00000204E6C45000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1970815611.00000204E6C45000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	firefox.exe, 0000000F.00000002.3002770012.0000026FCBD50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3005798251.0000017C47380000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3005716176.0000026834F00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/exec/obidos/external-search/	firefox.exe, 0000000D.00000003.1781977186.00000204DEC77000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1781578924.00000204DEC5A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1918573468.00000204E0157000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1781088376.00000204DEA00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1781244543.00000204DEC1F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1781401554.00000204DEC3C000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.msn.com	firefox.exe, 0000000D.00000003.1975766645.00000204E224D000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://github.com/mozilla-services/screenshots	firefox.exe, 0000000D.00000003.1781977186.00000204DEC77000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1781578924.00000204DEC5A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1781088376.00000204DEA00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1781244543.00000204DEC1F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1781401554.00000204DEC3C000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://services.addons.mozilla.org/api/v4/addons/addon/	firefox.exe, 0000000F.00000002.3002770012.0000026FCBD50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3005798251.0000017C47380000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3005716176.0000026834F00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://tracking-protection-issues.herokuapp.com/new	firefox.exe, 0000000F.00000002.3002770012.0000026FCBD50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3005798251.0000017C47380000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3005716176.0000026834F00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	firefox.exe, 0000000F.00000002.3002770012.0000026FCBD50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3005798251.0000017C47380000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3005716176.0000026834F00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://youtube.com/	firefox.exe, 0000000D.00000003.1975766645.00000204E224D000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://content-signature-2.cdn.mozilla.net/	firefox.exe, 0000000D.00000003.1986563102.00000204E11EC000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://json-schema.org/draft/2020-12/schema/=	firefox.exe, 0000000D.00000003.1967045477.00000204E72B3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94	firefox.exe, 0000000F.00000002.3003362232.0000026FCBECA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3001562041.0000017C46EF1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.3006673998.0000026835103000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false		unknown
https://app.adjust.com/167k4ih?campaign=firefox-desktop&adgroup=pb&creative=focus-omc172&redirect=ht	firefox.exe, 0000000D.00000003.1941140632.00000204EAD0B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.instagram.com/	firefox.exe, 0000000D.00000003.1841118108.00000204E7C84000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1840428699.00000204E7C89000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1840802659.00000204E7C8B000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	firefox.exe, 0000000F.00000002.3002770012.0000026FCBD50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3005798251.0000017C47380000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3005716176.0000026834F00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.accounts.firefox.com/v1	firefox.exe, 0000000F.00000002.3002770012.0000026FCBD50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3005798251.0000017C47380000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3005716176.0000026834F00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/	firefox.exe, 0000000D.00000003.1819838568.00000204E6E66000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1969504842.00000204E716E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1969390668.00000204E7187000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/	firefox.exe, 0000000F.00000002.3002770012.0000026FCBD50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3005798251.0000017C47380000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3005716176.0000026834F00000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	firefox.exe, 0000000F.00000002.3002770012.0000026FCBD50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3005798251.0000017C47380000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3005716176.0000026834F00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta	firefox.exe, 0000000F.00000002.3003362232.0000026FCBECA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3001562041.0000017C46EF1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.3006673998.0000026835103000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false		unknown
http://ocsp.rootca1.amazontrust.com0:	firefox.exe, 0000000D.00000003.1821632545.00000204DFAEC000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.youtube.com/	firefox.exe, 0000000D.00000003.1969504842.00000204E716E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3001562041.0000017C46E0A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.3002386355.0000026834E0C000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	firefox.exe, 0000000F.00000002.3002770012.0000026FCBD50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3005798251.0000017C47380000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3005716176.0000026834F00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.bbc.co.uk/	firefox.exe, 0000000D.00000003.1969286864.00000204E7194000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://addons.mozilla.org/firefox/addon/to-google-translate/	firefox.exe, 0000000D.00000003.1961949998.00000204EAD3C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1941140632.00000204EAD0B000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	firefox.exe, 0000000D.00000003.1819838568.00000204E6E66000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1820104797.00000204E279D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1974204110.00000204E24E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3001562041.0000017C46EC7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.3002386355.0000026834EC4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://127.0.0.1:	firefox.exe, 0000000D.00000003.1973177244.00000204E6B77000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2015954288.00000204E6B77000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000002.3002770012.0000026FCBD50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3005798251.0000017C47380000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3005716176.0000026834F00000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	firefox.exe, 0000000D.00000003.1950700449.00000204E0148000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mo	firefox.exe, 0000000D.00000003.1940081606.00000204EAE2F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mitmdetection.services.mozilla.com/	firefox.exe, 0000000F.00000002.3002770012.0000026FCBD50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3005798251.0000017C47380000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3005716176.0000026834F00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://youtube.com/account?=	recovery.jsonlz4.tmp.13.dr	false		unknown
https://shavar.services.mozilla.com/	firefox.exe, 0000000D.00000003.1964912497.00000204E8013000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://spocs.getpocket.com/	firefox.exe, 0000000D.00000003.1980495609.00000204E6C86000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1972961287.00000204E6BC5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1820104797.00000204E279D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3001562041.0000017C46E12000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.3002386355.0000026834E13000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	firefox.exe, 0000000F.00000002.3002770012.0000026FCBD50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3005798251.0000017C47380000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3005716176.0000026834F00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	firefox.exe, 0000000F.00000002.3002770012.0000026FCBD50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3005798251.0000017C47380000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3005716176.0000026834F00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	firefox.exe, 0000000F.00000002.3002770012.0000026FCBD50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3005798251.0000017C47380000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3005716176.0000026834F00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.iqiyi.com/	firefox.exe, 0000000D.00000003.1969286864.00000204E7194000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r	firefox.exe, 0000000F.00000002.3002770012.0000026FCBD50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3005798251.0000017C47380000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3005716176.0000026834F00000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://monitor.firefox.com/user/breach-stats?includeResolved=true	firefox.exe, 0000000F.00000002.3002770012.0000026FCBD50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3005798251.0000017C47380000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3005716176.0000026834F00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	firefox.exe, 0000000F.00000002.3002770012.0000026FCBD50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3005798251.0000017C47380000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3005716176.0000026834F00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://addons.mozilla.org/	firefox.exe, 0000000D.00000003.1932702381.00000204EA8DB000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1584464	firefox.exe, 0000000D.00000003.1980891729.00000204E6C45000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1970815611.00000204E6C45000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://a9.com/-/spec/opensearch/1.0/	firefox.exe, 0000000D.00000003.1979086775.00000204E6E2E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2015777196.00000204E6E30000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	firefox.exe, 0000000F.00000002.3002770012.0000026FCBD50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3005798251.0000017C47380000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3005716176.0000026834F00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/user/dashboard	firefox.exe, 0000000F.00000002.3002770012.0000026FCBD50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3005798251.0000017C47380000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3005716176.0000026834F00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	firefox.exe, 0000000F.00000002.3002770012.0000026FCBD50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3005798251.0000017C47380000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3005716176.0000026834F00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/about	firefox.exe, 0000000F.00000002.3002770012.0000026FCBD50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3005798251.0000017C47380000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3005716176.0000026834F00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://mozilla.org/MPL/2.0/.	firefox.exe, 0000000D.00000003.1906268444.00000204E01C5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1944313851.00000204DFE5B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1817036636.00000204E6DC2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1911312449.00000204DF6BF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1955449157.00000204DF7CC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2001398643.00000204DF6BF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1951094560.00000204DFEC9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1914004744.00000204E6DA9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1907868811.00000204E6DA9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2012096877.00000204DEFEE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1841118108.00000204E7C8E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1916768825.00000204E7C97000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1788040331.00000204DF7C9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1911312449.00000204DF6E0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1980275882.00000204E6CAF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1788339932.00000204DF7C8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1816769707.00000204E6D9A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1906182620.00000204E78FC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1965904013.00000204E77A2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1928401688.00000204DEFDD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1950700449.00000204E0139000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://account.bellmedia.c	firefox.exe, 0000000D.00000003.1975766645.00000204E224D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://login.microsoftonline.com	firefox.exe, 0000000D.00000003.1984425430.00000204E20A4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1975766645.00000204E224D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://coverage.mozilla.org	firefox.exe, 0000000F.00000002.3002770012.0000026FCBD50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3005798251.0000017C47380000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3005716176.0000026834F00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0	gmpopenh264.dll.tmp.13.dr	false	URL Reputation: safe	unknown
https://www.zhihu.com/	firefox.exe, 0000000D.00000003.1820104797.00000204E27E2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1973564979.00000204E27E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.c.lencr.org/0	firefox.exe, 0000000D.00000003.1821632545.00000204DFAEC000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.i.lencr.org/0	firefox.exe, 0000000D.00000003.1821632545.00000204DFAEC000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://a9.com/-/spec/opensearch/1.1/	firefox.exe, 0000000D.00000003.1979086775.00000204E6E2E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2015777196.00000204E6E30000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://infra.spec.whatwg.org/#ascii-whitespace	firefox.exe, 0000000D.00000003.2007611732.00000204E6D41000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1816886314.00000204E6D41000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1896223300.00000204E6D41000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://blocked.cdn.mozilla.net/	firefox.exe, 0000000F.00000002.3002770012.0000026FCBD50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3005798251.0000017C47380000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3005716176.0000026834F00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://json-schema.org/draft/2019-09/schema	firefox.exe, 0000000D.00000003.1968968959.00000204E719D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://profiler.firefox.com	firefox.exe, 0000000F.00000002.3002770012.0000026FCBD50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3005798251.0000017C47380000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3005716176.0000026834F00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://outlook.live.com/default.aspx?rru=compose&to=%s	firefox.exe, 0000000D.00000003.1785034635.00000204DD01D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1785292220.00000204DD033000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1784190993.00000204DD033000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1956173382.00000204DD039000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://identity.mozilla.com/apps/relay	firefox.exe, 0000000D.00000003.1965195444.00000204E7ED2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1934197265.00000204E7EC3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mozilla.cloudflare-dns.com/dns-query	firefox.exe, 0000000F.00000002.3002770012.0000026FCBD50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3005798251.0000017C47380000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3005716176.0000026834F00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	firefox.exe, 0000000D.00000003.1975766645.00000204E225A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mail.yahoo.co.jp/compose/?To=%s	firefox.exe, 0000000D.00000003.1785034635.00000204DD01D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1785292220.00000204DD033000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1784190993.00000204DD033000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1956173382.00000204DD039000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://addons.mozilla.org/firefox/addon/reddit-enhancement-suite/	firefox.exe, 0000000D.00000003.1961949998.00000204EAD3C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1941140632.00000204EAD0B000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg	firefox.exe, 0000000F.00000002.3003362232.0000026FCBECA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3001562041.0000017C46EF1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.3006673998.0000026835103000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false	URL Reputation: safe	unknown
https://contile.services.mozilla.com/v1/tiles	firefox.exe, 0000000D.00000003.1969980206.00000204E6EA9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000002.3002770012.0000026FCBD50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3005798251.0000017C47380000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3005716176.0000026834F00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.co.uk/	firefox.exe, 0000000D.00000003.1969286864.00000204E7194000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://monitor.firefox.com/user/preferences	firefox.exe, 0000000F.00000002.3002770012.0000026FCBD50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3005798251.0000017C47380000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3005716176.0000026834F00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://screenshots.firefox.com/	firefox.exe, 0000000D.00000003.1781401554.00000204DEC3C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://truecolors.firefox.com/	firefox.exe, 0000000D.00000003.1932702381.00000204EA8DB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/search	firefox.exe, 0000000D.00000003.1781977186.00000204DEC77000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1781578924.00000204DEC5A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1918573468.00000204E0157000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1781088376.00000204DEA00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1781244543.00000204DEC1F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1781401554.00000204DEC3C000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://gpuweb.github.io/gpuweb/	firefox.exe, 0000000D.00000003.1980891729.00000204E6C45000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1970815611.00000204E6C45000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://relay.firefox.com/api/v1/	firefox.exe, 0000000F.00000002.3002770012.0000026FCBD50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3005798251.0000017C47380000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3005716176.0000026834F00000.00000002.10000000.00040000.00000000.sdmp	false		unknown
http://json-schema.org/draft-07/schema#-	firefox.exe, 0000000D.00000003.1967045477.00000204E72B3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/tracking-content-report	firefox.exe, 0000000F.00000002.3002770012.0000026FCBD50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3005798251.0000017C47380000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3005716176.0000026834F00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://topsites.services.mozilla.com/cid/	firefox.exe, 0000000F.00000002.3002770012.0000026FCBD50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3005798251.0000017C47380000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3005716176.0000026834F00000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://www.wykop.pl/	firefox.exe, 0000000D.00000003.1978912186.00000204E7188000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1969390668.00000204E7187000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://twitter.com/	firefox.exe, 0000000D.00000003.1819838568.00000204E6E66000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1969504842.00000204E716E000.00000004.00000800.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
34.149.100.209	prod.remote-settings.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
151.101.129.91	services.addons.mozilla.org	United States	54113	FASTLYUS	false
34.107.243.93	push.services.mozilla.com	United States	15169	GOOGLEUS	false
34.107.221.82	prod.detectportal.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
35.244.181.201	prod.balrog.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
34.117.188.166	contile.services.mozilla.com	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
35.201.103.21	normandy-cdn.services.mozilla.com	United States	15169	GOOGLEUS	false
35.190.72.216	prod.classify-client.prod.webservices.mozgcp.net	United States	15169	GOOGLEUS	false
142.250.184.238	youtube.com	United States	15169	GOOGLEUS	false
34.160.144.191	prod.content-signature-chains.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.120.208.123	telemetry-incoming.r53-2.services.mozilla.com	United States	15169	GOOGLEUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1544951
Start date and time:	2024-10-29 22:12:10 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 1s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal72.troj.evad.winEXE@33/36@68/12
EGA Information:	Successful, ratio: 40%
HCA Information:	Successful, ratio: 94% Number of executed functions: 41 Number of non-executed functions: 308
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 184.28.90.27, 35.160.212.113, 52.11.191.138, 54.185.230.140, 2.22.61.56, 2.22.61.59, 142.250.185.238, 172.217.16.202, 142.250.185.234
Excluded domains from analysis (whitelisted): fs.microsoft.com, shavar.prod.mozaws.net, ciscobinary.openh264.org, slscr.update.microsoft.com, otelrules.azureedge.net, incoming.telemetry.mozilla.org, ctldl.windowsupdate.com, a17.rackcdn.com.mdc.edgesuite.net, detectportal.prod.mozaws.net, aus5.mozilla.org, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com, a19.dscg10.akamai.net, ocsp.digicert.com, redirector.gvt1.com, e16604.g.akamaiedge.net, safebrowsing.googleapis.com, prod.fs.microsoft.com.akadns.net, location.services.mozilla.com
Execution Graph export aborted for target firefox.exe, PID 5080 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
17:13:23	API Interceptor	1x Sleep call for process: firefox.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
34.117.188.166	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.149.100.209	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
151.101.129.91	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.160.144.191	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
example.org	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
twitter.com	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
services.addons.mozilla.org	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
star-mini.c10r.facebook.com	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.253.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.253.35
	https://clickme.thryv.com/ls/click?upn=u001.Als7cfHaJU2yMdsJgpsIFmiRUl-2BtxcZ73D3PC6s7dEdSEpNEVf7BmEr33HzpWyzDy2Qc_OEO3HRIZ3eedLymwLhvJt9sqs3j4T3CqpVCO9A0ZKplqH1W1Ad1lCPdQBrRfbSauZPLLCLTYBsXDRt8yGG5FOZ7NK342oFTufTBA9n-2F9XZML5SAWON4OCquRGeOrZOG6X7bKIH2ouDi7O5ssZhkwdV9j8BuAetGO74HzivTb4yjw5AGX5ZMnsGYBS3vBuNNgFYRVSYVxc5dN7eCLDUr43XjgYUZE2GmJzXmN-2BelIHWKsvaOOIeqiW6cnMf2CI6MeEhodwtV2LpZJtWZhkGi5I2rlc08PnxbPlMsOj2Cr9oC-2BCWb9WuPqmZU8rqYD8CNL-2BgY3UElGOq-2BfG3NfYFdrc0Rb11eU0t5G2ihyqzzZVfI-3D#cHNjaG1pdHRAZ3Jpc3Qub3Jn	Get hash	malicious	Unknown	Browse	157.240.251.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.252.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.253.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.253.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	na.elf	Get hash	malicious	Mirai	Browse	34.66.240.23
	jew.mips.elf	Get hash	malicious	Mirai	Browse	34.118.114.104
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
ATGS-MMD-ASUS	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	belks.arm.elf	Get hash	malicious	Mirai	Browse	57.44.124.158
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	belks.sh4.elf	Get hash	malicious	Mirai	Browse	34.17.28.191
	belks.ppc.elf	Get hash	malicious	Mirai	Browse	57.43.170.29
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	https://dartergary.wordpress.com/	Get hash	malicious	HTMLPhisher	Browse	34.49.241.189
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
FASTLYUS	file.exe	Get hash	malicious	LummaC	Browse	185.199.109.133
	https://www.directo.com.bo/dok	Get hash	malicious	Unknown	Browse	151.101.129.229
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	Electronic_Receipt_ATT0001.htm	Get hash	malicious	Unknown	Browse	151.101.2.137
	https://dartergary.wordpress.com/	Get hash	malicious	HTMLPhisher	Browse	151.101.2.92
	https://clickme.thryv.com/ls/click?upn=u001.Als7cfHaJU2yMdsJgpsIFmiRUl-2BtxcZ73D3PC6s7dEdSEpNEVf7BmEr33HzpWyzDy2Qc_OEO3HRIZ3eedLymwLhvJt9sqs3j4T3CqpVCO9A0ZKplqH1W1Ad1lCPdQBrRfbSauZPLLCLTYBsXDRt8yGG5FOZ7NK342oFTufTBA9n-2F9XZML5SAWON4OCquRGeOrZOG6X7bKIH2ouDi7O5ssZhkwdV9j8BuAetGO74HzivTb4yjw5AGX5ZMnsGYBS3vBuNNgFYRVSYVxc5dN7eCLDUr43XjgYUZE2GmJzXmN-2BelIHWKsvaOOIeqiW6cnMf2CI6MeEhodwtV2LpZJtWZhkGi5I2rlc08PnxbPlMsOj2Cr9oC-2BCWb9WuPqmZU8rqYD8CNL-2BgY3UElGOq-2BfG3NfYFdrc0Rb11eU0t5G2ihyqzzZVfI-3D#cHNjaG1pdHRAZ3Jpc3Qub3Jn	Get hash	malicious	Unknown	Browse	151.101.129.140
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
ATGS-MMD-ASUS	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	belks.arm.elf	Get hash	malicious	Mirai	Browse	57.44.124.158
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	belks.sh4.elf	Get hash	malicious	Mirai	Browse	34.17.28.191
	belks.ppc.elf	Get hash	malicious	Mirai	Browse	57.43.170.29
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	https://dartergary.wordpress.com/	Get hash	malicious	HTMLPhisher	Browse	34.49.241.189
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fb0aa01abe9d8e4037eb3473ca6e2dca	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_187fa713-2933-479c-817c-8d6638736cbe.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.181210089380954
Encrypted:	false
SSDEEP:	192:ZjMXKU/cbhbVbTbfbRbObtbyEl7n0rBJA6WnSrDtTUd/SkDrj:ZYjcNhnzFSJUr8BnSrDhUd/x
MD5:	B7A35A470895C39C7641D5C65F7EFDFD
SHA1:	551960F97FB774C04AC07DE4C5DBA18D10C5E203
SHA-256:	0AC8D4C467D4DDB98587025DAA4B76B786B7B519DB8181B9E5CD9D9A626764DB
SHA-512:	7A5E08FAF34ABFE887CE2309D91D239020A87B7D2D49161FD6ED591DBD06C2F283C57C5EE391A9BD04560A3F90D20C9D4C1E7D9E2AFFF6CA64D2F71163CE8103
Malicious:	false
Preview:	{"type":"uninstall","id":"187fa713-2933-479c-817c-8d6638736cbe","creationDate":"2024-10-29T22:54:44.825Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"65e71c9e-6ac3-4903-9066-b134350de32c","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_187fa713-2933-479c-817c-8d6638736cbe.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.181210089380954
Encrypted:	false
SSDEEP:	192:ZjMXKU/cbhbVbTbfbRbObtbyEl7n0rBJA6WnSrDtTUd/SkDrj:ZYjcNhnzFSJUr8BnSrDhUd/x
MD5:	B7A35A470895C39C7641D5C65F7EFDFD
SHA1:	551960F97FB774C04AC07DE4C5DBA18D10C5E203
SHA-256:	0AC8D4C467D4DDB98587025DAA4B76B786B7B519DB8181B9E5CD9D9A626764DB
SHA-512:	7A5E08FAF34ABFE887CE2309D91D239020A87B7D2D49161FD6ED591DBD06C2F283C57C5EE391A9BD04560A3F90D20C9D4C1E7D9E2AFFF6CA64D2F71163CE8103
Malicious:	false
Preview:	{"type":"uninstall","id":"187fa713-2933-479c-817c-8d6638736cbe","creationDate":"2024-10-29T22:54:44.825Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"65e71c9e-6ac3-4903-9066-b134350de32c","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ISO Media, MP4 Base Media v1 [ISO 14496-12:2003]
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.4593089050301797
Encrypted:	false
SSDEEP:	48:9SP0nUgwyZXYI65yFRX2D3GNTTfyn0Mk1iA:9SDKaIjo3UzyE1L
MD5:	D910AD167F0217587501FDCDB33CC544
SHA1:	2F57441CEFDC781011B53C1C5D29AC54835AFC1D
SHA-256:	E3699D9404A3FFC1AFF0CA8A3972DC0EF38BDAB927741E9F627C7C55CEA42E81
SHA-512:	F1871BF28FF25EE52BDB99C7A80AB715C7CAC164DCD2FD87E681168EE927FD2C5E80E03C91BB638D955A4627213BF575FF4D9EECAEDA7718C128CF2CE8F7CB3D
Malicious:	false
Preview:	... ftypisom....isomiso2avc1mp41....free....mdat..........E...H..,. .#..x264 - core 152 r2851 ba24899 - H.264/MPEG-4 AVC codec - Copyleft 2003-2017 - http://www.videolan.org/x264.html - options: cabac=1 ref=3 deblock=1:0:0 analyse=0x3:0x113 me=hex subme=7 psy=1 psy_rd=1.00:0.00 mixed_ref=1 me_range=16 chroma_me=1 trellis=1 8x8dct=1 cqm=0 deadzone=21,11 fast_pskip=1 chroma_qp_offset=-2 threads=4 lookahead_threads=1 sliced_threads=0 nr=0 decimate=1 interlaced=0 bluray_compat=0 constrained_intra=0 bframes=3 b_pyramid=2 b_adapt=1 b_bias=0 direct=1 weightb=1 open_gop=0 weightp=2 keyint=250 keyint_min=25 scenecut=40 intra_refresh=0 rc_lookahead=40 rc=crf mbtree=1 crf=23.0 qcomp=0.60 qpmin=0 qpmax=69 qpstep=4 ip_ratio=1.40 aq=1:1.00......e...+...s\|.kG3...'.u.."...,J.w.~.d\..(K....!.+..;....h....(.T.*...M......0..~L..8..B..A.y..R..,.zBP.';j.@.].w..........c......C=.'f....gI.$^.......m5V.L...{U..%V[....8......B..i..^,....:...,..5.m.%dA....moov...lmvhd...................(...........

C:\Users\user\AppData\Local\Temp\tmpaddon

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	453023
Entropy (8bit):	7.997718157581587
Encrypted:	true
SSDEEP:	12288:tESTeqTI2r4ZbCgUKWKNeRcPMb6qlV7hVZe3:tEsed2Xh9/bdzZe3
MD5:	85430BAED3398695717B0263807CF97C
SHA1:	FFFBEE923CEA216F50FCE5D54219A188A5100F41
SHA-256:	A9F4281F82B3579581C389E8583DC9F477C7FD0E20C9DFC91A2E611E21E3407E
SHA-512:	06511F1F6C6D44D076B3C593528C26A602348D9C41689DBF5FF716B671C3CA5756B12CB2E5869F836DEDCE27B1A5CFE79B93C707FD01F8E84B620923BB61B5F1
Malicious:	false
Preview:	PK.........bN...R..........gmpopenh264.dll..\|.E.0.=..I.....1....4f1q.`.........q.....'+....hm{.z..o_.{w........$..($A!...\|L...B&A2.s.{..Dd......c.U.U..9u.S...K.l`...../.d.-....\|.....&....9......wn..x......i.#O.+.Y.l......+....,3.3f..\..c.SSS,............N...GG...F.'.&.:'.K.Z&.>.@.g..M...M.`............ZR....^jg.G.Kb.o~va.....<Z..1.#.O.e.....D..X..i..$imBW..Q&.......P.....,M.,..:.c...-...\...........-i.K.I..4.a..6.....Ov=...W..F.CH.>...a.'.x...#@f...d..u.1....OV.1o}....g.5.._.3.J.Hi.Z.ipM....b.Z....%.G..F................/..3.q..J.....o...%.g.N..}..).3.N%.!..q........^I.m..~...6.#.~+.....A...I]r...x...<IYj....p0..`S.M@.E..f.=.;!.@.....E..E....... .0.n....Jd..d......uM.-.qI.lR..z..=}..r.D.XLZ....x.$..\|c.1.cUkM.&.Qn]..a]t.h...!.6 7..Jd.DvKJ"Wgd*%n...w...Jni.inmr.@M.$'Z.s....#)%..Rs..:.h....R....\..t.6..'.g.........Uj+F.cr:\|..!..K.W.Y...17......,....r.....>.N..3.R.Y.._\...Ir.DNJdM... .k...&V-....z.%...-...D..i..&...6....7.2T).>..0..%.&.

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.928956977580472
Encrypted:	false
SSDEEP:	48:YnSwkmrOfJNmPUFpOdwNIOdoWLEWLtkDLuuukx5FBvipA6kbbXjQthvLuhakNh9M:8S+OfJQPUFpOdwNIOdYVjvYcXaNLO78P
MD5:	5298101F6C945EA2ACF03A51BF0F8021
SHA1:	927BC8CD49842795968A555001108F2D90039877
SHA-256:	3D9EC99EBF12D2388ACAB0EF414AE4CF07D476AE3CD376E1707A76278709170F
SHA-512:	B03550D2FBEA4A284DFECE7221443B6B47AD57C515E9981B7E77CAFDC98A262FA48400B6253891096630A5BD1CF9A510FD472B2E434A51971AC170D7D4B12684
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"c5d95379-f4ee-4629-a507-6f15a0e93cd4","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-03T11:50:29.548Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.928956977580472
Encrypted:	false
SSDEEP:	48:YnSwkmrOfJNmPUFpOdwNIOdoWLEWLtkDLuuukx5FBvipA6kbbXjQthvLuhakNh9M:8S+OfJQPUFpOdwNIOdYVjvYcXaNLO78P
MD5:	5298101F6C945EA2ACF03A51BF0F8021
SHA1:	927BC8CD49842795968A555001108F2D90039877
SHA-256:	3D9EC99EBF12D2388ACAB0EF414AE4CF07D476AE3CD376E1707A76278709170F
SHA-512:	B03550D2FBEA4A284DFECE7221443B6B47AD57C515E9981B7E77CAFDC98A262FA48400B6253891096630A5BD1CF9A510FD472B2E434A51971AC170D7D4B12684
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"c5d95379-f4ee-4629-a507-6f15a0e93cd4","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-03T11:50:29.548Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 23432 bytes
Category:	dropped
Size (bytes):	5312
Entropy (8bit):	6.615424734763731
Encrypted:	false
SSDEEP:	96:V2YbKsKNU2xWrp327tGmD4wBON6h6cHaJVJuZMd0JGkkrw2D:VTx2x2t0FDJ4NpwZMd0EJws
MD5:	1B9C8056D3619CE5A8C59B0C09873F17
SHA1:	1015C630E1937AA63F6AB31743782ECB5D78CCD8
SHA-256:	A6AE5DE0733FED050AB570AD9374FF4593D554F695B5AE4E2495871D171D34A3
SHA-512:	B1DC9CC675D5476C270A2D5B214D3DF2B3856576ED7EFE92D9A606C2D9D34E781018902AE75CE9C1E25007BB7F8D8F7B52997E6F05B845EF44BAF22F614FE899
Malicious:	false
Preview:	mozLz40..[....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 23432 bytes
Category:	dropped
Size (bytes):	5312
Entropy (8bit):	6.615424734763731
Encrypted:	false
SSDEEP:	96:V2YbKsKNU2xWrp327tGmD4wBON6h6cHaJVJuZMd0JGkkrw2D:VTx2x2t0FDJ4NpwZMd0EJws
MD5:	1B9C8056D3619CE5A8C59B0C09873F17
SHA1:	1015C630E1937AA63F6AB31743782ECB5D78CCD8
SHA-256:	A6AE5DE0733FED050AB570AD9374FF4593D554F695B5AE4E2495871D171D34A3
SHA-512:	B1DC9CC675D5476C270A2D5B214D3DF2B3856576ED7EFE92D9A606C2D9D34E781018902AE75CE9C1E25007BB7F8D8F7B52997E6F05B845EF44BAF22F614FE899
Malicious:	false
Preview:	mozLz40..[....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 5, last written using SQLite version 3042000, page size 32768, file counter 5, database pages 8, cookie 0x6, schema 4, largest root page 8, UTF-8, vacuum mode 1, version-valid-for 5
Category:	dropped
Size (bytes):	262144
Entropy (8bit):	0.04905391753567332
Encrypted:	false
SSDEEP:	24:DLivwae+Q8Uu50xj0aWe9LxYkKA25Q5tvAA:D6wae+QtMImelekKDa5
MD5:	DD9D28E87ED57D16E65B14501B4E54D1
SHA1:	793839B47326441BE2D1336BA9A61C9B948C578D
SHA-256:	BB4E6C58C50BD6399ED70468C02B584595C29F010B66F864CD4D6B427FA365BC
SHA-512:	A2626F6A3CBADE62E38DA5987729D99830D0C6AA134D4A9E615026A5F18ACBB11A2C3C80917DAD76DA90ED5BAA9B0454D4A3C2DD04436735E78C974BA1D035B1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......\|....~.}.}z}-\|.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.185924656884556
Encrypted:	false
SSDEEP:	768:wI43DvfWXf4E6C4p4EC4Y4QfEWvM4B4QS4z4444XQ4U:wUfdvk
MD5:	5656BA69BD2966108A461AAE35F60226
SHA1:	9C2E5AE52D82CEA43C4A5FFF205A7700CF54D61C
SHA-256:	587596712960B26EAC18CB354CCD633FFDB218E374A9D59EFEA843914D7AB299
SHA-512:	38F715AD9156558B5D57CA2E75FB0FFE0C5C6728BD94484B8F15E090120DDD02DCE42DBC9CC7143AD6552460A5F3A40E577FAF1D76D5D40B25CDBE636F250054
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{60024e8e-cfd0-41e5-965d-7128c7dcf0e8}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.185924656884556
Encrypted:	false
SSDEEP:	768:wI43DvfWXf4E6C4p4EC4Y4QfEWvM4B4QS4z4444XQ4U:wUfdvk
MD5:	5656BA69BD2966108A461AAE35F60226
SHA1:	9C2E5AE52D82CEA43C4A5FFF205A7700CF54D61C
SHA-256:	587596712960B26EAC18CB354CCD633FFDB218E374A9D59EFEA843914D7AB299
SHA-512:	38F715AD9156558B5D57CA2E75FB0FFE0C5C6728BD94484B8F15E090120DDD02DCE42DBC9CC7143AD6552460A5F3A40E577FAF1D76D5D40B25CDBE636F250054
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{60024e8e-cfd0-41e5-965d-7128c7dcf0e8}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\permissions.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.07325690172395351
Encrypted:	false
SSDEEP:	12:DBl/A0OWla0mwPxRymgObsCVR45wcYR4fmnsCVR4zkiV:DLhesh7Owd4+jiV
MD5:	606432482506995DE431DEB7DF65F917
SHA1:	6C2E21389411D0422851BE873679D27F55F6D28C
SHA-256:	61E199784E7469C7338FE51B71FAD0DCCD1195475F6A30F94518BCEADB725D14
SHA-512:	66A82B799BC982F2B75E424346536B0BE9FF77E32358866353C437006D19EF0BE017C8A488CEFEB33227D218839A7B74EDC08E7DE7FBDC3E81ADEE9B3A4968A1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......~s..F~s........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.035699946889726504
Encrypted:	false
SSDEEP:	3:GtlstFkfUiRSWFZdlY/tlstFkfUiRSWFZd/tJ89//alEl:GtWtmfU4SWjQtWtmfU4SWjXJ89XuM
MD5:	AD7D9AEF948308414A16B4C84D39D1F9
SHA1:	B8D9BF3F3267A2DB82B264EECEE0D6D3B6AC1C15
SHA-256:	E93025A135FA141FED994854A6FAEF14AE927965D0CC63BC1FF693C35A8A1E84
SHA-512:	139F87975041E8C6F41B59F1196E948AB08309F81A402C871B855E6D829A1E1CB1AD9AAC3B8A98A7A9982C628C8FCFEEABDE1E1F425DE98118A3F4816C81B23B
Malicious:	false
Preview:	..-......................3.3Or.G$]9z...2.@i/.\|qa..-......................3.3Or.G$]9z...2.@i/.\|qa........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-wal

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	dropped
Size (bytes):	32824
Entropy (8bit):	0.03941935905130798
Encrypted:	false
SSDEEP:	3:Ol17Toe91qfB5L2Q3kliwl8rEXsxdwhml8XW3R2:K2i1K5L2Q8l8dMhm93w
MD5:	AAD38E9F6C375E06934C8A4D230C5DC9
SHA1:	8B82258AAAA34B7C5CBD6895938E23E346A793E5
SHA-256:	19EAA258CCC5E0EC70DF67789A0186A76B8F7CFAA0719A69EF753EFDB6E9268F
SHA-512:	18531A1967F16BBC5745C44A3EB34ED2B95DACE42A28C73B56B213CF361228519B8E311FFC3DA7C24B5A860E30B56B9E0D7A92D5569328A62C80736D45F39E3A
Malicious:	false
Preview:	7....-..........$]9z...2P.`7;.@.........$]9z...23.3.G.rO................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs-1.js

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1809), with CRLF line terminators
Category:	dropped
Size (bytes):	13254
Entropy (8bit):	5.495397900132423
Encrypted:	false
SSDEEP:	192:knaRtLYbBp63hj4qyaaXv6KHRNmW5RfGNBw8dJSl:5e1qh0bdcwW0
MD5:	78348BE247270ADB91A68FDEFAA07870
SHA1:	864D3F58AE47A73BE376189139FA639A65FC15D1
SHA-256:	A57C9837A75999A5B35287A5A9FB36C1E45A893B8178DDAD3C12F520FC99E28C
SHA-512:	2740F088DB13C5940DD6EBEF707C5B164074D770961EC10AE1F8F9EBC62AEB482593ECF6C9703560E6160FAB9F01794F09F1114F56FF02C402D6EE736913F240
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "57f16a19-e119-4073-bf01-28f88011f783");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1730242455);..user_pref("app.update.lastUpdateTime.background-update-timer", 1730242455);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1730242455);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173024

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1809), with CRLF line terminators
Category:	dropped
Size (bytes):	13254
Entropy (8bit):	5.495397900132423
Encrypted:	false
SSDEEP:	192:knaRtLYbBp63hj4qyaaXv6KHRNmW5RfGNBw8dJSl:5e1qh0bdcwW0
MD5:	78348BE247270ADB91A68FDEFAA07870
SHA1:	864D3F58AE47A73BE376189139FA639A65FC15D1
SHA-256:	A57C9837A75999A5B35287A5A9FB36C1E45A893B8178DDAD3C12F520FC99E28C
SHA-512:	2740F088DB13C5940DD6EBEF707C5B164074D770961EC10AE1F8F9EBC62AEB482593ECF6C9703560E6160FAB9F01794F09F1114F56FF02C402D6EE736913F240
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "57f16a19-e119-4073-bf01-28f88011f783");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1730242455);..user_pref("app.update.lastUpdateTime.background-update-timer", 1730242455);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1730242455);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173024

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\protections.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 1, last written using SQLite version 3042000, page size 32768, file counter 5, database pages 2, cookie 0x1, schema 4, UTF-8, version-valid-for 5
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.04062825861060003
Encrypted:	false
SSDEEP:	6:ltBl/l4/WN1h4BEJYqWvLue3FMOrMZ0l:DBl/WuntfJiFxMZO
MD5:	18F65713B07CB441E6A98655B726D098
SHA1:	2CEFA32BC26B25BE81C411B60C9925CB0F1F8F88
SHA-256:	B6C268E48546B113551A5AF9CA86BB6A462A512DE6C9289315E125CEB0FD8621
SHA-512:	A6871076C7D7ED53B630F9F144ED04303AD54A2E60B94ECA2AA96964D1AB375EEFDCA86CE0D3EB0E9DBB81470C6BD159877125A080C95EB17E54A52427F805FB
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......x..x..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\saved-telemetry-pings\855e56fc-7f27-478d-8b5e-749c1dd8bb18 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	493
Entropy (8bit):	4.9803393978243315
Encrypted:	false
SSDEEP:	12:YZFgnJS1IVHlW8cOlZGV1AQIYzvZcyBuLZ2d:YOU1SlCOlZGV1AQIWZcy6Z2d
MD5:	EC9D69E473C7ECB937C8D6910388D370
SHA1:	7D74943F690163BB647C187956B4E51F2E32B925
SHA-256:	97AB8D4F6598DF767F4D8A7454FE92C181B620D724475BA195B6D8F01B9786AE
SHA-512:	9975AC6C1340C0D2AE0442566C640C94B3241295A2C6ECBEC273FBF595E0840C79C57486A3F1501B28FCE4800D38D0BB2F9C9B37FAD23738F1C03218A28EE70F
Malicious:	false
Preview:	{"type":"health","id":"855e56fc-7f27-478d-8b5e-749c1dd8bb18","creationDate":"2024-10-29T22:54:45.465Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"os":{"name":"WINNT","version":"10.0"},"reason":"immediate","sendFailure":{"eUnreachable":1}},"clientId":"65e71c9e-6ac3-4903-9066-b134350de32c"}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\saved-telemetry-pings\855e56fc-7f27-478d-8b5e-749c1dd8bb18.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	modified
Size (bytes):	493
Entropy (8bit):	4.9803393978243315
Encrypted:	false
SSDEEP:	12:YZFgnJS1IVHlW8cOlZGV1AQIYzvZcyBuLZ2d:YOU1SlCOlZGV1AQIWZcy6Z2d
MD5:	EC9D69E473C7ECB937C8D6910388D370
SHA1:	7D74943F690163BB647C187956B4E51F2E32B925
SHA-256:	97AB8D4F6598DF767F4D8A7454FE92C181B620D724475BA195B6D8F01B9786AE
SHA-512:	9975AC6C1340C0D2AE0442566C640C94B3241295A2C6ECBEC273FBF595E0840C79C57486A3F1501B28FCE4800D38D0BB2F9C9B37FAD23738F1C03218A28EE70F
Malicious:	false
Preview:	{"type":"health","id":"855e56fc-7f27-478d-8b5e-749c1dd8bb18","creationDate":"2024-10-29T22:54:45.465Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"os":{"name":"WINNT","version":"10.0"},"reason":"immediate","sendFailure":{"eUnreachable":1}},"clientId":"65e71c9e-6ac3-4903-9066-b134350de32c"}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionCheckpoints.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionCheckpoints.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.baklz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1568
Entropy (8bit):	6.332293829386337
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSgLXnIgc/pnxQwRlszT5sKt0M9U3eHVQj6TLramhujJlOsIomNVryM:GUpOx1snR6pU3eHTLr4JlIUNR4
MD5:	46B06B88EF80CC22A479053FF700BD74
SHA1:	96DC54E550E90E5747B2AC9DBC78C10F9C3A8E52
SHA-256:	1E5D7FB7FF9A4EE5E45390301A5D6F7133ECE08C4233B4540D52884174305DC3
SHA-512:	2A0156273AA15791D3483EBC5DB062924BADF5A40634F35940C68DF671154640DB012CE2219745D285438587B00E112E2AEEF8DAD21AFA4F312C693D9538855A
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{6ea32f70-35c0-4c88-a18e-5c9cb0afd85c}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1730242474980,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zD..1...Wm..l........j..:....1":{..jUpdate.....wtartTim..A2464...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...A8bad2467092e6ddeb0dfa9e5ea54d86d26790ca7ba2ce88d10cb4604fe726755","path":"/","na..a"taarI\|.Recure...,`.Donly..fexpiry...34765,"originA...."

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.jsonlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1568
Entropy (8bit):	6.332293829386337
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSgLXnIgc/pnxQwRlszT5sKt0M9U3eHVQj6TLramhujJlOsIomNVryM:GUpOx1snR6pU3eHTLr4JlIUNR4
MD5:	46B06B88EF80CC22A479053FF700BD74
SHA1:	96DC54E550E90E5747B2AC9DBC78C10F9C3A8E52
SHA-256:	1E5D7FB7FF9A4EE5E45390301A5D6F7133ECE08C4233B4540D52884174305DC3
SHA-512:	2A0156273AA15791D3483EBC5DB062924BADF5A40634F35940C68DF671154640DB012CE2219745D285438587B00E112E2AEEF8DAD21AFA4F312C693D9538855A
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{6ea32f70-35c0-4c88-a18e-5c9cb0afd85c}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1730242474980,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zD..1...Wm..l........j..:....1":{..jUpdate.....wtartTim..A2464...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...A8bad2467092e6ddeb0dfa9e5ea54d86d26790ca7ba2ce88d10cb4604fe726755","path":"/","na..a"taarI\|.Recure...,`.Donly..fexpiry...34765,"originA...."

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.jsonlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1568
Entropy (8bit):	6.332293829386337
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSgLXnIgc/pnxQwRlszT5sKt0M9U3eHVQj6TLramhujJlOsIomNVryM:GUpOx1snR6pU3eHTLr4JlIUNR4
MD5:	46B06B88EF80CC22A479053FF700BD74
SHA1:	96DC54E550E90E5747B2AC9DBC78C10F9C3A8E52
SHA-256:	1E5D7FB7FF9A4EE5E45390301A5D6F7133ECE08C4233B4540D52884174305DC3
SHA-512:	2A0156273AA15791D3483EBC5DB062924BADF5A40634F35940C68DF671154640DB012CE2219745D285438587B00E112E2AEEF8DAD21AFA4F312C693D9538855A
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{6ea32f70-35c0-4c88-a18e-5c9cb0afd85c}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1730242474980,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zD..1...Wm..l........j..:....1":{..jUpdate.....wtartTim..A2464...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...A8bad2467092e6ddeb0dfa9e5ea54d86d26790ca7ba2ce88d10cb4604fe726755","path":"/","na..a"taarI\|.Recure...,`.Donly..fexpiry...34765,"originA...."

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 131075, last written using SQLite version 3042000, page size 512, file counter 6, database pages 8, cookie 0x4, schema 4, UTF-8, version-valid-for 6
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	2.0836444556178684
Encrypted:	false
SSDEEP:	24:JBwdh/cEUcR9PzNFPFHx/GJRBdkOrDcRB1trwDeAq2gRMyxr3:jnEUo9LXtR+JdkOnohYsl
MD5:	8B40B1534FF0F4B533AF767EB5639A05
SHA1:	63EDB539EA39AD09D701A36B535C4C087AE08CC9
SHA-256:	AF275A19A5C2C682139266065D90C237282274D11C5619A121B7BDBDB252861B
SHA-512:	54AF707698CED33C206B1B193DA414D630901762E88E37E99885A50D4D5F8DDC28367C9B401DFE251CF0552B4FA446EE28F78A97C9096AFB0F2898BFBB673B53
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\targeting.snapshot.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.033211204709442
Encrypted:	false
SSDEEP:	48:YrSAYP6UQZpExB1+anOsW4Vh351VxWRzzc8eYMsku7f86SLAVL7if5FtsfAcbyJW:ycPyTEr5QFRzzcMvbw6KkCrrc2Rn27
MD5:	BC14C583656C44A05BDB4271FB00C6DB
SHA1:	D4460ECB500A31278FD751C33D9FFF542A4D5E89
SHA-256:	B22B656BA6B2A5AFF49FE8CE3A903E5912D05E5C4072CEA633616ED6ECD32528
SHA-512:	94DF13FF3951224C96D95B8DA7CF840E1BDFA2730F7508BECF35CCE6D22292C3188DAE3BDB35C0106FA1A431448C06326424E0DED60E9994DCBDBA49EC6D7425
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-10-29T22:54:02.263Z","profileAgeCreated":1696333826043,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\targeting.snapshot.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.033211204709442
Encrypted:	false
SSDEEP:	48:YrSAYP6UQZpExB1+anOsW4Vh351VxWRzzc8eYMsku7f86SLAVL7if5FtsfAcbyJW:ycPyTEr5QFRzzcMvbw6KkCrrc2Rn27
MD5:	BC14C583656C44A05BDB4271FB00C6DB
SHA1:	D4460ECB500A31278FD751C33D9FFF542A4D5E89
SHA-256:	B22B656BA6B2A5AFF49FE8CE3A903E5912D05E5C4072CEA633616ED6ECD32528
SHA-512:	94DF13FF3951224C96D95B8DA7CF840E1BDFA2730F7508BECF35CCE6D22292C3188DAE3BDB35C0106FA1A431448C06326424E0DED60E9994DCBDBA49EC6D7425
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-10-29T22:54:02.263Z","profileAgeCreated":1696333826043,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.584644351334913
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	919'552 bytes
MD5:	2b3523adfede40fcc0910d8d35a35cf0
SHA1:	2f173e05e9be665277f1aca6f90a9201bdc74e0d
SHA256:	8c97e550f34d883773a706c101849f2e9e2c2fe09f502bac023673eb03ffe098
SHA512:	93cf7836b4f51a09dc2193eebb33c29ce613d517f47124be22c46803a2aa59365e3d2fdde8900d0660a890e0aeea22bb714343c961ed89f50857988a202b5b85
SSDEEP:	12288:3qDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDga/T4:3qDEvCTbMWu7rQYlBQcBiT6rprG8ab4
TLSH:	5F159E0273D1C062FFAB92334B5AF6515BBC69260123E61F13981DB9BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x67214BF0 [Tue Oct 29 20:56:16 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F4B58ED30C3h
jmp 00007F4B58ED29CFh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F4B58ED2BADh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F4B58ED2B7Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F4B58ED576Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F4B58ED57B8h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F4B58ED57A1h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x9c28	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xde000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x9c28	0x9e00	4667445711c48a8dbb6ff54c944850e4	False	0.31561511075949367	data	5.373106086662922	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xde000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0xef0	data			1.0028765690376569
RT_GROUP_ICON	0xdd6a8	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xdd720	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xdd734	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xdd748	0x14	data	English	Great Britain	1.25
RT_VERSION	0xdd75c	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xdd838	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 29, 2024 22:13:15.303406000 CET	49736	443	192.168.2.4	35.190.72.216
Oct 29, 2024 22:13:15.303450108 CET	443	49736	35.190.72.216	192.168.2.4
Oct 29, 2024 22:13:15.311275959 CET	49736	443	192.168.2.4	35.190.72.216
Oct 29, 2024 22:13:15.316050053 CET	49736	443	192.168.2.4	35.190.72.216
Oct 29, 2024 22:13:15.316063881 CET	443	49736	35.190.72.216	192.168.2.4
Oct 29, 2024 22:13:15.923113108 CET	443	49736	35.190.72.216	192.168.2.4
Oct 29, 2024 22:13:15.923130035 CET	443	49736	35.190.72.216	192.168.2.4
Oct 29, 2024 22:13:15.927875042 CET	49736	443	192.168.2.4	35.190.72.216
Oct 29, 2024 22:13:15.935506105 CET	49736	443	192.168.2.4	35.190.72.216
Oct 29, 2024 22:13:15.935517073 CET	443	49736	35.190.72.216	192.168.2.4
Oct 29, 2024 22:13:15.935627937 CET	49736	443	192.168.2.4	35.190.72.216
Oct 29, 2024 22:13:15.935710907 CET	443	49736	35.190.72.216	192.168.2.4
Oct 29, 2024 22:13:15.936953068 CET	49736	443	192.168.2.4	35.190.72.216
Oct 29, 2024 22:13:17.332684994 CET	49738	443	192.168.2.4	142.250.184.238
Oct 29, 2024 22:13:17.332736015 CET	443	49738	142.250.184.238	192.168.2.4
Oct 29, 2024 22:13:17.333188057 CET	49738	443	192.168.2.4	142.250.184.238
Oct 29, 2024 22:13:17.334700108 CET	49738	443	192.168.2.4	142.250.184.238
Oct 29, 2024 22:13:17.334712982 CET	443	49738	142.250.184.238	192.168.2.4
Oct 29, 2024 22:13:17.682522058 CET	49739	443	192.168.2.4	142.250.184.238
Oct 29, 2024 22:13:17.682563066 CET	443	49739	142.250.184.238	192.168.2.4
Oct 29, 2024 22:13:17.692167997 CET	49739	443	192.168.2.4	142.250.184.238
Oct 29, 2024 22:13:17.693882942 CET	49739	443	192.168.2.4	142.250.184.238
Oct 29, 2024 22:13:17.693900108 CET	443	49739	142.250.184.238	192.168.2.4
Oct 29, 2024 22:13:17.710164070 CET	49740	80	192.168.2.4	34.107.221.82
Oct 29, 2024 22:13:17.715764999 CET	80	49740	34.107.221.82	192.168.2.4
Oct 29, 2024 22:13:17.715825081 CET	49740	80	192.168.2.4	34.107.221.82
Oct 29, 2024 22:13:17.715981007 CET	49740	80	192.168.2.4	34.107.221.82
Oct 29, 2024 22:13:17.721971035 CET	80	49740	34.107.221.82	192.168.2.4
Oct 29, 2024 22:13:17.940220118 CET	49741	443	192.168.2.4	34.117.188.166
Oct 29, 2024 22:13:17.940262079 CET	443	49741	34.117.188.166	192.168.2.4
Oct 29, 2024 22:13:17.943250895 CET	49741	443	192.168.2.4	34.117.188.166
Oct 29, 2024 22:13:17.944706917 CET	49741	443	192.168.2.4	34.117.188.166
Oct 29, 2024 22:13:17.944720984 CET	443	49741	34.117.188.166	192.168.2.4
Oct 29, 2024 22:13:17.951867104 CET	49742	443	192.168.2.4	34.117.188.166
Oct 29, 2024 22:13:17.951924086 CET	443	49742	34.117.188.166	192.168.2.4
Oct 29, 2024 22:13:17.955310106 CET	49742	443	192.168.2.4	34.117.188.166
Oct 29, 2024 22:13:17.956774950 CET	49742	443	192.168.2.4	34.117.188.166
Oct 29, 2024 22:13:17.956818104 CET	443	49742	34.117.188.166	192.168.2.4
Oct 29, 2024 22:13:17.958261967 CET	49743	443	192.168.2.4	35.244.181.201
Oct 29, 2024 22:13:17.958291054 CET	443	49743	35.244.181.201	192.168.2.4
Oct 29, 2024 22:13:17.958786011 CET	49743	443	192.168.2.4	35.244.181.201
Oct 29, 2024 22:13:17.958914995 CET	49743	443	192.168.2.4	35.244.181.201
Oct 29, 2024 22:13:17.958930016 CET	443	49743	35.244.181.201	192.168.2.4
Oct 29, 2024 22:13:18.200644016 CET	443	49738	142.250.184.238	192.168.2.4
Oct 29, 2024 22:13:18.200788975 CET	49738	443	192.168.2.4	142.250.184.238
Oct 29, 2024 22:13:18.201420069 CET	443	49738	142.250.184.238	192.168.2.4
Oct 29, 2024 22:13:18.201478958 CET	49738	443	192.168.2.4	142.250.184.238
Oct 29, 2024 22:13:18.324840069 CET	80	49740	34.107.221.82	192.168.2.4
Oct 29, 2024 22:13:18.334351063 CET	49738	443	192.168.2.4	142.250.184.238
Oct 29, 2024 22:13:18.334369898 CET	443	49738	142.250.184.238	192.168.2.4
Oct 29, 2024 22:13:18.334450960 CET	49738	443	192.168.2.4	142.250.184.238
Oct 29, 2024 22:13:18.334671021 CET	443	49738	142.250.184.238	192.168.2.4
Oct 29, 2024 22:13:18.334851980 CET	49738	443	192.168.2.4	142.250.184.238
Oct 29, 2024 22:13:18.372006893 CET	49740	80	192.168.2.4	34.107.221.82
Oct 29, 2024 22:13:18.378115892 CET	49744	80	192.168.2.4	34.107.221.82
Oct 29, 2024 22:13:18.385104895 CET	80	49744	34.107.221.82	192.168.2.4
Oct 29, 2024 22:13:18.385201931 CET	49744	80	192.168.2.4	34.107.221.82
Oct 29, 2024 22:13:18.385312080 CET	49744	80	192.168.2.4	34.107.221.82
Oct 29, 2024 22:13:18.390897036 CET	80	49744	34.107.221.82	192.168.2.4
Oct 29, 2024 22:13:18.561386108 CET	443	49741	34.117.188.166	192.168.2.4
Oct 29, 2024 22:13:18.562021971 CET	49741	443	192.168.2.4	34.117.188.166
Oct 29, 2024 22:13:18.566342115 CET	49741	443	192.168.2.4	34.117.188.166
Oct 29, 2024 22:13:18.566354036 CET	443	49741	34.117.188.166	192.168.2.4
Oct 29, 2024 22:13:18.566468000 CET	49741	443	192.168.2.4	34.117.188.166
Oct 29, 2024 22:13:18.566509008 CET	443	49741	34.117.188.166	192.168.2.4
Oct 29, 2024 22:13:18.566809893 CET	49745	443	192.168.2.4	34.117.188.166
Oct 29, 2024 22:13:18.566852093 CET	443	49745	34.117.188.166	192.168.2.4
Oct 29, 2024 22:13:18.566962004 CET	49741	443	192.168.2.4	34.117.188.166
Oct 29, 2024 22:13:18.566987038 CET	49745	443	192.168.2.4	34.117.188.166
Oct 29, 2024 22:13:18.568290949 CET	49745	443	192.168.2.4	34.117.188.166
Oct 29, 2024 22:13:18.568300962 CET	443	49745	34.117.188.166	192.168.2.4
Oct 29, 2024 22:13:18.568356991 CET	443	49742	34.117.188.166	192.168.2.4
Oct 29, 2024 22:13:18.568749905 CET	49742	443	192.168.2.4	34.117.188.166
Oct 29, 2024 22:13:18.571089029 CET	443	49743	35.244.181.201	192.168.2.4
Oct 29, 2024 22:13:18.572510958 CET	49742	443	192.168.2.4	34.117.188.166
Oct 29, 2024 22:13:18.572510958 CET	49742	443	192.168.2.4	34.117.188.166
Oct 29, 2024 22:13:18.572542906 CET	443	49742	34.117.188.166	192.168.2.4
Oct 29, 2024 22:13:18.572598934 CET	49743	443	192.168.2.4	35.244.181.201
Oct 29, 2024 22:13:18.572711945 CET	443	49742	34.117.188.166	192.168.2.4
Oct 29, 2024 22:13:18.574856997 CET	443	49739	142.250.184.238	192.168.2.4
Oct 29, 2024 22:13:18.574872017 CET	443	49739	142.250.184.238	192.168.2.4
Oct 29, 2024 22:13:18.575347900 CET	49743	443	192.168.2.4	35.244.181.201
Oct 29, 2024 22:13:18.575381994 CET	443	49743	35.244.181.201	192.168.2.4
Oct 29, 2024 22:13:18.575541973 CET	443	49739	142.250.184.238	192.168.2.4
Oct 29, 2024 22:13:18.575601101 CET	443	49743	35.244.181.201	192.168.2.4
Oct 29, 2024 22:13:18.575774908 CET	49746	443	192.168.2.4	34.117.188.166
Oct 29, 2024 22:13:18.575809002 CET	443	49746	34.117.188.166	192.168.2.4
Oct 29, 2024 22:13:18.575896978 CET	49742	443	192.168.2.4	34.117.188.166
Oct 29, 2024 22:13:18.576071024 CET	49739	443	192.168.2.4	142.250.184.238
Oct 29, 2024 22:13:18.576107025 CET	443	49739	142.250.184.238	192.168.2.4
Oct 29, 2024 22:13:18.578001976 CET	49746	443	192.168.2.4	34.117.188.166
Oct 29, 2024 22:13:18.580646992 CET	49746	443	192.168.2.4	34.117.188.166
Oct 29, 2024 22:13:18.580658913 CET	443	49746	34.117.188.166	192.168.2.4
Oct 29, 2024 22:13:18.580841064 CET	49743	443	192.168.2.4	35.244.181.201
Oct 29, 2024 22:13:18.581139088 CET	49743	443	192.168.2.4	35.244.181.201
Oct 29, 2024 22:13:18.581238985 CET	443	49743	35.244.181.201	192.168.2.4
Oct 29, 2024 22:13:18.581609964 CET	49743	443	192.168.2.4	35.244.181.201
Oct 29, 2024 22:13:18.583612919 CET	49739	443	192.168.2.4	142.250.184.238
Oct 29, 2024 22:13:18.583655119 CET	443	49739	142.250.184.238	192.168.2.4
Oct 29, 2024 22:13:18.583707094 CET	49739	443	192.168.2.4	142.250.184.238
Oct 29, 2024 22:13:18.583786011 CET	443	49739	142.250.184.238	192.168.2.4
Oct 29, 2024 22:13:18.583837986 CET	49739	443	192.168.2.4	142.250.184.238
Oct 29, 2024 22:13:18.696010113 CET	49748	443	192.168.2.4	34.160.144.191
Oct 29, 2024 22:13:18.696038008 CET	443	49748	34.160.144.191	192.168.2.4
Oct 29, 2024 22:13:18.696317911 CET	49748	443	192.168.2.4	34.160.144.191
Oct 29, 2024 22:13:18.696423054 CET	49748	443	192.168.2.4	34.160.144.191
Oct 29, 2024 22:13:18.696436882 CET	443	49748	34.160.144.191	192.168.2.4
Oct 29, 2024 22:13:18.699170113 CET	49740	80	192.168.2.4	34.107.221.82
Oct 29, 2024 22:13:18.704891920 CET	80	49740	34.107.221.82	192.168.2.4
Oct 29, 2024 22:13:18.705080032 CET	49740	80	192.168.2.4	34.107.221.82
Oct 29, 2024 22:13:18.715555906 CET	49749	80	192.168.2.4	34.107.221.82
Oct 29, 2024 22:13:18.721138954 CET	80	49749	34.107.221.82	192.168.2.4
Oct 29, 2024 22:13:18.722141981 CET	49749	80	192.168.2.4	34.107.221.82
Oct 29, 2024 22:13:18.722285032 CET	49749	80	192.168.2.4	34.107.221.82
Oct 29, 2024 22:13:18.727782011 CET	80	49749	34.107.221.82	192.168.2.4
Oct 29, 2024 22:13:18.981986046 CET	80	49744	34.107.221.82	192.168.2.4
Oct 29, 2024 22:13:18.990078926 CET	49744	80	192.168.2.4	34.107.221.82
Oct 29, 2024 22:13:18.996150970 CET	80	49744	34.107.221.82	192.168.2.4
Oct 29, 2024 22:13:19.011538982 CET	49744	80	192.168.2.4	34.107.221.82
Oct 29, 2024 22:13:19.167984962 CET	443	49745	34.117.188.166	192.168.2.4
Oct 29, 2024 22:13:19.171385050 CET	49745	443	192.168.2.4	34.117.188.166
Oct 29, 2024 22:13:19.217153072 CET	49745	443	192.168.2.4	34.117.188.166
Oct 29, 2024 22:13:19.217180967 CET	443	49745	34.117.188.166	192.168.2.4
Oct 29, 2024 22:13:19.217217922 CET	49745	443	192.168.2.4	34.117.188.166
Oct 29, 2024 22:13:19.217361927 CET	443	49745	34.117.188.166	192.168.2.4
Oct 29, 2024 22:13:19.229243994 CET	443	49746	34.117.188.166	192.168.2.4
Oct 29, 2024 22:13:19.231926918 CET	49745	443	192.168.2.4	34.117.188.166
Oct 29, 2024 22:13:19.232573032 CET	49746	443	192.168.2.4	34.117.188.166
Oct 29, 2024 22:13:19.240475893 CET	49746	443	192.168.2.4	34.117.188.166
Oct 29, 2024 22:13:19.240499020 CET	443	49746	34.117.188.166	192.168.2.4
Oct 29, 2024 22:13:19.240570068 CET	49746	443	192.168.2.4	34.117.188.166
Oct 29, 2024 22:13:19.240701914 CET	443	49746	34.117.188.166	192.168.2.4
Oct 29, 2024 22:13:19.240783930 CET	49746	443	192.168.2.4	34.117.188.166
Oct 29, 2024 22:13:19.318829060 CET	443	49748	34.160.144.191	192.168.2.4
Oct 29, 2024 22:13:19.318914890 CET	49748	443	192.168.2.4	34.160.144.191
Oct 29, 2024 22:13:19.322686911 CET	49748	443	192.168.2.4	34.160.144.191
Oct 29, 2024 22:13:19.322699070 CET	443	49748	34.160.144.191	192.168.2.4
Oct 29, 2024 22:13:19.322964907 CET	443	49748	34.160.144.191	192.168.2.4
Oct 29, 2024 22:13:19.325582027 CET	49748	443	192.168.2.4	34.160.144.191
Oct 29, 2024 22:13:19.325705051 CET	49748	443	192.168.2.4	34.160.144.191
Oct 29, 2024 22:13:19.325763941 CET	443	49748	34.160.144.191	192.168.2.4
Oct 29, 2024 22:13:19.326088905 CET	49750	443	192.168.2.4	34.160.144.191
Oct 29, 2024 22:13:19.326129913 CET	443	49750	34.160.144.191	192.168.2.4
Oct 29, 2024 22:13:19.326139927 CET	49748	443	192.168.2.4	34.160.144.191
Oct 29, 2024 22:13:19.326457024 CET	49750	443	192.168.2.4	34.160.144.191
Oct 29, 2024 22:13:19.326546907 CET	49750	443	192.168.2.4	34.160.144.191
Oct 29, 2024 22:13:19.326556921 CET	443	49750	34.160.144.191	192.168.2.4
Oct 29, 2024 22:13:19.336874008 CET	80	49749	34.107.221.82	192.168.2.4
Oct 29, 2024 22:13:19.388242960 CET	49749	80	192.168.2.4	34.107.221.82
Oct 29, 2024 22:13:19.915756941 CET	49752	443	192.168.2.4	34.117.188.166
Oct 29, 2024 22:13:19.915826082 CET	443	49752	34.117.188.166	192.168.2.4
Oct 29, 2024 22:13:19.920989037 CET	49752	443	192.168.2.4	34.117.188.166
Oct 29, 2024 22:13:19.922930002 CET	49752	443	192.168.2.4	34.117.188.166
Oct 29, 2024 22:13:19.922945976 CET	443	49752	34.117.188.166	192.168.2.4
Oct 29, 2024 22:13:19.937082052 CET	443	49750	34.160.144.191	192.168.2.4
Oct 29, 2024 22:13:19.938299894 CET	49750	443	192.168.2.4	34.160.144.191
Oct 29, 2024 22:13:19.941124916 CET	49750	443	192.168.2.4	34.160.144.191
Oct 29, 2024 22:13:19.941135883 CET	443	49750	34.160.144.191	192.168.2.4
Oct 29, 2024 22:13:19.941375017 CET	443	49750	34.160.144.191	192.168.2.4
Oct 29, 2024 22:13:19.944135904 CET	49750	443	192.168.2.4	34.160.144.191
Oct 29, 2024 22:13:19.944202900 CET	49750	443	192.168.2.4	34.160.144.191
Oct 29, 2024 22:13:19.944297075 CET	443	49750	34.160.144.191	192.168.2.4
Oct 29, 2024 22:13:19.944348097 CET	49750	443	192.168.2.4	34.160.144.191
Oct 29, 2024 22:13:20.086971998 CET	49753	80	192.168.2.4	34.107.221.82
Oct 29, 2024 22:13:20.092386961 CET	80	49753	34.107.221.82	192.168.2.4
Oct 29, 2024 22:13:20.100568056 CET	49753	80	192.168.2.4	34.107.221.82
Oct 29, 2024 22:13:20.100672960 CET	49753	80	192.168.2.4	34.107.221.82
Oct 29, 2024 22:13:20.106657028 CET	80	49753	34.107.221.82	192.168.2.4
Oct 29, 2024 22:13:20.212815046 CET	49749	80	192.168.2.4	34.107.221.82
Oct 29, 2024 22:13:20.218708992 CET	80	49749	34.107.221.82	192.168.2.4
Oct 29, 2024 22:13:20.339437008 CET	80	49749	34.107.221.82	192.168.2.4
Oct 29, 2024 22:13:20.391135931 CET	49749	80	192.168.2.4	34.107.221.82
Oct 29, 2024 22:13:20.532937050 CET	443	49752	34.117.188.166	192.168.2.4
Oct 29, 2024 22:13:20.533102989 CET	49752	443	192.168.2.4	34.117.188.166
Oct 29, 2024 22:13:20.541903973 CET	49752	443	192.168.2.4	34.117.188.166
Oct 29, 2024 22:13:20.541915894 CET	443	49752	34.117.188.166	192.168.2.4
Oct 29, 2024 22:13:20.542038918 CET	49752	443	192.168.2.4	34.117.188.166
Oct 29, 2024 22:13:20.542093992 CET	443	49752	34.117.188.166	192.168.2.4
Oct 29, 2024 22:13:20.542408943 CET	49754	443	192.168.2.4	34.117.188.166
Oct 29, 2024 22:13:20.542440891 CET	443	49754	34.117.188.166	192.168.2.4
Oct 29, 2024 22:13:20.542469978 CET	49752	443	192.168.2.4	34.117.188.166
Oct 29, 2024 22:13:20.542589903 CET	49754	443	192.168.2.4	34.117.188.166
Oct 29, 2024 22:13:20.543967962 CET	49754	443	192.168.2.4	34.117.188.166
Oct 29, 2024 22:13:20.543978930 CET	443	49754	34.117.188.166	192.168.2.4
Oct 29, 2024 22:13:20.706851006 CET	80	49753	34.107.221.82	192.168.2.4
Oct 29, 2024 22:13:20.754514933 CET	49753	80	192.168.2.4	34.107.221.82
Oct 29, 2024 22:13:20.841059923 CET	49753	80	192.168.2.4	34.107.221.82
Oct 29, 2024 22:13:20.846803904 CET	80	49753	34.107.221.82	192.168.2.4
Oct 29, 2024 22:13:20.978498936 CET	80	49753	34.107.221.82	192.168.2.4
Oct 29, 2024 22:13:21.024111986 CET	49753	80	192.168.2.4	34.107.221.82
Oct 29, 2024 22:13:21.158056021 CET	443	49754	34.117.188.166	192.168.2.4
Oct 29, 2024 22:13:21.158140898 CET	49754	443	192.168.2.4	34.117.188.166
Oct 29, 2024 22:13:21.163516998 CET	49754	443	192.168.2.4	34.117.188.166
Oct 29, 2024 22:13:21.163527966 CET	443	49754	34.117.188.166	192.168.2.4
Oct 29, 2024 22:13:21.163602114 CET	49754	443	192.168.2.4	34.117.188.166
Oct 29, 2024 22:13:21.163703918 CET	443	49754	34.117.188.166	192.168.2.4
Oct 29, 2024 22:13:21.163763046 CET	49754	443	192.168.2.4	34.117.188.166
Oct 29, 2024 22:13:24.005816936 CET	49749	80	192.168.2.4	34.107.221.82
Oct 29, 2024 22:13:24.012926102 CET	80	49749	34.107.221.82	192.168.2.4
Oct 29, 2024 22:13:24.133351088 CET	80	49749	34.107.221.82	192.168.2.4
Oct 29, 2024 22:13:24.166938066 CET	49756	443	192.168.2.4	34.107.243.93
Oct 29, 2024 22:13:24.166980028 CET	443	49756	34.107.243.93	192.168.2.4
Oct 29, 2024 22:13:24.169590950 CET	49756	443	192.168.2.4	34.107.243.93
Oct 29, 2024 22:13:24.171160936 CET	49756	443	192.168.2.4	34.107.243.93
Oct 29, 2024 22:13:24.171175957 CET	443	49756	34.107.243.93	192.168.2.4
Oct 29, 2024 22:13:24.194962025 CET	49749	80	192.168.2.4	34.107.221.82
Oct 29, 2024 22:13:24.795397997 CET	443	49756	34.107.243.93	192.168.2.4
Oct 29, 2024 22:13:24.795547009 CET	49756	443	192.168.2.4	34.107.243.93
Oct 29, 2024 22:13:24.799957037 CET	49756	443	192.168.2.4	34.107.243.93
Oct 29, 2024 22:13:24.799968004 CET	443	49756	34.107.243.93	192.168.2.4
Oct 29, 2024 22:13:24.800034046 CET	49756	443	192.168.2.4	34.107.243.93
Oct 29, 2024 22:13:24.800122023 CET	443	49756	34.107.243.93	192.168.2.4
Oct 29, 2024 22:13:24.800226927 CET	49756	443	192.168.2.4	34.107.243.93
Oct 29, 2024 22:13:28.246773005 CET	49759	443	192.168.2.4	35.244.181.201
Oct 29, 2024 22:13:28.246793985 CET	443	49759	35.244.181.201	192.168.2.4
Oct 29, 2024 22:13:28.247008085 CET	49759	443	192.168.2.4	35.244.181.201
Oct 29, 2024 22:13:28.247231960 CET	49759	443	192.168.2.4	35.244.181.201
Oct 29, 2024 22:13:28.247245073 CET	443	49759	35.244.181.201	192.168.2.4
Oct 29, 2024 22:13:28.869009018 CET	443	49759	35.244.181.201	192.168.2.4
Oct 29, 2024 22:13:28.869124889 CET	49759	443	192.168.2.4	35.244.181.201
Oct 29, 2024 22:13:28.872029066 CET	49759	443	192.168.2.4	35.244.181.201
Oct 29, 2024 22:13:28.872036934 CET	443	49759	35.244.181.201	192.168.2.4
Oct 29, 2024 22:13:28.872273922 CET	443	49759	35.244.181.201	192.168.2.4
Oct 29, 2024 22:13:28.874531984 CET	49759	443	192.168.2.4	35.244.181.201
Oct 29, 2024 22:13:28.874578953 CET	49759	443	192.168.2.4	35.244.181.201
Oct 29, 2024 22:13:28.874664068 CET	443	49759	35.244.181.201	192.168.2.4
Oct 29, 2024 22:13:28.875006914 CET	49759	443	192.168.2.4	35.244.181.201
Oct 29, 2024 22:13:29.060430050 CET	49753	80	192.168.2.4	34.107.221.82
Oct 29, 2024 22:13:29.066005945 CET	80	49753	34.107.221.82	192.168.2.4
Oct 29, 2024 22:13:29.070730925 CET	49762	443	192.168.2.4	34.120.208.123
Oct 29, 2024 22:13:29.070770025 CET	443	49762	34.120.208.123	192.168.2.4
Oct 29, 2024 22:13:29.070955992 CET	49762	443	192.168.2.4	34.120.208.123
Oct 29, 2024 22:13:29.072279930 CET	49762	443	192.168.2.4	34.120.208.123
Oct 29, 2024 22:13:29.072298050 CET	443	49762	34.120.208.123	192.168.2.4
Oct 29, 2024 22:13:29.188456059 CET	80	49753	34.107.221.82	192.168.2.4
Oct 29, 2024 22:13:29.242911100 CET	49753	80	192.168.2.4	34.107.221.82
Oct 29, 2024 22:13:29.686506033 CET	443	49762	34.120.208.123	192.168.2.4
Oct 29, 2024 22:13:29.687957048 CET	49762	443	192.168.2.4	34.120.208.123
Oct 29, 2024 22:13:29.731915951 CET	49762	443	192.168.2.4	34.120.208.123
Oct 29, 2024 22:13:29.731937885 CET	443	49762	34.120.208.123	192.168.2.4
Oct 29, 2024 22:13:29.732008934 CET	49762	443	192.168.2.4	34.120.208.123
Oct 29, 2024 22:13:29.732181072 CET	443	49762	34.120.208.123	192.168.2.4
Oct 29, 2024 22:13:29.741440058 CET	49749	80	192.168.2.4	34.107.221.82
Oct 29, 2024 22:13:29.742738962 CET	49762	443	192.168.2.4	34.120.208.123
Oct 29, 2024 22:13:29.747031927 CET	80	49749	34.107.221.82	192.168.2.4
Oct 29, 2024 22:13:29.866815090 CET	80	49749	34.107.221.82	192.168.2.4
Oct 29, 2024 22:13:29.907135010 CET	49749	80	192.168.2.4	34.107.221.82
Oct 29, 2024 22:13:30.374454975 CET	49764	443	192.168.2.4	34.120.208.123
Oct 29, 2024 22:13:30.374502897 CET	443	49764	34.120.208.123	192.168.2.4
Oct 29, 2024 22:13:30.375828028 CET	49764	443	192.168.2.4	34.120.208.123
Oct 29, 2024 22:13:30.377296925 CET	49764	443	192.168.2.4	34.120.208.123
Oct 29, 2024 22:13:30.377320051 CET	443	49764	34.120.208.123	192.168.2.4
Oct 29, 2024 22:13:30.380023956 CET	49753	80	192.168.2.4	34.107.221.82
Oct 29, 2024 22:13:30.385690928 CET	80	49753	34.107.221.82	192.168.2.4
Oct 29, 2024 22:13:30.556818008 CET	80	49753	34.107.221.82	192.168.2.4
Oct 29, 2024 22:13:30.609272003 CET	49753	80	192.168.2.4	34.107.221.82
Oct 29, 2024 22:13:30.794543982 CET	49765	443	192.168.2.4	34.149.100.209
Oct 29, 2024 22:13:30.794583082 CET	443	49765	34.149.100.209	192.168.2.4
Oct 29, 2024 22:13:30.794647932 CET	49765	443	192.168.2.4	34.149.100.209
Oct 29, 2024 22:13:30.810616016 CET	49765	443	192.168.2.4	34.149.100.209
Oct 29, 2024 22:13:30.810635090 CET	443	49765	34.149.100.209	192.168.2.4
Oct 29, 2024 22:13:31.054162979 CET	443	49764	34.120.208.123	192.168.2.4
Oct 29, 2024 22:13:31.054246902 CET	49764	443	192.168.2.4	34.120.208.123
Oct 29, 2024 22:13:31.058384895 CET	49764	443	192.168.2.4	34.120.208.123
Oct 29, 2024 22:13:31.058398008 CET	443	49764	34.120.208.123	192.168.2.4
Oct 29, 2024 22:13:31.058484077 CET	49764	443	192.168.2.4	34.120.208.123
Oct 29, 2024 22:13:31.058564901 CET	443	49764	34.120.208.123	192.168.2.4
Oct 29, 2024 22:13:31.058621883 CET	49764	443	192.168.2.4	34.120.208.123
Oct 29, 2024 22:13:31.288064003 CET	49749	80	192.168.2.4	34.107.221.82
Oct 29, 2024 22:13:31.289768934 CET	49767	443	192.168.2.4	34.120.208.123
Oct 29, 2024 22:13:31.289798021 CET	443	49767	34.120.208.123	192.168.2.4
Oct 29, 2024 22:13:31.292311907 CET	49767	443	192.168.2.4	34.120.208.123
Oct 29, 2024 22:13:31.293772936 CET	49767	443	192.168.2.4	34.120.208.123
Oct 29, 2024 22:13:31.293786049 CET	443	49767	34.120.208.123	192.168.2.4
Oct 29, 2024 22:13:31.296019077 CET	80	49749	34.107.221.82	192.168.2.4
Oct 29, 2024 22:13:31.416743040 CET	80	49749	34.107.221.82	192.168.2.4
Oct 29, 2024 22:13:31.427424908 CET	443	49765	34.149.100.209	192.168.2.4
Oct 29, 2024 22:13:31.427498102 CET	49765	443	192.168.2.4	34.149.100.209
Oct 29, 2024 22:13:31.464421988 CET	49749	80	192.168.2.4	34.107.221.82
Oct 29, 2024 22:13:31.506066084 CET	49765	443	192.168.2.4	34.149.100.209
Oct 29, 2024 22:13:31.506094933 CET	443	49765	34.149.100.209	192.168.2.4
Oct 29, 2024 22:13:31.506205082 CET	49765	443	192.168.2.4	34.149.100.209
Oct 29, 2024 22:13:31.506361961 CET	443	49765	34.149.100.209	192.168.2.4
Oct 29, 2024 22:13:31.506416082 CET	49765	443	192.168.2.4	34.149.100.209
Oct 29, 2024 22:13:31.506572962 CET	49768	443	192.168.2.4	34.149.100.209
Oct 29, 2024 22:13:31.506592989 CET	443	49768	34.149.100.209	192.168.2.4
Oct 29, 2024 22:13:31.506659985 CET	49768	443	192.168.2.4	34.149.100.209
Oct 29, 2024 22:13:31.508027077 CET	49768	443	192.168.2.4	34.149.100.209
Oct 29, 2024 22:13:31.508038998 CET	443	49768	34.149.100.209	192.168.2.4
Oct 29, 2024 22:13:31.573097944 CET	49753	80	192.168.2.4	34.107.221.82
Oct 29, 2024 22:13:31.645899057 CET	80	49753	34.107.221.82	192.168.2.4
Oct 29, 2024 22:13:31.956809998 CET	80	49753	34.107.221.82	192.168.2.4
Oct 29, 2024 22:13:31.960004091 CET	443	49767	34.120.208.123	192.168.2.4
Oct 29, 2024 22:13:31.960088015 CET	49767	443	192.168.2.4	34.120.208.123
Oct 29, 2024 22:13:31.997145891 CET	49753	80	192.168.2.4	34.107.221.82
Oct 29, 2024 22:13:32.000227928 CET	80	49753	34.107.221.82	192.168.2.4
Oct 29, 2024 22:13:32.000549078 CET	49767	443	192.168.2.4	34.120.208.123
Oct 29, 2024 22:13:32.000575066 CET	443	49767	34.120.208.123	192.168.2.4
Oct 29, 2024 22:13:32.000626087 CET	49767	443	192.168.2.4	34.120.208.123
Oct 29, 2024 22:13:32.000780106 CET	443	49767	34.120.208.123	192.168.2.4
Oct 29, 2024 22:13:32.000806093 CET	49753	80	192.168.2.4	34.107.221.82
Oct 29, 2024 22:13:32.000857115 CET	49767	443	192.168.2.4	34.120.208.123
Oct 29, 2024 22:13:32.011826992 CET	49749	80	192.168.2.4	34.107.221.82
Oct 29, 2024 22:13:32.017457008 CET	80	49749	34.107.221.82	192.168.2.4
Oct 29, 2024 22:13:32.137223005 CET	80	49749	34.107.221.82	192.168.2.4
Oct 29, 2024 22:13:32.182094097 CET	49749	80	192.168.2.4	34.107.221.82
Oct 29, 2024 22:13:32.249815941 CET	443	49768	34.149.100.209	192.168.2.4
Oct 29, 2024 22:13:32.249900103 CET	49768	443	192.168.2.4	34.149.100.209
Oct 29, 2024 22:13:33.823177099 CET	49753	80	192.168.2.4	34.107.221.82
Oct 29, 2024 22:13:33.825925112 CET	49768	443	192.168.2.4	34.149.100.209
Oct 29, 2024 22:13:33.825946093 CET	443	49768	34.149.100.209	192.168.2.4
Oct 29, 2024 22:13:33.825992107 CET	49768	443	192.168.2.4	34.149.100.209
Oct 29, 2024 22:13:33.826231003 CET	443	49768	34.149.100.209	192.168.2.4
Oct 29, 2024 22:13:33.826834917 CET	49768	443	192.168.2.4	34.149.100.209
Oct 29, 2024 22:13:33.828754902 CET	80	49753	34.107.221.82	192.168.2.4
Oct 29, 2024 22:13:33.950434923 CET	80	49753	34.107.221.82	192.168.2.4
Oct 29, 2024 22:13:34.002948999 CET	49753	80	192.168.2.4	34.107.221.82
Oct 29, 2024 22:13:34.952222109 CET	49749	80	192.168.2.4	34.107.221.82
Oct 29, 2024 22:13:34.957814932 CET	80	49749	34.107.221.82	192.168.2.4
Oct 29, 2024 22:13:34.959564924 CET	49769	443	192.168.2.4	34.120.208.123
Oct 29, 2024 22:13:34.959605932 CET	443	49769	34.120.208.123	192.168.2.4
Oct 29, 2024 22:13:34.969800949 CET	49770	443	192.168.2.4	34.107.243.93
Oct 29, 2024 22:13:34.969813108 CET	443	49770	34.107.243.93	192.168.2.4
Oct 29, 2024 22:13:34.970128059 CET	49769	443	192.168.2.4	34.120.208.123
Oct 29, 2024 22:13:34.970397949 CET	49769	443	192.168.2.4	34.120.208.123
Oct 29, 2024 22:13:34.970397949 CET	49770	443	192.168.2.4	34.107.243.93
Oct 29, 2024 22:13:34.970408916 CET	443	49769	34.120.208.123	192.168.2.4
Oct 29, 2024 22:13:34.972362995 CET	49770	443	192.168.2.4	34.107.243.93
Oct 29, 2024 22:13:34.972376108 CET	443	49770	34.107.243.93	192.168.2.4
Oct 29, 2024 22:13:35.015439034 CET	49771	443	192.168.2.4	34.120.208.123
Oct 29, 2024 22:13:35.015469074 CET	443	49771	34.120.208.123	192.168.2.4
Oct 29, 2024 22:13:35.019149065 CET	49771	443	192.168.2.4	34.120.208.123
Oct 29, 2024 22:13:35.020031929 CET	49771	443	192.168.2.4	34.120.208.123
Oct 29, 2024 22:13:35.020042896 CET	443	49771	34.120.208.123	192.168.2.4
Oct 29, 2024 22:13:35.027781010 CET	49772	443	192.168.2.4	34.120.208.123
Oct 29, 2024 22:13:35.027826071 CET	443	49772	34.120.208.123	192.168.2.4
Oct 29, 2024 22:13:35.036185980 CET	49772	443	192.168.2.4	34.120.208.123
Oct 29, 2024 22:13:35.038352966 CET	49772	443	192.168.2.4	34.120.208.123
Oct 29, 2024 22:13:35.038384914 CET	443	49772	34.120.208.123	192.168.2.4
Oct 29, 2024 22:13:35.078502893 CET	80	49749	34.107.221.82	192.168.2.4
Oct 29, 2024 22:13:35.087420940 CET	49753	80	192.168.2.4	34.107.221.82
Oct 29, 2024 22:13:35.094127893 CET	80	49753	34.107.221.82	192.168.2.4
Oct 29, 2024 22:13:35.138405085 CET	49749	80	192.168.2.4	34.107.221.82
Oct 29, 2024 22:13:35.216517925 CET	80	49753	34.107.221.82	192.168.2.4
Oct 29, 2024 22:13:35.270608902 CET	49753	80	192.168.2.4	34.107.221.82
Oct 29, 2024 22:13:35.572603941 CET	443	49769	34.120.208.123	192.168.2.4
Oct 29, 2024 22:13:35.572622061 CET	443	49769	34.120.208.123	192.168.2.4
Oct 29, 2024 22:13:35.572700024 CET	49769	443	192.168.2.4	34.120.208.123
Oct 29, 2024 22:13:35.577044010 CET	49769	443	192.168.2.4	34.120.208.123
Oct 29, 2024 22:13:35.577052116 CET	443	49769	34.120.208.123	192.168.2.4
Oct 29, 2024 22:13:35.577274084 CET	443	49769	34.120.208.123	192.168.2.4
Oct 29, 2024 22:13:35.588862896 CET	49769	443	192.168.2.4	34.120.208.123
Oct 29, 2024 22:13:35.589011908 CET	49769	443	192.168.2.4	34.120.208.123
Oct 29, 2024 22:13:35.589014053 CET	443	49769	34.120.208.123	192.168.2.4
Oct 29, 2024 22:13:35.589024067 CET	443	49769	34.120.208.123	192.168.2.4
Oct 29, 2024 22:13:35.591466904 CET	443	49770	34.107.243.93	192.168.2.4
Oct 29, 2024 22:13:35.591984034 CET	49770	443	192.168.2.4	34.107.243.93
Oct 29, 2024 22:13:35.594494104 CET	49749	80	192.168.2.4	34.107.221.82
Oct 29, 2024 22:13:35.598448992 CET	49770	443	192.168.2.4	34.107.243.93
Oct 29, 2024 22:13:35.598455906 CET	443	49770	34.107.243.93	192.168.2.4
Oct 29, 2024 22:13:35.598581076 CET	49770	443	192.168.2.4	34.107.243.93
Oct 29, 2024 22:13:35.598634005 CET	443	49770	34.107.243.93	192.168.2.4
Oct 29, 2024 22:13:35.598715067 CET	49770	443	192.168.2.4	34.107.243.93
Oct 29, 2024 22:13:35.599951029 CET	80	49749	34.107.221.82	192.168.2.4
Oct 29, 2024 22:13:35.620223999 CET	443	49771	34.120.208.123	192.168.2.4
Oct 29, 2024 22:13:35.620352030 CET	49771	443	192.168.2.4	34.120.208.123
Oct 29, 2024 22:13:35.624243021 CET	49771	443	192.168.2.4	34.120.208.123
Oct 29, 2024 22:13:35.624248981 CET	443	49771	34.120.208.123	192.168.2.4
Oct 29, 2024 22:13:35.624480009 CET	443	49771	34.120.208.123	192.168.2.4
Oct 29, 2024 22:13:35.628362894 CET	49771	443	192.168.2.4	34.120.208.123
Oct 29, 2024 22:13:35.628493071 CET	49771	443	192.168.2.4	34.120.208.123
Oct 29, 2024 22:13:35.628509998 CET	443	49771	34.120.208.123	192.168.2.4
Oct 29, 2024 22:13:35.628990889 CET	49771	443	192.168.2.4	34.120.208.123
Oct 29, 2024 22:13:35.646094084 CET	443	49772	34.120.208.123	192.168.2.4
Oct 29, 2024 22:13:35.646111965 CET	443	49772	34.120.208.123	192.168.2.4
Oct 29, 2024 22:13:35.646290064 CET	49772	443	192.168.2.4	34.120.208.123
Oct 29, 2024 22:13:35.652183056 CET	49772	443	192.168.2.4	34.120.208.123
Oct 29, 2024 22:13:35.652230024 CET	443	49772	34.120.208.123	192.168.2.4
Oct 29, 2024 22:13:35.652280092 CET	49772	443	192.168.2.4	34.120.208.123
Oct 29, 2024 22:13:35.652410030 CET	443	49772	34.120.208.123	192.168.2.4
Oct 29, 2024 22:13:35.652806044 CET	49772	443	192.168.2.4	34.120.208.123
Oct 29, 2024 22:13:35.658231020 CET	49773	443	192.168.2.4	34.120.208.123
Oct 29, 2024 22:13:35.658269882 CET	443	49773	34.120.208.123	192.168.2.4
Oct 29, 2024 22:13:35.658838034 CET	49773	443	192.168.2.4	34.120.208.123
Oct 29, 2024 22:13:35.660923004 CET	49773	443	192.168.2.4	34.120.208.123
Oct 29, 2024 22:13:35.660933971 CET	443	49773	34.120.208.123	192.168.2.4
Oct 29, 2024 22:13:35.719569921 CET	80	49749	34.107.221.82	192.168.2.4
Oct 29, 2024 22:13:35.723591089 CET	49753	80	192.168.2.4	34.107.221.82
Oct 29, 2024 22:13:35.729032040 CET	80	49753	34.107.221.82	192.168.2.4
Oct 29, 2024 22:13:35.772121906 CET	49749	80	192.168.2.4	34.107.221.82
Oct 29, 2024 22:13:35.803337097 CET	443	49769	34.120.208.123	192.168.2.4
Oct 29, 2024 22:13:35.805150032 CET	49769	443	192.168.2.4	34.120.208.123
Oct 29, 2024 22:13:35.861164093 CET	80	49753	34.107.221.82	192.168.2.4
Oct 29, 2024 22:13:35.903614044 CET	49753	80	192.168.2.4	34.107.221.82
Oct 29, 2024 22:13:36.265213966 CET	443	49773	34.120.208.123	192.168.2.4
Oct 29, 2024 22:13:36.265290976 CET	49773	443	192.168.2.4	34.120.208.123
Oct 29, 2024 22:13:36.270910978 CET	49773	443	192.168.2.4	34.120.208.123
Oct 29, 2024 22:13:36.270916939 CET	443	49773	34.120.208.123	192.168.2.4
Oct 29, 2024 22:13:36.271038055 CET	49773	443	192.168.2.4	34.120.208.123
Oct 29, 2024 22:13:36.271081924 CET	443	49773	34.120.208.123	192.168.2.4
Oct 29, 2024 22:13:36.271143913 CET	49773	443	192.168.2.4	34.120.208.123
Oct 29, 2024 22:13:37.905143023 CET	49749	80	192.168.2.4	34.107.221.82
Oct 29, 2024 22:13:37.910541058 CET	80	49749	34.107.221.82	192.168.2.4
Oct 29, 2024 22:13:37.911089897 CET	49774	443	192.168.2.4	34.120.208.123
Oct 29, 2024 22:13:37.911140919 CET	443	49774	34.120.208.123	192.168.2.4
Oct 29, 2024 22:13:37.911341906 CET	49774	443	192.168.2.4	34.120.208.123
Oct 29, 2024 22:13:37.912678957 CET	49774	443	192.168.2.4	34.120.208.123
Oct 29, 2024 22:13:37.912692070 CET	443	49774	34.120.208.123	192.168.2.4
Oct 29, 2024 22:13:38.031203985 CET	80	49749	34.107.221.82	192.168.2.4
Oct 29, 2024 22:13:38.034559011 CET	49753	80	192.168.2.4	34.107.221.82
Oct 29, 2024 22:13:38.040117979 CET	80	49753	34.107.221.82	192.168.2.4
Oct 29, 2024 22:13:38.078685999 CET	49749	80	192.168.2.4	34.107.221.82
Oct 29, 2024 22:13:38.161870956 CET	80	49753	34.107.221.82	192.168.2.4
Oct 29, 2024 22:13:38.210213900 CET	49753	80	192.168.2.4	34.107.221.82
Oct 29, 2024 22:13:38.512592077 CET	443	49774	34.120.208.123	192.168.2.4
Oct 29, 2024 22:13:38.512691975 CET	49774	443	192.168.2.4	34.120.208.123
Oct 29, 2024 22:13:38.518935919 CET	49774	443	192.168.2.4	34.120.208.123
Oct 29, 2024 22:13:38.518955946 CET	443	49774	34.120.208.123	192.168.2.4
Oct 29, 2024 22:13:38.519085884 CET	49774	443	192.168.2.4	34.120.208.123
Oct 29, 2024 22:13:38.519181967 CET	443	49774	34.120.208.123	192.168.2.4
Oct 29, 2024 22:13:38.521368980 CET	49774	443	192.168.2.4	34.120.208.123
Oct 29, 2024 22:13:38.522838116 CET	49749	80	192.168.2.4	34.107.221.82
Oct 29, 2024 22:13:38.528295040 CET	80	49749	34.107.221.82	192.168.2.4
Oct 29, 2024 22:13:38.648093939 CET	80	49749	34.107.221.82	192.168.2.4
Oct 29, 2024 22:13:38.651065111 CET	49753	80	192.168.2.4	34.107.221.82
Oct 29, 2024 22:13:38.657098055 CET	80	49753	34.107.221.82	192.168.2.4
Oct 29, 2024 22:13:38.696058989 CET	49749	80	192.168.2.4	34.107.221.82
Oct 29, 2024 22:13:38.780415058 CET	80	49753	34.107.221.82	192.168.2.4
Oct 29, 2024 22:13:38.827717066 CET	49753	80	192.168.2.4	34.107.221.82
Oct 29, 2024 22:13:43.968699932 CET	49775	443	192.168.2.4	35.244.181.201
Oct 29, 2024 22:13:43.968750000 CET	443	49775	35.244.181.201	192.168.2.4
Oct 29, 2024 22:13:43.974335909 CET	49775	443	192.168.2.4	35.244.181.201
Oct 29, 2024 22:13:43.974481106 CET	49775	443	192.168.2.4	35.244.181.201
Oct 29, 2024 22:13:43.974493027 CET	443	49775	35.244.181.201	192.168.2.4
Oct 29, 2024 22:13:43.993406057 CET	49776	443	192.168.2.4	34.149.100.209
Oct 29, 2024 22:13:43.993457079 CET	443	49776	34.149.100.209	192.168.2.4
Oct 29, 2024 22:13:43.993586063 CET	49776	443	192.168.2.4	34.149.100.209
Oct 29, 2024 22:13:43.993694067 CET	49776	443	192.168.2.4	34.149.100.209
Oct 29, 2024 22:13:43.993706942 CET	443	49776	34.149.100.209	192.168.2.4
Oct 29, 2024 22:13:43.999182940 CET	49777	443	192.168.2.4	151.101.129.91
Oct 29, 2024 22:13:43.999213934 CET	443	49777	151.101.129.91	192.168.2.4
Oct 29, 2024 22:13:43.999610901 CET	49777	443	192.168.2.4	151.101.129.91
Oct 29, 2024 22:13:43.999733925 CET	49777	443	192.168.2.4	151.101.129.91
Oct 29, 2024 22:13:43.999748945 CET	443	49777	151.101.129.91	192.168.2.4
Oct 29, 2024 22:13:44.014592886 CET	49778	443	192.168.2.4	35.190.72.216
Oct 29, 2024 22:13:44.014622927 CET	443	49778	35.190.72.216	192.168.2.4
Oct 29, 2024 22:13:44.018270969 CET	49778	443	192.168.2.4	35.190.72.216
Oct 29, 2024 22:13:44.019706011 CET	49778	443	192.168.2.4	35.190.72.216
Oct 29, 2024 22:13:44.019718885 CET	443	49778	35.190.72.216	192.168.2.4
Oct 29, 2024 22:13:44.032572985 CET	49779	443	192.168.2.4	35.201.103.21
Oct 29, 2024 22:13:44.032586098 CET	443	49779	35.201.103.21	192.168.2.4
Oct 29, 2024 22:13:44.033433914 CET	49779	443	192.168.2.4	35.201.103.21
Oct 29, 2024 22:13:44.035104990 CET	49779	443	192.168.2.4	35.201.103.21
Oct 29, 2024 22:13:44.035115957 CET	443	49779	35.201.103.21	192.168.2.4
Oct 29, 2024 22:13:44.609085083 CET	443	49776	34.149.100.209	192.168.2.4
Oct 29, 2024 22:13:44.609291077 CET	49776	443	192.168.2.4	34.149.100.209
Oct 29, 2024 22:13:44.612381935 CET	49776	443	192.168.2.4	34.149.100.209
Oct 29, 2024 22:13:44.612394094 CET	443	49776	34.149.100.209	192.168.2.4
Oct 29, 2024 22:13:44.612596035 CET	443	49776	34.149.100.209	192.168.2.4
Oct 29, 2024 22:13:44.615042925 CET	49776	443	192.168.2.4	34.149.100.209
Oct 29, 2024 22:13:44.615171909 CET	49776	443	192.168.2.4	34.149.100.209
Oct 29, 2024 22:13:44.615175009 CET	443	49776	34.149.100.209	192.168.2.4
Oct 29, 2024 22:13:44.615184069 CET	443	49776	34.149.100.209	192.168.2.4
Oct 29, 2024 22:13:44.616583109 CET	443	49777	151.101.129.91	192.168.2.4
Oct 29, 2024 22:13:44.619328976 CET	49777	443	192.168.2.4	151.101.129.91
Oct 29, 2024 22:13:44.621115923 CET	49777	443	192.168.2.4	151.101.129.91
Oct 29, 2024 22:13:44.621131897 CET	443	49777	151.101.129.91	192.168.2.4
Oct 29, 2024 22:13:44.621275902 CET	49749	80	192.168.2.4	34.107.221.82
Oct 29, 2024 22:13:44.621345043 CET	443	49777	151.101.129.91	192.168.2.4
Oct 29, 2024 22:13:44.623840094 CET	49777	443	192.168.2.4	151.101.129.91
Oct 29, 2024 22:13:44.623989105 CET	443	49777	151.101.129.91	192.168.2.4
Oct 29, 2024 22:13:44.624044895 CET	49777	443	192.168.2.4	151.101.129.91
Oct 29, 2024 22:13:44.624053955 CET	443	49777	151.101.129.91	192.168.2.4
Oct 29, 2024 22:13:44.624151945 CET	49777	443	192.168.2.4	151.101.129.91
Oct 29, 2024 22:13:44.626724958 CET	80	49749	34.107.221.82	192.168.2.4
Oct 29, 2024 22:13:44.631644964 CET	49780	443	192.168.2.4	35.244.181.201
Oct 29, 2024 22:13:44.631678104 CET	443	49780	35.244.181.201	192.168.2.4
Oct 29, 2024 22:13:44.632019997 CET	443	49778	35.190.72.216	192.168.2.4
Oct 29, 2024 22:13:44.632220030 CET	49780	443	192.168.2.4	35.244.181.201
Oct 29, 2024 22:13:44.632359982 CET	49778	443	192.168.2.4	35.190.72.216
Oct 29, 2024 22:13:44.635045052 CET	49780	443	192.168.2.4	35.244.181.201
Oct 29, 2024 22:13:44.635056019 CET	443	49780	35.244.181.201	192.168.2.4
Oct 29, 2024 22:13:44.636254072 CET	49781	443	192.168.2.4	35.244.181.201
Oct 29, 2024 22:13:44.636286974 CET	443	49781	35.244.181.201	192.168.2.4
Oct 29, 2024 22:13:44.636395931 CET	49782	443	192.168.2.4	35.244.181.201
Oct 29, 2024 22:13:44.636405945 CET	443	49782	35.244.181.201	192.168.2.4
Oct 29, 2024 22:13:44.636790991 CET	49781	443	192.168.2.4	35.244.181.201
Oct 29, 2024 22:13:44.636837006 CET	49782	443	192.168.2.4	35.244.181.201
Oct 29, 2024 22:13:44.637212038 CET	49782	443	192.168.2.4	35.244.181.201
Oct 29, 2024 22:13:44.637221098 CET	443	49782	35.244.181.201	192.168.2.4
Oct 29, 2024 22:13:44.637341976 CET	49781	443	192.168.2.4	35.244.181.201
Oct 29, 2024 22:13:44.637357950 CET	443	49781	35.244.181.201	192.168.2.4
Oct 29, 2024 22:13:44.638884068 CET	49778	443	192.168.2.4	35.190.72.216
Oct 29, 2024 22:13:44.638894081 CET	443	49778	35.190.72.216	192.168.2.4
Oct 29, 2024 22:13:44.638941050 CET	49778	443	192.168.2.4	35.190.72.216
Oct 29, 2024 22:13:44.639096975 CET	443	49778	35.190.72.216	192.168.2.4
Oct 29, 2024 22:13:44.639525890 CET	49778	443	192.168.2.4	35.190.72.216
Oct 29, 2024 22:13:44.648293972 CET	443	49779	35.201.103.21	192.168.2.4
Oct 29, 2024 22:13:44.648384094 CET	49779	443	192.168.2.4	35.201.103.21
Oct 29, 2024 22:13:44.652956963 CET	49779	443	192.168.2.4	35.201.103.21
Oct 29, 2024 22:13:44.652970076 CET	443	49779	35.201.103.21	192.168.2.4
Oct 29, 2024 22:13:44.653074026 CET	49779	443	192.168.2.4	35.201.103.21
Oct 29, 2024 22:13:44.653165102 CET	443	49779	35.201.103.21	192.168.2.4
Oct 29, 2024 22:13:44.654854059 CET	49779	443	192.168.2.4	35.201.103.21
Oct 29, 2024 22:13:44.664120913 CET	49783	443	192.168.2.4	34.149.100.209
Oct 29, 2024 22:13:44.664155006 CET	443	49783	34.149.100.209	192.168.2.4
Oct 29, 2024 22:13:44.664336920 CET	49783	443	192.168.2.4	34.149.100.209
Oct 29, 2024 22:13:44.664414883 CET	49783	443	192.168.2.4	34.149.100.209
Oct 29, 2024 22:13:44.664423943 CET	443	49783	34.149.100.209	192.168.2.4
Oct 29, 2024 22:13:44.747497082 CET	80	49749	34.107.221.82	192.168.2.4
Oct 29, 2024 22:13:44.750567913 CET	49753	80	192.168.2.4	34.107.221.82
Oct 29, 2024 22:13:44.756162882 CET	80	49753	34.107.221.82	192.168.2.4
Oct 29, 2024 22:13:44.798455000 CET	49749	80	192.168.2.4	34.107.221.82
Oct 29, 2024 22:13:44.823328972 CET	443	49776	34.149.100.209	192.168.2.4
Oct 29, 2024 22:13:44.823467016 CET	49776	443	192.168.2.4	34.149.100.209
Oct 29, 2024 22:13:44.878680944 CET	80	49753	34.107.221.82	192.168.2.4
Oct 29, 2024 22:13:44.930031061 CET	49753	80	192.168.2.4	34.107.221.82
Oct 29, 2024 22:13:44.942826986 CET	443	49775	35.244.181.201	192.168.2.4
Oct 29, 2024 22:13:44.942914963 CET	49775	443	192.168.2.4	35.244.181.201
Oct 29, 2024 22:13:44.946047068 CET	49775	443	192.168.2.4	35.244.181.201
Oct 29, 2024 22:13:44.946057081 CET	443	49775	35.244.181.201	192.168.2.4
Oct 29, 2024 22:13:44.946279049 CET	443	49775	35.244.181.201	192.168.2.4
Oct 29, 2024 22:13:44.948065042 CET	49775	443	192.168.2.4	35.244.181.201
Oct 29, 2024 22:13:44.948153019 CET	49775	443	192.168.2.4	35.244.181.201
Oct 29, 2024 22:13:44.948205948 CET	443	49775	35.244.181.201	192.168.2.4
Oct 29, 2024 22:13:44.948331118 CET	49775	443	192.168.2.4	35.244.181.201
Oct 29, 2024 22:13:44.951230049 CET	49749	80	192.168.2.4	34.107.221.82
Oct 29, 2024 22:13:44.956696987 CET	80	49749	34.107.221.82	192.168.2.4
Oct 29, 2024 22:13:45.075938940 CET	80	49749	34.107.221.82	192.168.2.4
Oct 29, 2024 22:13:45.078849077 CET	49753	80	192.168.2.4	34.107.221.82
Oct 29, 2024 22:13:45.084296942 CET	80	49753	34.107.221.82	192.168.2.4
Oct 29, 2024 22:13:45.130563021 CET	49749	80	192.168.2.4	34.107.221.82
Oct 29, 2024 22:13:45.205964088 CET	80	49753	34.107.221.82	192.168.2.4
Oct 29, 2024 22:13:45.240066051 CET	443	49780	35.244.181.201	192.168.2.4
Oct 29, 2024 22:13:45.240154028 CET	49780	443	192.168.2.4	35.244.181.201
Oct 29, 2024 22:13:45.242599964 CET	49780	443	192.168.2.4	35.244.181.201
Oct 29, 2024 22:13:45.242609978 CET	443	49780	35.244.181.201	192.168.2.4
Oct 29, 2024 22:13:45.242969036 CET	443	49780	35.244.181.201	192.168.2.4
Oct 29, 2024 22:13:45.245109081 CET	49780	443	192.168.2.4	35.244.181.201
Oct 29, 2024 22:13:45.245194912 CET	49780	443	192.168.2.4	35.244.181.201
Oct 29, 2024 22:13:45.245361090 CET	443	49780	35.244.181.201	192.168.2.4
Oct 29, 2024 22:13:45.245471954 CET	49780	443	192.168.2.4	35.244.181.201
Oct 29, 2024 22:13:45.246480942 CET	49753	80	192.168.2.4	34.107.221.82
Oct 29, 2024 22:13:45.248512983 CET	49749	80	192.168.2.4	34.107.221.82
Oct 29, 2024 22:13:45.250256062 CET	443	49782	35.244.181.201	192.168.2.4
Oct 29, 2024 22:13:45.250371933 CET	49782	443	192.168.2.4	35.244.181.201
Oct 29, 2024 22:13:45.252655983 CET	49782	443	192.168.2.4	35.244.181.201
Oct 29, 2024 22:13:45.252661943 CET	443	49782	35.244.181.201	192.168.2.4
Oct 29, 2024 22:13:45.252871037 CET	443	49782	35.244.181.201	192.168.2.4
Oct 29, 2024 22:13:45.254128933 CET	80	49749	34.107.221.82	192.168.2.4
Oct 29, 2024 22:13:45.255136967 CET	49782	443	192.168.2.4	35.244.181.201
Oct 29, 2024 22:13:45.255213976 CET	49782	443	192.168.2.4	35.244.181.201
Oct 29, 2024 22:13:45.255276918 CET	443	49782	35.244.181.201	192.168.2.4
Oct 29, 2024 22:13:45.255347013 CET	49782	443	192.168.2.4	35.244.181.201
Oct 29, 2024 22:13:45.276451111 CET	443	49781	35.244.181.201	192.168.2.4
Oct 29, 2024 22:13:45.276611090 CET	49781	443	192.168.2.4	35.244.181.201
Oct 29, 2024 22:13:45.279109955 CET	49781	443	192.168.2.4	35.244.181.201
Oct 29, 2024 22:13:45.279122114 CET	443	49781	35.244.181.201	192.168.2.4
Oct 29, 2024 22:13:45.279357910 CET	443	49781	35.244.181.201	192.168.2.4
Oct 29, 2024 22:13:45.280107975 CET	443	49783	34.149.100.209	192.168.2.4
Oct 29, 2024 22:13:45.280199051 CET	49783	443	192.168.2.4	34.149.100.209
Oct 29, 2024 22:13:45.282675982 CET	49783	443	192.168.2.4	34.149.100.209
Oct 29, 2024 22:13:45.282686949 CET	443	49783	34.149.100.209	192.168.2.4
Oct 29, 2024 22:13:45.283185005 CET	443	49783	34.149.100.209	192.168.2.4
Oct 29, 2024 22:13:45.284734964 CET	49781	443	192.168.2.4	35.244.181.201
Oct 29, 2024 22:13:45.284810066 CET	49781	443	192.168.2.4	35.244.181.201
Oct 29, 2024 22:13:45.284893036 CET	443	49781	35.244.181.201	192.168.2.4
Oct 29, 2024 22:13:45.285590887 CET	49781	443	192.168.2.4	35.244.181.201
Oct 29, 2024 22:13:45.286572933 CET	49783	443	192.168.2.4	34.149.100.209
Oct 29, 2024 22:13:45.286655903 CET	49783	443	192.168.2.4	34.149.100.209
Oct 29, 2024 22:13:45.286788940 CET	443	49783	34.149.100.209	192.168.2.4
Oct 29, 2024 22:13:45.287333012 CET	49783	443	192.168.2.4	34.149.100.209
Oct 29, 2024 22:13:45.373512983 CET	80	49749	34.107.221.82	192.168.2.4
Oct 29, 2024 22:13:45.376236916 CET	49753	80	192.168.2.4	34.107.221.82
Oct 29, 2024 22:13:45.382038116 CET	80	49753	34.107.221.82	192.168.2.4
Oct 29, 2024 22:13:45.415796995 CET	49749	80	192.168.2.4	34.107.221.82
Oct 29, 2024 22:13:45.504854918 CET	80	49753	34.107.221.82	192.168.2.4
Oct 29, 2024 22:13:45.547331095 CET	49753	80	192.168.2.4	34.107.221.82
Oct 29, 2024 22:13:45.605951071 CET	49785	443	192.168.2.4	34.107.243.93
Oct 29, 2024 22:13:45.605978966 CET	443	49785	34.107.243.93	192.168.2.4
Oct 29, 2024 22:13:45.607043028 CET	49785	443	192.168.2.4	34.107.243.93
Oct 29, 2024 22:13:45.608298063 CET	49785	443	192.168.2.4	34.107.243.93
Oct 29, 2024 22:13:45.608318090 CET	443	49785	34.107.243.93	192.168.2.4
Oct 29, 2024 22:13:46.237406969 CET	443	49785	34.107.243.93	192.168.2.4
Oct 29, 2024 22:13:46.237519026 CET	49785	443	192.168.2.4	34.107.243.93
Oct 29, 2024 22:13:46.242475033 CET	49785	443	192.168.2.4	34.107.243.93
Oct 29, 2024 22:13:46.242486000 CET	443	49785	34.107.243.93	192.168.2.4
Oct 29, 2024 22:13:46.242568016 CET	49785	443	192.168.2.4	34.107.243.93
Oct 29, 2024 22:13:46.242706060 CET	443	49785	34.107.243.93	192.168.2.4
Oct 29, 2024 22:13:46.243221045 CET	49785	443	192.168.2.4	34.107.243.93
Oct 29, 2024 22:13:46.245393038 CET	49749	80	192.168.2.4	34.107.221.82
Oct 29, 2024 22:13:46.250972033 CET	80	49749	34.107.221.82	192.168.2.4
Oct 29, 2024 22:13:46.390552998 CET	80	49749	34.107.221.82	192.168.2.4
Oct 29, 2024 22:13:46.393452883 CET	49753	80	192.168.2.4	34.107.221.82
Oct 29, 2024 22:13:46.399240017 CET	80	49753	34.107.221.82	192.168.2.4
Oct 29, 2024 22:13:46.434734106 CET	49749	80	192.168.2.4	34.107.221.82
Oct 29, 2024 22:13:46.526299953 CET	80	49753	34.107.221.82	192.168.2.4
Oct 29, 2024 22:13:46.565808058 CET	49753	80	192.168.2.4	34.107.221.82
Oct 29, 2024 22:13:51.506815910 CET	49749	80	192.168.2.4	34.107.221.82
Oct 29, 2024 22:13:51.512990952 CET	80	49749	34.107.221.82	192.168.2.4
Oct 29, 2024 22:13:51.637164116 CET	80	49749	34.107.221.82	192.168.2.4
Oct 29, 2024 22:13:51.640640020 CET	49753	80	192.168.2.4	34.107.221.82
Oct 29, 2024 22:13:51.646620035 CET	80	49753	34.107.221.82	192.168.2.4
Oct 29, 2024 22:13:51.684763908 CET	49749	80	192.168.2.4	34.107.221.82
Oct 29, 2024 22:13:51.771903038 CET	80	49753	34.107.221.82	192.168.2.4
Oct 29, 2024 22:13:51.816294909 CET	49753	80	192.168.2.4	34.107.221.82
Oct 29, 2024 22:14:01.644440889 CET	49749	80	192.168.2.4	34.107.221.82
Oct 29, 2024 22:14:01.649972916 CET	80	49749	34.107.221.82	192.168.2.4
Oct 29, 2024 22:14:01.782694101 CET	49753	80	192.168.2.4	34.107.221.82
Oct 29, 2024 22:14:01.788227081 CET	80	49753	34.107.221.82	192.168.2.4
Oct 29, 2024 22:14:06.518027067 CET	49804	443	192.168.2.4	34.107.243.93
Oct 29, 2024 22:14:06.518070936 CET	443	49804	34.107.243.93	192.168.2.4
Oct 29, 2024 22:14:06.518158913 CET	49804	443	192.168.2.4	34.107.243.93
Oct 29, 2024 22:14:06.519418955 CET	49804	443	192.168.2.4	34.107.243.93
Oct 29, 2024 22:14:06.519443035 CET	443	49804	34.107.243.93	192.168.2.4
Oct 29, 2024 22:14:07.141828060 CET	443	49804	34.107.243.93	192.168.2.4
Oct 29, 2024 22:14:07.141910076 CET	49804	443	192.168.2.4	34.107.243.93
Oct 29, 2024 22:14:07.149457932 CET	49804	443	192.168.2.4	34.107.243.93
Oct 29, 2024 22:14:07.149496078 CET	443	49804	34.107.243.93	192.168.2.4
Oct 29, 2024 22:14:07.149569035 CET	49804	443	192.168.2.4	34.107.243.93
Oct 29, 2024 22:14:07.149671078 CET	443	49804	34.107.243.93	192.168.2.4
Oct 29, 2024 22:14:07.150909901 CET	49804	443	192.168.2.4	34.107.243.93
Oct 29, 2024 22:14:07.152641058 CET	49749	80	192.168.2.4	34.107.221.82
Oct 29, 2024 22:14:07.158186913 CET	80	49749	34.107.221.82	192.168.2.4
Oct 29, 2024 22:14:07.279198885 CET	80	49749	34.107.221.82	192.168.2.4
Oct 29, 2024 22:14:07.282607079 CET	49753	80	192.168.2.4	34.107.221.82
Oct 29, 2024 22:14:07.288028002 CET	80	49753	34.107.221.82	192.168.2.4
Oct 29, 2024 22:14:07.329691887 CET	49749	80	192.168.2.4	34.107.221.82
Oct 29, 2024 22:14:07.413830996 CET	80	49753	34.107.221.82	192.168.2.4
Oct 29, 2024 22:14:07.461199999 CET	49753	80	192.168.2.4	34.107.221.82
Oct 29, 2024 22:14:14.123435974 CET	49845	443	192.168.2.4	34.120.208.123
Oct 29, 2024 22:14:14.123527050 CET	49846	443	192.168.2.4	34.120.208.123
Oct 29, 2024 22:14:14.123547077 CET	443	49845	34.120.208.123	192.168.2.4
Oct 29, 2024 22:14:14.123578072 CET	443	49846	34.120.208.123	192.168.2.4
Oct 29, 2024 22:14:14.123626947 CET	49847	443	192.168.2.4	34.120.208.123
Oct 29, 2024 22:14:14.123665094 CET	443	49847	34.120.208.123	192.168.2.4
Oct 29, 2024 22:14:14.123718977 CET	49846	443	192.168.2.4	34.120.208.123
Oct 29, 2024 22:14:14.123722076 CET	49845	443	192.168.2.4	34.120.208.123
Oct 29, 2024 22:14:14.123835087 CET	49845	443	192.168.2.4	34.120.208.123
Oct 29, 2024 22:14:14.123872042 CET	443	49845	34.120.208.123	192.168.2.4
Oct 29, 2024 22:14:14.123908997 CET	49846	443	192.168.2.4	34.120.208.123
Oct 29, 2024 22:14:14.123922110 CET	443	49846	34.120.208.123	192.168.2.4
Oct 29, 2024 22:14:14.123974085 CET	49847	443	192.168.2.4	34.120.208.123
Oct 29, 2024 22:14:14.124041080 CET	49847	443	192.168.2.4	34.120.208.123
Oct 29, 2024 22:14:14.124054909 CET	443	49847	34.120.208.123	192.168.2.4
Oct 29, 2024 22:14:14.732494116 CET	443	49845	34.120.208.123	192.168.2.4
Oct 29, 2024 22:14:14.732573986 CET	49845	443	192.168.2.4	34.120.208.123
Oct 29, 2024 22:14:14.735364914 CET	49845	443	192.168.2.4	34.120.208.123
Oct 29, 2024 22:14:14.735389948 CET	443	49845	34.120.208.123	192.168.2.4
Oct 29, 2024 22:14:14.735631943 CET	443	49845	34.120.208.123	192.168.2.4
Oct 29, 2024 22:14:14.737924099 CET	443	49846	34.120.208.123	192.168.2.4
Oct 29, 2024 22:14:14.738323927 CET	49845	443	192.168.2.4	34.120.208.123
Oct 29, 2024 22:14:14.738404989 CET	49845	443	192.168.2.4	34.120.208.123
Oct 29, 2024 22:14:14.738475084 CET	443	49845	34.120.208.123	192.168.2.4
Oct 29, 2024 22:14:14.739912033 CET	49845	443	192.168.2.4	34.120.208.123
Oct 29, 2024 22:14:14.739929914 CET	49846	443	192.168.2.4	34.120.208.123
Oct 29, 2024 22:14:14.743026018 CET	49846	443	192.168.2.4	34.120.208.123
Oct 29, 2024 22:14:14.743040085 CET	443	49846	34.120.208.123	192.168.2.4
Oct 29, 2024 22:14:14.743379116 CET	443	49847	34.120.208.123	192.168.2.4
Oct 29, 2024 22:14:14.743788004 CET	443	49846	34.120.208.123	192.168.2.4
Oct 29, 2024 22:14:14.744951963 CET	49847	443	192.168.2.4	34.120.208.123
Oct 29, 2024 22:14:14.748469114 CET	49847	443	192.168.2.4	34.120.208.123
Oct 29, 2024 22:14:14.748487949 CET	443	49847	34.120.208.123	192.168.2.4
Oct 29, 2024 22:14:14.749408007 CET	443	49847	34.120.208.123	192.168.2.4
Oct 29, 2024 22:14:14.750144005 CET	49846	443	192.168.2.4	34.120.208.123
Oct 29, 2024 22:14:14.750406981 CET	49846	443	192.168.2.4	34.120.208.123
Oct 29, 2024 22:14:14.750446081 CET	443	49846	34.120.208.123	192.168.2.4
Oct 29, 2024 22:14:14.750510931 CET	49846	443	192.168.2.4	34.120.208.123
Oct 29, 2024 22:14:14.751852036 CET	49847	443	192.168.2.4	34.120.208.123
Oct 29, 2024 22:14:14.751929045 CET	49847	443	192.168.2.4	34.120.208.123
Oct 29, 2024 22:14:14.752361059 CET	443	49847	34.120.208.123	192.168.2.4
Oct 29, 2024 22:14:14.752660990 CET	49847	443	192.168.2.4	34.120.208.123
Oct 29, 2024 22:14:14.803261995 CET	49749	80	192.168.2.4	34.107.221.82
Oct 29, 2024 22:14:14.805221081 CET	49853	443	192.168.2.4	34.120.208.123
Oct 29, 2024 22:14:14.805270910 CET	443	49853	34.120.208.123	192.168.2.4
Oct 29, 2024 22:14:14.805838108 CET	49853	443	192.168.2.4	34.120.208.123
Oct 29, 2024 22:14:14.805947065 CET	49853	443	192.168.2.4	34.120.208.123
Oct 29, 2024 22:14:14.805963039 CET	443	49853	34.120.208.123	192.168.2.4
Oct 29, 2024 22:14:14.808655024 CET	80	49749	34.107.221.82	192.168.2.4
Oct 29, 2024 22:14:14.817241907 CET	49854	443	192.168.2.4	34.120.208.123
Oct 29, 2024 22:14:14.817265987 CET	443	49854	34.120.208.123	192.168.2.4
Oct 29, 2024 22:14:14.817487955 CET	49855	443	192.168.2.4	34.120.208.123
Oct 29, 2024 22:14:14.817497015 CET	443	49855	34.120.208.123	192.168.2.4
Oct 29, 2024 22:14:14.817970991 CET	49854	443	192.168.2.4	34.120.208.123
Oct 29, 2024 22:14:14.818103075 CET	49854	443	192.168.2.4	34.120.208.123
Oct 29, 2024 22:14:14.818104029 CET	49855	443	192.168.2.4	34.120.208.123
Oct 29, 2024 22:14:14.818115950 CET	443	49854	34.120.208.123	192.168.2.4
Oct 29, 2024 22:14:14.818192005 CET	49855	443	192.168.2.4	34.120.208.123
Oct 29, 2024 22:14:14.818197012 CET	443	49855	34.120.208.123	192.168.2.4
Oct 29, 2024 22:14:14.846609116 CET	49856	443	192.168.2.4	34.120.208.123
Oct 29, 2024 22:14:14.846621990 CET	443	49856	34.120.208.123	192.168.2.4
Oct 29, 2024 22:14:14.847549915 CET	49856	443	192.168.2.4	34.120.208.123
Oct 29, 2024 22:14:14.847677946 CET	49856	443	192.168.2.4	34.120.208.123
Oct 29, 2024 22:14:14.847688913 CET	443	49856	34.120.208.123	192.168.2.4
Oct 29, 2024 22:14:14.928308010 CET	80	49749	34.107.221.82	192.168.2.4
Oct 29, 2024 22:14:14.971955061 CET	49753	80	192.168.2.4	34.107.221.82
Oct 29, 2024 22:14:14.977453947 CET	80	49753	34.107.221.82	192.168.2.4
Oct 29, 2024 22:14:14.988816023 CET	49749	80	192.168.2.4	34.107.221.82
Oct 29, 2024 22:14:15.099267006 CET	80	49753	34.107.221.82	192.168.2.4
Oct 29, 2024 22:14:15.142529011 CET	49753	80	192.168.2.4	34.107.221.82
Oct 29, 2024 22:14:15.414625883 CET	443	49853	34.120.208.123	192.168.2.4
Oct 29, 2024 22:14:15.414752960 CET	49853	443	192.168.2.4	34.120.208.123
Oct 29, 2024 22:14:15.417655945 CET	49853	443	192.168.2.4	34.120.208.123
Oct 29, 2024 22:14:15.417686939 CET	443	49853	34.120.208.123	192.168.2.4
Oct 29, 2024 22:14:15.418029070 CET	443	49853	34.120.208.123	192.168.2.4
Oct 29, 2024 22:14:15.419701099 CET	49853	443	192.168.2.4	34.120.208.123
Oct 29, 2024 22:14:15.419806004 CET	49853	443	192.168.2.4	34.120.208.123
Oct 29, 2024 22:14:15.419894934 CET	443	49853	34.120.208.123	192.168.2.4
Oct 29, 2024 22:14:15.419954062 CET	49853	443	192.168.2.4	34.120.208.123
Oct 29, 2024 22:14:15.419954062 CET	49853	443	192.168.2.4	34.120.208.123
Oct 29, 2024 22:14:15.421041965 CET	443	49855	34.120.208.123	192.168.2.4
Oct 29, 2024 22:14:15.422413111 CET	49749	80	192.168.2.4	34.107.221.82
Oct 29, 2024 22:14:15.424256086 CET	49855	443	192.168.2.4	34.120.208.123
Oct 29, 2024 22:14:15.427351952 CET	49855	443	192.168.2.4	34.120.208.123
Oct 29, 2024 22:14:15.427365065 CET	443	49855	34.120.208.123	192.168.2.4
Oct 29, 2024 22:14:15.427618027 CET	443	49855	34.120.208.123	192.168.2.4
Oct 29, 2024 22:14:15.427769899 CET	80	49749	34.107.221.82	192.168.2.4
Oct 29, 2024 22:14:15.432463884 CET	49855	443	192.168.2.4	34.120.208.123
Oct 29, 2024 22:14:15.432543039 CET	49855	443	192.168.2.4	34.120.208.123
Oct 29, 2024 22:14:15.432645082 CET	443	49855	34.120.208.123	192.168.2.4
Oct 29, 2024 22:14:15.433433056 CET	49855	443	192.168.2.4	34.120.208.123
Oct 29, 2024 22:14:15.436425924 CET	443	49854	34.120.208.123	192.168.2.4
Oct 29, 2024 22:14:15.436564922 CET	49854	443	192.168.2.4	34.120.208.123
Oct 29, 2024 22:14:15.439512968 CET	49854	443	192.168.2.4	34.120.208.123
Oct 29, 2024 22:14:15.439524889 CET	443	49854	34.120.208.123	192.168.2.4
Oct 29, 2024 22:14:15.440268993 CET	443	49854	34.120.208.123	192.168.2.4
Oct 29, 2024 22:14:15.442002058 CET	49854	443	192.168.2.4	34.120.208.123
Oct 29, 2024 22:14:15.442090034 CET	49854	443	192.168.2.4	34.120.208.123
Oct 29, 2024 22:14:15.476295948 CET	443	49856	34.120.208.123	192.168.2.4
Oct 29, 2024 22:14:15.482656956 CET	49856	443	192.168.2.4	34.120.208.123
Oct 29, 2024 22:14:15.487505913 CET	49856	443	192.168.2.4	34.120.208.123
Oct 29, 2024 22:14:15.487541914 CET	443	49856	34.120.208.123	192.168.2.4
Oct 29, 2024 22:14:15.487775087 CET	443	49856	34.120.208.123	192.168.2.4
Oct 29, 2024 22:14:15.489630938 CET	49856	443	192.168.2.4	34.120.208.123
Oct 29, 2024 22:14:15.489741087 CET	49856	443	192.168.2.4	34.120.208.123
Oct 29, 2024 22:14:15.489787102 CET	443	49856	34.120.208.123	192.168.2.4
Oct 29, 2024 22:14:15.489897966 CET	49856	443	192.168.2.4	34.120.208.123
Oct 29, 2024 22:14:15.489897966 CET	49856	443	192.168.2.4	34.120.208.123
Oct 29, 2024 22:14:15.547265053 CET	80	49749	34.107.221.82	192.168.2.4
Oct 29, 2024 22:14:15.549993992 CET	49753	80	192.168.2.4	34.107.221.82
Oct 29, 2024 22:14:15.555382013 CET	80	49753	34.107.221.82	192.168.2.4
Oct 29, 2024 22:14:15.598551989 CET	49749	80	192.168.2.4	34.107.221.82
Oct 29, 2024 22:14:15.677680016 CET	80	49753	34.107.221.82	192.168.2.4
Oct 29, 2024 22:14:15.730046034 CET	49753	80	192.168.2.4	34.107.221.82
Oct 29, 2024 22:14:25.559146881 CET	49749	80	192.168.2.4	34.107.221.82
Oct 29, 2024 22:14:25.564615965 CET	80	49749	34.107.221.82	192.168.2.4
Oct 29, 2024 22:14:25.690700054 CET	49753	80	192.168.2.4	34.107.221.82
Oct 29, 2024 22:14:25.696120977 CET	80	49753	34.107.221.82	192.168.2.4
Oct 29, 2024 22:14:35.571444988 CET	49749	80	192.168.2.4	34.107.221.82
Oct 29, 2024 22:14:35.576966047 CET	80	49749	34.107.221.82	192.168.2.4
Oct 29, 2024 22:14:35.703028917 CET	49753	80	192.168.2.4	34.107.221.82
Oct 29, 2024 22:14:35.708472967 CET	80	49753	34.107.221.82	192.168.2.4
Oct 29, 2024 22:14:45.585421085 CET	49749	80	192.168.2.4	34.107.221.82
Oct 29, 2024 22:14:45.591033936 CET	80	49749	34.107.221.82	192.168.2.4
Oct 29, 2024 22:14:45.716953039 CET	49753	80	192.168.2.4	34.107.221.82
Oct 29, 2024 22:14:45.722646952 CET	80	49753	34.107.221.82	192.168.2.4
Oct 29, 2024 22:14:47.389702082 CET	50030	443	192.168.2.4	34.107.243.93
Oct 29, 2024 22:14:47.389755011 CET	443	50030	34.107.243.93	192.168.2.4
Oct 29, 2024 22:14:47.389899015 CET	50030	443	192.168.2.4	34.107.243.93
Oct 29, 2024 22:14:47.391432047 CET	50030	443	192.168.2.4	34.107.243.93
Oct 29, 2024 22:14:47.391444921 CET	443	50030	34.107.243.93	192.168.2.4
Oct 29, 2024 22:14:47.994757891 CET	443	50030	34.107.243.93	192.168.2.4
Oct 29, 2024 22:14:47.994856119 CET	50030	443	192.168.2.4	34.107.243.93
Oct 29, 2024 22:14:48.002140999 CET	50030	443	192.168.2.4	34.107.243.93
Oct 29, 2024 22:14:48.002168894 CET	443	50030	34.107.243.93	192.168.2.4
Oct 29, 2024 22:14:48.002341032 CET	50030	443	192.168.2.4	34.107.243.93
Oct 29, 2024 22:14:48.002449989 CET	443	50030	34.107.243.93	192.168.2.4
Oct 29, 2024 22:14:48.003220081 CET	50030	443	192.168.2.4	34.107.243.93
Oct 29, 2024 22:14:48.005633116 CET	49749	80	192.168.2.4	34.107.221.82
Oct 29, 2024 22:14:48.010986090 CET	80	49749	34.107.221.82	192.168.2.4
Oct 29, 2024 22:14:48.131135941 CET	80	49749	34.107.221.82	192.168.2.4
Oct 29, 2024 22:14:48.135198116 CET	49753	80	192.168.2.4	34.107.221.82
Oct 29, 2024 22:14:48.140558958 CET	80	49753	34.107.221.82	192.168.2.4
Oct 29, 2024 22:14:48.176647902 CET	49749	80	192.168.2.4	34.107.221.82
Oct 29, 2024 22:14:48.263973951 CET	80	49753	34.107.221.82	192.168.2.4
Oct 29, 2024 22:14:48.308248043 CET	49753	80	192.168.2.4	34.107.221.82
Oct 29, 2024 22:14:58.136471987 CET	49749	80	192.168.2.4	34.107.221.82
Oct 29, 2024 22:14:58.142061949 CET	80	49749	34.107.221.82	192.168.2.4
Oct 29, 2024 22:14:58.268068075 CET	49753	80	192.168.2.4	34.107.221.82
Oct 29, 2024 22:14:58.273787975 CET	80	49753	34.107.221.82	192.168.2.4
Oct 29, 2024 22:15:08.149786949 CET	49749	80	192.168.2.4	34.107.221.82
Oct 29, 2024 22:15:08.155224085 CET	80	49749	34.107.221.82	192.168.2.4
Oct 29, 2024 22:15:08.281362057 CET	49753	80	192.168.2.4	34.107.221.82
Oct 29, 2024 22:15:08.286868095 CET	80	49753	34.107.221.82	192.168.2.4
Oct 29, 2024 22:15:18.165225983 CET	49749	80	192.168.2.4	34.107.221.82
Oct 29, 2024 22:15:18.170660019 CET	80	49749	34.107.221.82	192.168.2.4
Oct 29, 2024 22:15:18.296828032 CET	49753	80	192.168.2.4	34.107.221.82
Oct 29, 2024 22:15:18.302222967 CET	80	49753	34.107.221.82	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 29, 2024 22:13:15.305042028 CET	51213	53	192.168.2.4	1.1.1.1
Oct 29, 2024 22:13:15.313699007 CET	53	51213	1.1.1.1	192.168.2.4
Oct 29, 2024 22:13:15.323079109 CET	49967	53	192.168.2.4	1.1.1.1
Oct 29, 2024 22:13:15.332349062 CET	53	49967	1.1.1.1	192.168.2.4
Oct 29, 2024 22:13:17.323257923 CET	50077	53	192.168.2.4	1.1.1.1
Oct 29, 2024 22:13:17.331805944 CET	53	50077	1.1.1.1	192.168.2.4
Oct 29, 2024 22:13:17.332958937 CET	57082	53	192.168.2.4	1.1.1.1
Oct 29, 2024 22:13:17.341387033 CET	53	57082	1.1.1.1	192.168.2.4
Oct 29, 2024 22:13:17.341908932 CET	50174	53	192.168.2.4	1.1.1.1
Oct 29, 2024 22:13:17.349987030 CET	53	50174	1.1.1.1	192.168.2.4
Oct 29, 2024 22:13:17.661777020 CET	55615	53	192.168.2.4	1.1.1.1
Oct 29, 2024 22:13:17.676297903 CET	60443	53	192.168.2.4	1.1.1.1
Oct 29, 2024 22:13:17.683830023 CET	53	60443	1.1.1.1	192.168.2.4
Oct 29, 2024 22:13:17.698451042 CET	50216	53	192.168.2.4	1.1.1.1
Oct 29, 2024 22:13:17.705955982 CET	53	50216	1.1.1.1	192.168.2.4
Oct 29, 2024 22:13:17.930350065 CET	49925	53	192.168.2.4	1.1.1.1
Oct 29, 2024 22:13:17.939270020 CET	53	49925	1.1.1.1	192.168.2.4
Oct 29, 2024 22:13:17.941760063 CET	55496	53	192.168.2.4	1.1.1.1
Oct 29, 2024 22:13:17.942981958 CET	59809	53	192.168.2.4	1.1.1.1
Oct 29, 2024 22:13:17.950347900 CET	53	55496	1.1.1.1	192.168.2.4
Oct 29, 2024 22:13:17.950839043 CET	49823	53	192.168.2.4	1.1.1.1
Oct 29, 2024 22:13:17.951114893 CET	53	59809	1.1.1.1	192.168.2.4
Oct 29, 2024 22:13:17.952476025 CET	51072	53	192.168.2.4	1.1.1.1
Oct 29, 2024 22:13:17.958722115 CET	58862	53	192.168.2.4	1.1.1.1
Oct 29, 2024 22:13:17.958790064 CET	53	49823	1.1.1.1	192.168.2.4
Oct 29, 2024 22:13:17.960463047 CET	53	51072	1.1.1.1	192.168.2.4
Oct 29, 2024 22:13:17.966645002 CET	53	58862	1.1.1.1	192.168.2.4
Oct 29, 2024 22:13:17.974881887 CET	59038	53	192.168.2.4	1.1.1.1
Oct 29, 2024 22:13:17.977060080 CET	55264	53	192.168.2.4	1.1.1.1
Oct 29, 2024 22:13:17.982656956 CET	53	59038	1.1.1.1	192.168.2.4
Oct 29, 2024 22:13:17.985008955 CET	53	55264	1.1.1.1	192.168.2.4
Oct 29, 2024 22:13:18.348372936 CET	64915	53	192.168.2.4	1.1.1.1
Oct 29, 2024 22:13:18.349081039 CET	57011	53	192.168.2.4	1.1.1.1
Oct 29, 2024 22:13:18.356726885 CET	53	64915	1.1.1.1	192.168.2.4
Oct 29, 2024 22:13:18.357033014 CET	53	57011	1.1.1.1	192.168.2.4
Oct 29, 2024 22:13:18.366952896 CET	49264	53	192.168.2.4	1.1.1.1
Oct 29, 2024 22:13:18.687165976 CET	49700	53	192.168.2.4	1.1.1.1
Oct 29, 2024 22:13:18.695126057 CET	53	49700	1.1.1.1	192.168.2.4
Oct 29, 2024 22:13:18.696187019 CET	55491	53	192.168.2.4	1.1.1.1
Oct 29, 2024 22:13:18.704081059 CET	53	55491	1.1.1.1	192.168.2.4
Oct 29, 2024 22:13:18.705188990 CET	57741	53	192.168.2.4	1.1.1.1
Oct 29, 2024 22:13:18.713246107 CET	53	57741	1.1.1.1	192.168.2.4
Oct 29, 2024 22:13:23.905906916 CET	64526	53	192.168.2.4	1.1.1.1
Oct 29, 2024 22:13:23.914307117 CET	53	64526	1.1.1.1	192.168.2.4
Oct 29, 2024 22:13:23.920540094 CET	60528	53	192.168.2.4	1.1.1.1
Oct 29, 2024 22:13:23.929913044 CET	53	60528	1.1.1.1	192.168.2.4
Oct 29, 2024 22:13:23.936942101 CET	53252	53	192.168.2.4	1.1.1.1
Oct 29, 2024 22:13:23.947217941 CET	53	53252	1.1.1.1	192.168.2.4
Oct 29, 2024 22:13:24.073295116 CET	52677	53	192.168.2.4	1.1.1.1
Oct 29, 2024 22:13:24.096590996 CET	61005	53	192.168.2.4	1.1.1.1
Oct 29, 2024 22:13:24.104788065 CET	53	61005	1.1.1.1	192.168.2.4
Oct 29, 2024 22:13:24.109236002 CET	62773	53	192.168.2.4	1.1.1.1
Oct 29, 2024 22:13:24.116971016 CET	53	62773	1.1.1.1	192.168.2.4
Oct 29, 2024 22:13:24.142793894 CET	62044	53	192.168.2.4	1.1.1.1
Oct 29, 2024 22:13:24.150537014 CET	53	62044	1.1.1.1	192.168.2.4
Oct 29, 2024 22:13:24.174007893 CET	53	53619	1.1.1.1	192.168.2.4
Oct 29, 2024 22:13:28.235210896 CET	53639	53	192.168.2.4	1.1.1.1
Oct 29, 2024 22:13:28.243105888 CET	53	53639	1.1.1.1	192.168.2.4
Oct 29, 2024 22:13:29.070910931 CET	51467	53	192.168.2.4	1.1.1.1
Oct 29, 2024 22:13:29.079653025 CET	53	51467	1.1.1.1	192.168.2.4
Oct 29, 2024 22:13:29.080158949 CET	50083	53	192.168.2.4	1.1.1.1
Oct 29, 2024 22:13:29.088422060 CET	53	50083	1.1.1.1	192.168.2.4
Oct 29, 2024 22:13:30.784998894 CET	53547	53	192.168.2.4	1.1.1.1
Oct 29, 2024 22:13:30.792490959 CET	53	53547	1.1.1.1	192.168.2.4
Oct 29, 2024 22:13:30.794723034 CET	49841	53	192.168.2.4	1.1.1.1
Oct 29, 2024 22:13:30.802201986 CET	53	49841	1.1.1.1	192.168.2.4
Oct 29, 2024 22:13:30.816684008 CET	58149	53	192.168.2.4	1.1.1.1
Oct 29, 2024 22:13:30.824830055 CET	53	58149	1.1.1.1	192.168.2.4
Oct 29, 2024 22:13:34.960649967 CET	49452	53	192.168.2.4	1.1.1.1
Oct 29, 2024 22:13:34.969158888 CET	53	49452	1.1.1.1	192.168.2.4
Oct 29, 2024 22:13:35.018769979 CET	60766	53	192.168.2.4	1.1.1.1
Oct 29, 2024 22:13:35.027714014 CET	53	60766	1.1.1.1	192.168.2.4
Oct 29, 2024 22:13:39.546287060 CET	64793	53	192.168.2.4	1.1.1.1
Oct 29, 2024 22:13:39.546287060 CET	57085	53	192.168.2.4	1.1.1.1
Oct 29, 2024 22:13:39.546567917 CET	52925	53	192.168.2.4	1.1.1.1
Oct 29, 2024 22:13:39.554495096 CET	53	52925	1.1.1.1	192.168.2.4
Oct 29, 2024 22:13:39.554537058 CET	53	57085	1.1.1.1	192.168.2.4
Oct 29, 2024 22:13:39.554876089 CET	53	64793	1.1.1.1	192.168.2.4
Oct 29, 2024 22:13:39.555193901 CET	57694	53	192.168.2.4	1.1.1.1
Oct 29, 2024 22:13:39.555486917 CET	51763	53	192.168.2.4	1.1.1.1
Oct 29, 2024 22:13:39.555860043 CET	51192	53	192.168.2.4	1.1.1.1
Oct 29, 2024 22:13:39.562968969 CET	53	51763	1.1.1.1	192.168.2.4
Oct 29, 2024 22:13:39.563518047 CET	55950	53	192.168.2.4	1.1.1.1
Oct 29, 2024 22:13:39.563604116 CET	53	57694	1.1.1.1	192.168.2.4
Oct 29, 2024 22:13:39.563635111 CET	53	51192	1.1.1.1	192.168.2.4
Oct 29, 2024 22:13:39.564014912 CET	52960	53	192.168.2.4	1.1.1.1
Oct 29, 2024 22:13:39.564155102 CET	54679	53	192.168.2.4	1.1.1.1
Oct 29, 2024 22:13:39.571295977 CET	53	55950	1.1.1.1	192.168.2.4
Oct 29, 2024 22:13:39.571470022 CET	53	52960	1.1.1.1	192.168.2.4
Oct 29, 2024 22:13:39.571597099 CET	53	54679	1.1.1.1	192.168.2.4
Oct 29, 2024 22:13:39.571868896 CET	64303	53	192.168.2.4	1.1.1.1
Oct 29, 2024 22:13:39.572382927 CET	63988	53	192.168.2.4	1.1.1.1
Oct 29, 2024 22:13:39.579587936 CET	53	64303	1.1.1.1	192.168.2.4
Oct 29, 2024 22:13:39.580152035 CET	65505	53	192.168.2.4	1.1.1.1
Oct 29, 2024 22:13:39.580176115 CET	53	63988	1.1.1.1	192.168.2.4
Oct 29, 2024 22:13:39.580671072 CET	60320	53	192.168.2.4	1.1.1.1
Oct 29, 2024 22:13:39.588268042 CET	53	65505	1.1.1.1	192.168.2.4
Oct 29, 2024 22:13:39.588396072 CET	53	60320	1.1.1.1	192.168.2.4
Oct 29, 2024 22:13:39.588798046 CET	61146	53	192.168.2.4	1.1.1.1
Oct 29, 2024 22:13:39.588903904 CET	50247	53	192.168.2.4	1.1.1.1
Oct 29, 2024 22:13:39.596112013 CET	53	61146	1.1.1.1	192.168.2.4
Oct 29, 2024 22:13:39.596287012 CET	53	50247	1.1.1.1	192.168.2.4
Oct 29, 2024 22:13:43.970057011 CET	58355	53	192.168.2.4	1.1.1.1
Oct 29, 2024 22:13:43.978049994 CET	53	58355	1.1.1.1	192.168.2.4
Oct 29, 2024 22:13:43.989123106 CET	62583	53	192.168.2.4	1.1.1.1
Oct 29, 2024 22:13:43.997576952 CET	53	62583	1.1.1.1	192.168.2.4
Oct 29, 2024 22:13:43.999524117 CET	65379	53	192.168.2.4	1.1.1.1
Oct 29, 2024 22:13:44.008500099 CET	53	65379	1.1.1.1	192.168.2.4
Oct 29, 2024 22:13:44.009021997 CET	63217	53	192.168.2.4	1.1.1.1
Oct 29, 2024 22:13:44.016381025 CET	53	63217	1.1.1.1	192.168.2.4
Oct 29, 2024 22:13:44.016424894 CET	54744	53	192.168.2.4	1.1.1.1
Oct 29, 2024 22:13:44.024544954 CET	53	54744	1.1.1.1	192.168.2.4
Oct 29, 2024 22:13:44.033185005 CET	59862	53	192.168.2.4	1.1.1.1
Oct 29, 2024 22:13:44.041374922 CET	53	59862	1.1.1.1	192.168.2.4
Oct 29, 2024 22:13:44.042537928 CET	51790	53	192.168.2.4	1.1.1.1
Oct 29, 2024 22:13:44.050339937 CET	53	51790	1.1.1.1	192.168.2.4
Oct 29, 2024 22:13:45.606178999 CET	59632	53	192.168.2.4	1.1.1.1
Oct 29, 2024 22:13:45.614691019 CET	53	59632	1.1.1.1	192.168.2.4
Oct 29, 2024 22:14:06.517364979 CET	50507	53	192.168.2.4	1.1.1.1
Oct 29, 2024 22:14:06.525063992 CET	53	50507	1.1.1.1	192.168.2.4
Oct 29, 2024 22:14:06.526664972 CET	55029	53	192.168.2.4	1.1.1.1
Oct 29, 2024 22:14:06.534387112 CET	53	55029	1.1.1.1	192.168.2.4
Oct 29, 2024 22:14:07.152893066 CET	56626	53	192.168.2.4	1.1.1.1
Oct 29, 2024 22:14:14.125900030 CET	52349	53	192.168.2.4	1.1.1.1
Oct 29, 2024 22:14:14.133420944 CET	53	52349	1.1.1.1	192.168.2.4
Oct 29, 2024 22:14:14.803903103 CET	64399	53	192.168.2.4	1.1.1.1
Oct 29, 2024 22:14:14.806360960 CET	59826	53	192.168.2.4	1.1.1.1
Oct 29, 2024 22:14:14.816354990 CET	53	59826	1.1.1.1	192.168.2.4
Oct 29, 2024 22:14:47.381448984 CET	51985	53	192.168.2.4	1.1.1.1
Oct 29, 2024 22:14:47.388712883 CET	53	51985	1.1.1.1	192.168.2.4
Oct 29, 2024 22:14:47.389825106 CET	63457	53	192.168.2.4	1.1.1.1
Oct 29, 2024 22:14:47.397624969 CET	53	63457	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 29, 2024 22:13:15.305042028 CET	192.168.2.4	1.1.1.1	0xea6a	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 29, 2024 22:13:15.323079109 CET	192.168.2.4	1.1.1.1	0x474	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 29, 2024 22:13:17.323257923 CET	192.168.2.4	1.1.1.1	0x1a63	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 22:13:17.332958937 CET	192.168.2.4	1.1.1.1	0xfc33	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 22:13:17.341908932 CET	192.168.2.4	1.1.1.1	0x76ae	Standard query (0)	youtube.com	28	IN (0x0001)	false
Oct 29, 2024 22:13:17.661777020 CET	192.168.2.4	1.1.1.1	0x1632	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 22:13:17.676297903 CET	192.168.2.4	1.1.1.1	0x6fce	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 29, 2024 22:13:17.698451042 CET	192.168.2.4	1.1.1.1	0xbac2	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 29, 2024 22:13:17.930350065 CET	192.168.2.4	1.1.1.1	0x78f	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 22:13:17.941760063 CET	192.168.2.4	1.1.1.1	0x9420	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 22:13:17.942981958 CET	192.168.2.4	1.1.1.1	0x7c79	Standard query (0)	spocs.getpocket.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 22:13:17.950839043 CET	192.168.2.4	1.1.1.1	0x50a3	Standard query (0)	contile.services.mozilla.com	28	IN (0x0001)	false
Oct 29, 2024 22:13:17.952476025 CET	192.168.2.4	1.1.1.1	0x148a	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 29, 2024 22:13:17.958722115 CET	192.168.2.4	1.1.1.1	0xbccb	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 29, 2024 22:13:17.974881887 CET	192.168.2.4	1.1.1.1	0xf69f	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 29, 2024 22:13:17.977060080 CET	192.168.2.4	1.1.1.1	0x8216	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 29, 2024 22:13:18.348372936 CET	192.168.2.4	1.1.1.1	0x47ca	Standard query (0)	example.org	A (IP address)	IN (0x0001)	false
Oct 29, 2024 22:13:18.349081039 CET	192.168.2.4	1.1.1.1	0x9cc1	Standard query (0)	ipv4only.arpa	A (IP address)	IN (0x0001)	false
Oct 29, 2024 22:13:18.366952896 CET	192.168.2.4	1.1.1.1	0x4f8a	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 22:13:18.687165976 CET	192.168.2.4	1.1.1.1	0x7ec6	Standard query (0)	content-signature-2.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Oct 29, 2024 22:13:18.696187019 CET	192.168.2.4	1.1.1.1	0x1464	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 29, 2024 22:13:18.705188990 CET	192.168.2.4	1.1.1.1	0x9579	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 29, 2024 22:13:23.905906916 CET	192.168.2.4	1.1.1.1	0xf034	Standard query (0)	support.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 29, 2024 22:13:23.920540094 CET	192.168.2.4	1.1.1.1	0xd4d4	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 29, 2024 22:13:23.936942101 CET	192.168.2.4	1.1.1.1	0x98ef	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 29, 2024 22:13:24.073295116 CET	192.168.2.4	1.1.1.1	0x359b	Standard query (0)	shavar.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 22:13:24.096590996 CET	192.168.2.4	1.1.1.1	0xa91b	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 22:13:24.109236002 CET	192.168.2.4	1.1.1.1	0x4518	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 22:13:24.142793894 CET	192.168.2.4	1.1.1.1	0x19a8	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 29, 2024 22:13:28.235210896 CET	192.168.2.4	1.1.1.1	0x36cb	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 29, 2024 22:13:29.070910931 CET	192.168.2.4	1.1.1.1	0xadec	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 22:13:29.080158949 CET	192.168.2.4	1.1.1.1	0x51d0	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 29, 2024 22:13:30.784998894 CET	192.168.2.4	1.1.1.1	0x20a0	Standard query (0)	firefox.settings.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 22:13:30.794723034 CET	192.168.2.4	1.1.1.1	0x541c	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 29, 2024 22:13:30.816684008 CET	192.168.2.4	1.1.1.1	0x54bd	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 29, 2024 22:13:34.960649967 CET	192.168.2.4	1.1.1.1	0xaec1	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 29, 2024 22:13:35.018769979 CET	192.168.2.4	1.1.1.1	0xf1ac	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 29, 2024 22:13:39.546287060 CET	192.168.2.4	1.1.1.1	0xd9ac	Standard query (0)	www.facebook.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 22:13:39.546287060 CET	192.168.2.4	1.1.1.1	0xd0aa	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 22:13:39.546567917 CET	192.168.2.4	1.1.1.1	0x3b6e	Standard query (0)	www.wikipedia.org	A (IP address)	IN (0x0001)	false
Oct 29, 2024 22:13:39.555193901 CET	192.168.2.4	1.1.1.1	0x2c70	Standard query (0)	dyna.wikimedia.org	A (IP address)	IN (0x0001)	false
Oct 29, 2024 22:13:39.555486917 CET	192.168.2.4	1.1.1.1	0xf003	Standard query (0)	youtube-ui.l.google.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 22:13:39.555860043 CET	192.168.2.4	1.1.1.1	0x85be	Standard query (0)	star-mini.c10r.facebook.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 22:13:39.563518047 CET	192.168.2.4	1.1.1.1	0xcf5b	Standard query (0)	youtube-ui.l.google.com	28	IN (0x0001)	false
Oct 29, 2024 22:13:39.564014912 CET	192.168.2.4	1.1.1.1	0xdd8a	Standard query (0)	dyna.wikimedia.org	28	IN (0x0001)	false
Oct 29, 2024 22:13:39.564155102 CET	192.168.2.4	1.1.1.1	0xb0c3	Standard query (0)	star-mini.c10r.facebook.com	28	IN (0x0001)	false
Oct 29, 2024 22:13:39.571868896 CET	192.168.2.4	1.1.1.1	0x72d6	Standard query (0)	www.reddit.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 22:13:39.572382927 CET	192.168.2.4	1.1.1.1	0x3cf2	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 22:13:39.580152035 CET	192.168.2.4	1.1.1.1	0xf716	Standard query (0)	reddit.map.fastly.net	A (IP address)	IN (0x0001)	false
Oct 29, 2024 22:13:39.580671072 CET	192.168.2.4	1.1.1.1	0x444f	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 22:13:39.588798046 CET	192.168.2.4	1.1.1.1	0xba4d	Standard query (0)	reddit.map.fastly.net	28	IN (0x0001)	false
Oct 29, 2024 22:13:39.588903904 CET	192.168.2.4	1.1.1.1	0x405b	Standard query (0)	twitter.com	28	IN (0x0001)	false
Oct 29, 2024 22:13:43.970057011 CET	192.168.2.4	1.1.1.1	0x2a87	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 29, 2024 22:13:43.989123106 CET	192.168.2.4	1.1.1.1	0x44c1	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 29, 2024 22:13:43.999524117 CET	192.168.2.4	1.1.1.1	0xd4c5	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 29, 2024 22:13:44.009021997 CET	192.168.2.4	1.1.1.1	0xa5c5	Standard query (0)	services.addons.mozilla.org	28	IN (0x0001)	false
Oct 29, 2024 22:13:44.016424894 CET	192.168.2.4	1.1.1.1	0x9e1c	Standard query (0)	normandy.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Oct 29, 2024 22:13:44.033185005 CET	192.168.2.4	1.1.1.1	0xf03f	Standard query (0)	normandy-cdn.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 22:13:44.042537928 CET	192.168.2.4	1.1.1.1	0xb71a	Standard query (0)	normandy-cdn.services.mozilla.com	28	IN (0x0001)	false
Oct 29, 2024 22:13:45.606178999 CET	192.168.2.4	1.1.1.1	0xfce8	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 29, 2024 22:14:06.517364979 CET	192.168.2.4	1.1.1.1	0xf5a8	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 22:14:06.526664972 CET	192.168.2.4	1.1.1.1	0xb201	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 29, 2024 22:14:07.152893066 CET	192.168.2.4	1.1.1.1	0xfdb1	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 22:14:14.125900030 CET	192.168.2.4	1.1.1.1	0x4abf	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 29, 2024 22:14:14.803903103 CET	192.168.2.4	1.1.1.1	0xae12	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 22:14:14.806360960 CET	192.168.2.4	1.1.1.1	0xeba4	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 29, 2024 22:14:47.381448984 CET	192.168.2.4	1.1.1.1	0x5ed6	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 22:14:47.389825106 CET	192.168.2.4	1.1.1.1	0x9db8	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 29, 2024 22:13:15.270766020 CET	1.1.1.1	192.168.2.4	0x2513	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Oct 29, 2024 22:13:15.313699007 CET	1.1.1.1	192.168.2.4	0xea6a	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Oct 29, 2024 22:13:17.331805944 CET	1.1.1.1	192.168.2.4	0x1a63	No error (0)	youtube.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Oct 29, 2024 22:13:17.341387033 CET	1.1.1.1	192.168.2.4	0xfc33	No error (0)	youtube.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Oct 29, 2024 22:13:17.349987030 CET	1.1.1.1	192.168.2.4	0x76ae	No error (0)	youtube.com			28	IN (0x0001)	false
Oct 29, 2024 22:13:17.669682026 CET	1.1.1.1	192.168.2.4	0x1632	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 29, 2024 22:13:17.669682026 CET	1.1.1.1	192.168.2.4	0x1632	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 29, 2024 22:13:17.683830023 CET	1.1.1.1	192.168.2.4	0x6fce	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 29, 2024 22:13:17.705955982 CET	1.1.1.1	192.168.2.4	0xbac2	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net			28	IN (0x0001)	false
Oct 29, 2024 22:13:17.939270020 CET	1.1.1.1	192.168.2.4	0x78f	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 29, 2024 22:13:17.950347900 CET	1.1.1.1	192.168.2.4	0x9420	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 29, 2024 22:13:17.951114893 CET	1.1.1.1	192.168.2.4	0x7c79	No error (0)	spocs.getpocket.com	prod.ads.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 29, 2024 22:13:17.951114893 CET	1.1.1.1	192.168.2.4	0x7c79	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 29, 2024 22:13:17.957536936 CET	1.1.1.1	192.168.2.4	0x95a9	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 29, 2024 22:13:17.957536936 CET	1.1.1.1	192.168.2.4	0x95a9	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 29, 2024 22:13:17.960463047 CET	1.1.1.1	192.168.2.4	0x148a	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 29, 2024 22:13:17.966645002 CET	1.1.1.1	192.168.2.4	0xbccb	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 29, 2024 22:13:18.356726885 CET	1.1.1.1	192.168.2.4	0x47ca	No error (0)	example.org		93.184.215.14	A (IP address)	IN (0x0001)	false
Oct 29, 2024 22:13:18.357033014 CET	1.1.1.1	192.168.2.4	0x9cc1	No error (0)	ipv4only.arpa		192.0.0.171	A (IP address)	IN (0x0001)	false
Oct 29, 2024 22:13:18.357033014 CET	1.1.1.1	192.168.2.4	0x9cc1	No error (0)	ipv4only.arpa		192.0.0.170	A (IP address)	IN (0x0001)	false
Oct 29, 2024 22:13:18.375433922 CET	1.1.1.1	192.168.2.4	0x4f8a	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 29, 2024 22:13:18.375433922 CET	1.1.1.1	192.168.2.4	0x4f8a	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 29, 2024 22:13:18.695126057 CET	1.1.1.1	192.168.2.4	0x7ec6	No error (0)	content-signature-2.cdn.mozilla.net	content-signature-chains.prod.autograph.services.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 29, 2024 22:13:18.695126057 CET	1.1.1.1	192.168.2.4	0x7ec6	No error (0)	content-signature-chains.prod.autograph.services.mozaws.net	prod.content-signature-chains.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 29, 2024 22:13:18.695126057 CET	1.1.1.1	192.168.2.4	0x7ec6	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Oct 29, 2024 22:13:18.704081059 CET	1.1.1.1	192.168.2.4	0x1464	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Oct 29, 2024 22:13:18.713246107 CET	1.1.1.1	192.168.2.4	0x9579	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net			28	IN (0x0001)	false
Oct 29, 2024 22:13:23.914307117 CET	1.1.1.1	192.168.2.4	0xf034	No error (0)	support.mozilla.org	prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 29, 2024 22:13:23.914307117 CET	1.1.1.1	192.168.2.4	0xf034	No error (0)	prod.sumo.prod.webservices.mozgcp.net	us-west1.prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 29, 2024 22:13:23.914307117 CET	1.1.1.1	192.168.2.4	0xf034	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Oct 29, 2024 22:13:23.929913044 CET	1.1.1.1	192.168.2.4	0xd4d4	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Oct 29, 2024 22:13:24.083910942 CET	1.1.1.1	192.168.2.4	0x359b	No error (0)	shavar.services.mozilla.com	shavar.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 29, 2024 22:13:24.104788065 CET	1.1.1.1	192.168.2.4	0xa91b	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 29, 2024 22:13:24.116971016 CET	1.1.1.1	192.168.2.4	0x4518	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 29, 2024 22:13:28.241797924 CET	1.1.1.1	192.168.2.4	0xce20	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 29, 2024 22:13:28.241797924 CET	1.1.1.1	192.168.2.4	0xce20	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 29, 2024 22:13:29.069998980 CET	1.1.1.1	192.168.2.4	0xf71c	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 29, 2024 22:13:29.079653025 CET	1.1.1.1	192.168.2.4	0xadec	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 29, 2024 22:13:30.045347929 CET	1.1.1.1	192.168.2.4	0xaa19	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 29, 2024 22:13:30.792490959 CET	1.1.1.1	192.168.2.4	0x20a0	No error (0)	firefox.settings.services.mozilla.com	prod.remote-settings.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 29, 2024 22:13:30.792490959 CET	1.1.1.1	192.168.2.4	0x20a0	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Oct 29, 2024 22:13:30.802201986 CET	1.1.1.1	192.168.2.4	0x541c	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Oct 29, 2024 22:13:39.554495096 CET	1.1.1.1	192.168.2.4	0x3b6e	No error (0)	www.wikipedia.org	dyna.wikimedia.org		CNAME (Canonical name)	IN (0x0001)	false
Oct 29, 2024 22:13:39.554495096 CET	1.1.1.1	192.168.2.4	0x3b6e	No error (0)	dyna.wikimedia.org		185.15.59.224	A (IP address)	IN (0x0001)	false
Oct 29, 2024 22:13:39.554537058 CET	1.1.1.1	192.168.2.4	0xd0aa	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 29, 2024 22:13:39.554537058 CET	1.1.1.1	192.168.2.4	0xd0aa	No error (0)	youtube-ui.l.google.com		142.250.181.238	A (IP address)	IN (0x0001)	false
Oct 29, 2024 22:13:39.554537058 CET	1.1.1.1	192.168.2.4	0xd0aa	No error (0)	youtube-ui.l.google.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Oct 29, 2024 22:13:39.554537058 CET	1.1.1.1	192.168.2.4	0xd0aa	No error (0)	youtube-ui.l.google.com		172.217.18.110	A (IP address)	IN (0x0001)	false
Oct 29, 2024 22:13:39.554537058 CET	1.1.1.1	192.168.2.4	0xd0aa	No error (0)	youtube-ui.l.google.com		142.250.185.110	A (IP address)	IN (0x0001)	false
Oct 29, 2024 22:13:39.554537058 CET	1.1.1.1	192.168.2.4	0xd0aa	No error (0)	youtube-ui.l.google.com		142.250.185.174	A (IP address)	IN (0x0001)	false
Oct 29, 2024 22:13:39.554537058 CET	1.1.1.1	192.168.2.4	0xd0aa	No error (0)	youtube-ui.l.google.com		172.217.23.110	A (IP address)	IN (0x0001)	false
Oct 29, 2024 22:13:39.554537058 CET	1.1.1.1	192.168.2.4	0xd0aa	No error (0)	youtube-ui.l.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Oct 29, 2024 22:13:39.554537058 CET	1.1.1.1	192.168.2.4	0xd0aa	No error (0)	youtube-ui.l.google.com		216.58.206.46	A (IP address)	IN (0x0001)	false
Oct 29, 2024 22:13:39.554537058 CET	1.1.1.1	192.168.2.4	0xd0aa	No error (0)	youtube-ui.l.google.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Oct 29, 2024 22:13:39.554537058 CET	1.1.1.1	192.168.2.4	0xd0aa	No error (0)	youtube-ui.l.google.com		172.217.16.206	A (IP address)	IN (0x0001)	false
Oct 29, 2024 22:13:39.554537058 CET	1.1.1.1	192.168.2.4	0xd0aa	No error (0)	youtube-ui.l.google.com		216.58.206.78	A (IP address)	IN (0x0001)	false
Oct 29, 2024 22:13:39.554537058 CET	1.1.1.1	192.168.2.4	0xd0aa	No error (0)	youtube-ui.l.google.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Oct 29, 2024 22:13:39.554537058 CET	1.1.1.1	192.168.2.4	0xd0aa	No error (0)	youtube-ui.l.google.com		142.250.186.46	A (IP address)	IN (0x0001)	false
Oct 29, 2024 22:13:39.554537058 CET	1.1.1.1	192.168.2.4	0xd0aa	No error (0)	youtube-ui.l.google.com		142.250.186.174	A (IP address)	IN (0x0001)	false
Oct 29, 2024 22:13:39.554537058 CET	1.1.1.1	192.168.2.4	0xd0aa	No error (0)	youtube-ui.l.google.com		216.58.212.142	A (IP address)	IN (0x0001)	false
Oct 29, 2024 22:13:39.554537058 CET	1.1.1.1	192.168.2.4	0xd0aa	No error (0)	youtube-ui.l.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Oct 29, 2024 22:13:39.554876089 CET	1.1.1.1	192.168.2.4	0xd9ac	No error (0)	www.facebook.com	star-mini.c10r.facebook.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 29, 2024 22:13:39.554876089 CET	1.1.1.1	192.168.2.4	0xd9ac	No error (0)	star-mini.c10r.facebook.com		157.240.0.35	A (IP address)	IN (0x0001)	false
Oct 29, 2024 22:13:39.562968969 CET	1.1.1.1	192.168.2.4	0xf003	No error (0)	youtube-ui.l.google.com		142.250.186.174	A (IP address)	IN (0x0001)	false
Oct 29, 2024 22:13:39.562968969 CET	1.1.1.1	192.168.2.4	0xf003	No error (0)	youtube-ui.l.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Oct 29, 2024 22:13:39.562968969 CET	1.1.1.1	192.168.2.4	0xf003	No error (0)	youtube-ui.l.google.com		142.250.185.174	A (IP address)	IN (0x0001)	false
Oct 29, 2024 22:13:39.562968969 CET	1.1.1.1	192.168.2.4	0xf003	No error (0)	youtube-ui.l.google.com		172.217.16.206	A (IP address)	IN (0x0001)	false
Oct 29, 2024 22:13:39.562968969 CET	1.1.1.1	192.168.2.4	0xf003	No error (0)	youtube-ui.l.google.com		172.217.23.110	A (IP address)	IN (0x0001)	false
Oct 29, 2024 22:13:39.562968969 CET	1.1.1.1	192.168.2.4	0xf003	No error (0)	youtube-ui.l.google.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Oct 29, 2024 22:13:39.562968969 CET	1.1.1.1	192.168.2.4	0xf003	No error (0)	youtube-ui.l.google.com		216.58.206.78	A (IP address)	IN (0x0001)	false
Oct 29, 2024 22:13:39.562968969 CET	1.1.1.1	192.168.2.4	0xf003	No error (0)	youtube-ui.l.google.com		142.250.186.110	A (IP address)	IN (0x0001)	false
Oct 29, 2024 22:13:39.562968969 CET	1.1.1.1	192.168.2.4	0xf003	No error (0)	youtube-ui.l.google.com		142.250.181.238	A (IP address)	IN (0x0001)	false
Oct 29, 2024 22:13:39.562968969 CET	1.1.1.1	192.168.2.4	0xf003	No error (0)	youtube-ui.l.google.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Oct 29, 2024 22:13:39.562968969 CET	1.1.1.1	192.168.2.4	0xf003	No error (0)	youtube-ui.l.google.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Oct 29, 2024 22:13:39.562968969 CET	1.1.1.1	192.168.2.4	0xf003	No error (0)	youtube-ui.l.google.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Oct 29, 2024 22:13:39.562968969 CET	1.1.1.1	192.168.2.4	0xf003	No error (0)	youtube-ui.l.google.com		142.250.186.46	A (IP address)	IN (0x0001)	false
Oct 29, 2024 22:13:39.562968969 CET	1.1.1.1	192.168.2.4	0xf003	No error (0)	youtube-ui.l.google.com		172.217.18.14	A (IP address)	IN (0x0001)	false
Oct 29, 2024 22:13:39.562968969 CET	1.1.1.1	192.168.2.4	0xf003	No error (0)	youtube-ui.l.google.com		142.250.186.78	A (IP address)	IN (0x0001)	false
Oct 29, 2024 22:13:39.562968969 CET	1.1.1.1	192.168.2.4	0xf003	No error (0)	youtube-ui.l.google.com		216.58.206.46	A (IP address)	IN (0x0001)	false
Oct 29, 2024 22:13:39.563604116 CET	1.1.1.1	192.168.2.4	0x2c70	No error (0)	dyna.wikimedia.org		185.15.59.224	A (IP address)	IN (0x0001)	false
Oct 29, 2024 22:13:39.563635111 CET	1.1.1.1	192.168.2.4	0x85be	No error (0)	star-mini.c10r.facebook.com		157.240.0.35	A (IP address)	IN (0x0001)	false
Oct 29, 2024 22:13:39.571295977 CET	1.1.1.1	192.168.2.4	0xcf5b	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 29, 2024 22:13:39.571295977 CET	1.1.1.1	192.168.2.4	0xcf5b	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 29, 2024 22:13:39.571295977 CET	1.1.1.1	192.168.2.4	0xcf5b	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 29, 2024 22:13:39.571295977 CET	1.1.1.1	192.168.2.4	0xcf5b	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 29, 2024 22:13:39.571470022 CET	1.1.1.1	192.168.2.4	0xdd8a	No error (0)	dyna.wikimedia.org			28	IN (0x0001)	false
Oct 29, 2024 22:13:39.571597099 CET	1.1.1.1	192.168.2.4	0xb0c3	No error (0)	star-mini.c10r.facebook.com			28	IN (0x0001)	false
Oct 29, 2024 22:13:39.579587936 CET	1.1.1.1	192.168.2.4	0x72d6	No error (0)	www.reddit.com	reddit.map.fastly.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 29, 2024 22:13:39.579587936 CET	1.1.1.1	192.168.2.4	0x72d6	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Oct 29, 2024 22:13:39.579587936 CET	1.1.1.1	192.168.2.4	0x72d6	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Oct 29, 2024 22:13:39.579587936 CET	1.1.1.1	192.168.2.4	0x72d6	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Oct 29, 2024 22:13:39.579587936 CET	1.1.1.1	192.168.2.4	0x72d6	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Oct 29, 2024 22:13:39.580176115 CET	1.1.1.1	192.168.2.4	0x3cf2	No error (0)	twitter.com		104.244.42.1	A (IP address)	IN (0x0001)	false
Oct 29, 2024 22:13:39.588268042 CET	1.1.1.1	192.168.2.4	0xf716	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Oct 29, 2024 22:13:39.588268042 CET	1.1.1.1	192.168.2.4	0xf716	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Oct 29, 2024 22:13:39.588268042 CET	1.1.1.1	192.168.2.4	0xf716	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Oct 29, 2024 22:13:39.588268042 CET	1.1.1.1	192.168.2.4	0xf716	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Oct 29, 2024 22:13:39.588396072 CET	1.1.1.1	192.168.2.4	0x444f	No error (0)	twitter.com		104.244.42.65	A (IP address)	IN (0x0001)	false
Oct 29, 2024 22:13:43.997576952 CET	1.1.1.1	192.168.2.4	0x44c1	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Oct 29, 2024 22:13:43.997576952 CET	1.1.1.1	192.168.2.4	0x44c1	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Oct 29, 2024 22:13:43.997576952 CET	1.1.1.1	192.168.2.4	0x44c1	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Oct 29, 2024 22:13:43.997576952 CET	1.1.1.1	192.168.2.4	0x44c1	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Oct 29, 2024 22:13:44.008500099 CET	1.1.1.1	192.168.2.4	0xd4c5	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Oct 29, 2024 22:13:44.008500099 CET	1.1.1.1	192.168.2.4	0xd4c5	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Oct 29, 2024 22:13:44.008500099 CET	1.1.1.1	192.168.2.4	0xd4c5	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Oct 29, 2024 22:13:44.008500099 CET	1.1.1.1	192.168.2.4	0xd4c5	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Oct 29, 2024 22:13:44.016381025 CET	1.1.1.1	192.168.2.4	0xa5c5	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Oct 29, 2024 22:13:44.016381025 CET	1.1.1.1	192.168.2.4	0xa5c5	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Oct 29, 2024 22:13:44.016381025 CET	1.1.1.1	192.168.2.4	0xa5c5	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Oct 29, 2024 22:13:44.016381025 CET	1.1.1.1	192.168.2.4	0xa5c5	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Oct 29, 2024 22:13:44.024544954 CET	1.1.1.1	192.168.2.4	0x9e1c	No error (0)	normandy.cdn.mozilla.net	normandy-cdn.services.mozilla.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 29, 2024 22:13:44.024544954 CET	1.1.1.1	192.168.2.4	0x9e1c	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Oct 29, 2024 22:13:44.041374922 CET	1.1.1.1	192.168.2.4	0xf03f	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Oct 29, 2024 22:13:45.259485960 CET	1.1.1.1	192.168.2.4	0xba27	No error (0)	a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com	a17.rackcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 29, 2024 22:13:45.259485960 CET	1.1.1.1	192.168.2.4	0xba27	No error (0)	a17.rackcdn.com	a17.rackcdn.com.mdc.edgesuite.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 29, 2024 22:14:06.525063992 CET	1.1.1.1	192.168.2.4	0xf5a8	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 29, 2024 22:14:07.160681009 CET	1.1.1.1	192.168.2.4	0xfdb1	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 29, 2024 22:14:07.160681009 CET	1.1.1.1	192.168.2.4	0xfdb1	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 29, 2024 22:14:14.116868973 CET	1.1.1.1	192.168.2.4	0xd317	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 29, 2024 22:14:14.811808109 CET	1.1.1.1	192.168.2.4	0xae12	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 29, 2024 22:14:14.811808109 CET	1.1.1.1	192.168.2.4	0xae12	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 29, 2024 22:14:47.388712883 CET	1.1.1.1	192.168.2.4	0x5ed6	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

detectportal.firefox.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49740	34.107.221.82	80	5080	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 29, 2024 22:13:17.715981007 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 29, 2024 22:13:18.324840069 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 29 Oct 2024 14:39:46 GMT Age: 23612 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49744	34.107.221.82	80	5080	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 29, 2024 22:13:18.385312080 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 29, 2024 22:13:18.981986046 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 29 Oct 2024 11:21:47 GMT Age: 35491 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49749	34.107.221.82	80	5080	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 29, 2024 22:13:18.722285032 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 29, 2024 22:13:19.336874008 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 29 Oct 2024 14:39:46 GMT Age: 23613 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 29, 2024 22:13:20.212815046 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 29, 2024 22:13:20.339437008 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 29 Oct 2024 14:39:46 GMT Age: 23614 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 29, 2024 22:13:24.005816936 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 29, 2024 22:13:24.133351088 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 29 Oct 2024 14:39:46 GMT Age: 23618 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 29, 2024 22:13:29.741440058 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 29, 2024 22:13:29.866815090 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 29 Oct 2024 14:39:46 GMT Age: 23623 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 29, 2024 22:13:31.288064003 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 29, 2024 22:13:31.416743040 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 29 Oct 2024 14:39:46 GMT Age: 23625 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 29, 2024 22:13:32.011826992 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 29, 2024 22:13:32.137223005 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 29 Oct 2024 14:39:46 GMT Age: 23626 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 29, 2024 22:13:34.952222109 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 29, 2024 22:13:35.078502893 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 29 Oct 2024 14:39:46 GMT Age: 23629 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 29, 2024 22:13:35.594494104 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 29, 2024 22:13:35.719569921 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 29 Oct 2024 14:39:46 GMT Age: 23629 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 29, 2024 22:13:37.905143023 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 29, 2024 22:13:38.031203985 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 29 Oct 2024 14:39:46 GMT Age: 23631 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 29, 2024 22:13:38.522838116 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 29, 2024 22:13:38.648093939 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 29 Oct 2024 14:39:46 GMT Age: 23632 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 29, 2024 22:13:44.621275902 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 29, 2024 22:13:44.747497082 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 29 Oct 2024 14:39:46 GMT Age: 23638 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 29, 2024 22:13:44.951230049 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 29, 2024 22:13:45.075938940 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 29 Oct 2024 14:39:46 GMT Age: 23639 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 29, 2024 22:13:45.248512983 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 29, 2024 22:13:45.373512983 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 29 Oct 2024 14:39:46 GMT Age: 23639 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 29, 2024 22:13:46.245393038 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 29, 2024 22:13:46.390552998 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 29 Oct 2024 14:39:46 GMT Age: 23640 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 29, 2024 22:13:51.506815910 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 29, 2024 22:13:51.637164116 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 29 Oct 2024 14:39:46 GMT Age: 23645 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 29, 2024 22:14:01.644440889 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 29, 2024 22:14:07.152641058 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 29, 2024 22:14:07.279198885 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 29 Oct 2024 14:39:46 GMT Age: 23661 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 29, 2024 22:14:14.803261995 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 29, 2024 22:14:14.928308010 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 29 Oct 2024 14:39:46 GMT Age: 23668 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 29, 2024 22:14:15.422413111 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 29, 2024 22:14:15.547265053 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 29 Oct 2024 14:39:46 GMT Age: 23669 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 29, 2024 22:14:25.559146881 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 29, 2024 22:14:35.571444988 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 29, 2024 22:14:45.585421085 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 29, 2024 22:14:48.005633116 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 29, 2024 22:14:48.131135941 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 29 Oct 2024 14:39:46 GMT Age: 23702 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 29, 2024 22:14:58.136471987 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 29, 2024 22:15:08.149786949 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 29, 2024 22:15:18.165225983 CET	6	OUT	Data Raw: 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49753	34.107.221.82	80	5080	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 29, 2024 22:13:20.100672960 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 29, 2024 22:13:20.706851006 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 29 Oct 2024 11:21:47 GMT Age: 35493 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 29, 2024 22:13:20.841059923 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 29, 2024 22:13:20.978498936 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 29 Oct 2024 11:21:47 GMT Age: 35493 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 29, 2024 22:13:29.060430050 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 29, 2024 22:13:29.188456059 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 29 Oct 2024 11:21:47 GMT Age: 35502 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 29, 2024 22:13:30.380023956 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 29, 2024 22:13:30.556818008 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 29 Oct 2024 11:21:47 GMT Age: 35503 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 29, 2024 22:13:31.573097944 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 29, 2024 22:13:31.956809998 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 29 Oct 2024 11:21:47 GMT Age: 35504 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 29, 2024 22:13:32.000227928 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 29 Oct 2024 11:21:47 GMT Age: 35504 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 29, 2024 22:13:33.823177099 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 29, 2024 22:13:33.950434923 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 29 Oct 2024 11:21:47 GMT Age: 35506 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 29, 2024 22:13:35.087420940 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 29, 2024 22:13:35.216517925 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 29 Oct 2024 11:21:47 GMT Age: 35508 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 29, 2024 22:13:35.723591089 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 29, 2024 22:13:35.861164093 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 29 Oct 2024 11:21:47 GMT Age: 35508 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 29, 2024 22:13:38.034559011 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 29, 2024 22:13:38.161870956 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 29 Oct 2024 11:21:47 GMT Age: 35511 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 29, 2024 22:13:38.651065111 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 29, 2024 22:13:38.780415058 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 29 Oct 2024 11:21:47 GMT Age: 35511 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 29, 2024 22:13:44.750567913 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 29, 2024 22:13:44.878680944 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 29 Oct 2024 11:21:47 GMT Age: 35517 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 29, 2024 22:13:45.078849077 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 29, 2024 22:13:45.205964088 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 29 Oct 2024 11:21:47 GMT Age: 35518 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 29, 2024 22:13:45.376236916 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 29, 2024 22:13:45.504854918 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 29 Oct 2024 11:21:47 GMT Age: 35518 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 29, 2024 22:13:46.393452883 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 29, 2024 22:13:46.526299953 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 29 Oct 2024 11:21:47 GMT Age: 35519 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 29, 2024 22:13:51.640640020 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 29, 2024 22:13:51.771903038 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 29 Oct 2024 11:21:47 GMT Age: 35524 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 29, 2024 22:14:01.782694101 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 29, 2024 22:14:07.282607079 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 29, 2024 22:14:07.413830996 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 29 Oct 2024 11:21:47 GMT Age: 35540 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 29, 2024 22:14:14.971955061 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 29, 2024 22:14:15.099267006 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 29 Oct 2024 11:21:47 GMT Age: 35548 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 29, 2024 22:14:15.549993992 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 29, 2024 22:14:15.677680016 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 29 Oct 2024 11:21:47 GMT Age: 35548 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 29, 2024 22:14:25.690700054 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 29, 2024 22:14:35.703028917 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 29, 2024 22:14:45.716953039 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 29, 2024 22:14:48.135198116 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 29, 2024 22:14:48.263973951 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 29 Oct 2024 11:21:47 GMT Age: 35581 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 29, 2024 22:14:58.268068075 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 29, 2024 22:15:08.281362057 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 29, 2024 22:15:18.296828032 CET	6	OUT	Data Raw: 00 Data Ascii:

Target ID:	0
Start time:	17:13:08
Start date:	29/10/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x800000
File size:	919'552 bytes
MD5 hash:	2B3523ADFEDE40FCC0910D8D35A35CF0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	17:13:08
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM firefox.exe /T
Imagebase:	0xe90000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	17:13:08
Start date:	29/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	17:13:11
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM chrome.exe /T
Imagebase:	0xe90000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	17:13:11
Start date:	29/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	17:13:11
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM msedge.exe /T
Imagebase:	0xe90000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	17:13:11
Start date:	29/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	17:13:11
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM opera.exe /T
Imagebase:	0xe90000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	17:13:11
Start date:	29/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	17:13:11
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM brave.exe /T
Imagebase:	0xe90000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	17:13:11
Start date:	29/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	17:13:11
Start date:	29/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	17:13:12
Start date:	29/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	17:13:12
Start date:	29/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	15
Start time:	17:13:12
Start date:	29/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2308 -parentBuildID 20230927232528 -prefsHandle 2224 -prefMapHandle 2216 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {91e90625-3af1-419d-b329-d47348c99b65} 5080 "\\.\pipe\gecko-crash-server-pipe.5080" 204cee70110 socket
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	17:13:14
Start date:	29/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4092 -parentBuildID 20230927232528 -prefsHandle 4196 -prefMapHandle 4192 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fe80c1c2-3d88-4182-86bc-9713acac0c0a} 5080 "\\.\pipe\gecko-crash-server-pipe.5080" 204deae0510 rdd
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	20
Start time:	17:13:29
Start date:	29/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5032 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5012 -prefMapHandle 4912 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {abcfe1b7-5ad9-4851-a943-b22c8fa72fb9} 5080 "\\.\pipe\gecko-crash-server-pipe.5080" 204e772f910 utility
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.4%
Total number of Nodes:	1540
Total number of Limit Nodes:	53

Executed Functions

Function 008042DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 0080430D

Part of subcall function 00806B57: _wcslen.LIBCMT ref: 00806B6A

GetCurrentProcess.KERNEL32(?,0089CB64,00000000,?,?), ref: 00804422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00804429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00804454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00804466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00804474
FreeLibrary.KERNEL32(00000000,?,?), ref: 0080447B
GetSystemInfo.KERNEL32(?,?,?), ref: 008044A0

Strings

|O, xrefs: 008436F8
GetNativeSystemInfo, xrefs: 00804460
kernel32.dll, xrefs: 0080444F

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: bbca0355d8f7c273a56c356c637808a1adb54821b64df1b41161735767f7c367
Instruction ID: f329c84199354af2a60285fbdb99c8b3c8eb84952a86b822589fce43d9c30b15
Opcode Fuzzy Hash: bbca0355d8f7c273a56c356c637808a1adb54821b64df1b41161735767f7c367
Instruction Fuzzy Hash: C7A1C5A190B7C4FFCF19D769BC491967FA5FF26304B085AABE081D3B62D2384508CB25

Function 008042A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,008050AA,?,?,00000000,00000000), ref: 008042B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,008050AA,?,?,00000000,00000000), ref: 008042C9
LoadResource.KERNEL32(?,00000000,?,?,008050AA,?,?,00000000,00000000,?,?,?,?,?,?,00804F20), ref: 008435BE
SizeofResource.KERNEL32(?,00000000,?,?,008050AA,?,?,00000000,00000000,?,?,?,?,?,?,00804F20), ref: 008435D3
LockResource.KERNEL32(008050AA,?,?,008050AA,?,?,00000000,00000000,?,?,?,?,?,?,00804F20,?), ref: 008435E6

Strings

SCRIPT, xrefs: 008042BF

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 654b4a078150d70d248763fe40da1ffb74e28eb41c28825172f6f531ad3b9819
Instruction ID: c9af704d2635dff017b091eec1734176d7d85ec35c3431d55387d4fdb02fa784
Opcode Fuzzy Hash: 654b4a078150d70d248763fe40da1ffb74e28eb41c28825172f6f531ad3b9819
Instruction Fuzzy Hash: 1D117CB0240701BFDB219BA5DC48F277BB9FBC5B51F14416AB512D6290DBB2D8008630

Function 00842BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00802B6B

Part of subcall function 00803A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,008D1418,?,00802E7F,?,?,?,00000000), ref: 00803A78

Part of subcall function 00809CB3: _wcslen.LIBCMT ref: 00809CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,008C2224), ref: 00842C10
ShellExecuteW.SHELL32(00000000,?,?,008C2224), ref: 00842C17

Strings

runas, xrefs: 00842C0B

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: 19647ff7a8d4cdfa3bc90c3a5a8f0e735ce21a6b40bbf764d8bd5cbddc1cc79a
Instruction ID: 9196b3ecaa36445f24c782043721f103306d3afc0f634998123c580b544ac370
Opcode Fuzzy Hash: 19647ff7a8d4cdfa3bc90c3a5a8f0e735ce21a6b40bbf764d8bd5cbddc1cc79a
Instruction Fuzzy Hash: FB11C331208245AACB54FF68DC56A6E77A9FF90710F44052EF182C21E3CF6185498713

Function 0086D4DC Relevance: 6.1, APIs: 4, Instructions: 86
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0086D501
Process32FirstW.KERNEL32(00000000,?), ref: 0086D50F
Process32NextW.KERNEL32(00000000,?), ref: 0086D52F
CloseHandle.KERNELBASE(00000000), ref: 0086D5DC

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: e819533a6682472e42c412793e0489c824cbfbd14c8a9d8173f82bbaff558e23
Instruction ID: 15878d53fa7ba46336164891de2bec6b4d5071e54e0702c28390ac88e389058c
Opcode Fuzzy Hash: e819533a6682472e42c412793e0489c824cbfbd14c8a9d8173f82bbaff558e23
Instruction Fuzzy Hash: EE316D715083009FD304EF58CC85AABBBE8FF99354F14092DF582C62A2EB719945CBA3

Function 0086DBBE Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00845222), ref: 0086DBCE
GetFileAttributesW.KERNELBASE(?), ref: 0086DBDD
FindFirstFileW.KERNEL32(?,?), ref: 0086DBEE
FindClose.KERNEL32(00000000), ref: 0086DBFA

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: c6789ca95c53bec43d94937e8816003ffe08bfd47821872a93f617d577291cdc
Instruction ID: d1865f2d52c12536042ecdae446e20da388d7512629ecd88f17f6e871a805e43
Opcode Fuzzy Hash: c6789ca95c53bec43d94937e8816003ffe08bfd47821872a93f617d577291cdc
Instruction Fuzzy Hash: 8BF0A030810A1857C220BBB8AC0D8AA376CFF41334F584703F836C22E0EBB2599486D9

Function 00824CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(008328E9,?,00824CBE,008328E9,008C88B8,0000000C,00824E15,008328E9,00000002,00000000,?,008328E9), ref: 00824D09
TerminateProcess.KERNEL32(00000000,?,00824CBE,008328E9,008C88B8,0000000C,00824E15,008328E9,00000002,00000000,?,008328E9), ref: 00824D10
ExitProcess.KERNEL32 ref: 00824D22

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 6f7fec4d84d3118d402d89501b6db590fee2f2e4dd7685c3a305e9a438f9df88
Instruction ID: 3034148376c99c869a87218ae51fba2d51a89c8c322925dfb1c2c8a4230e3ec9
Opcode Fuzzy Hash: 6f7fec4d84d3118d402d89501b6db590fee2f2e4dd7685c3a305e9a438f9df88
Instruction Fuzzy Hash: A7E0B631000158AFCF11BF54EE0AA583B69FB41B81F144015FC09CB222DB36DD82DAA0

Function 0088AFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 0088B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0088B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0088B1D4
_wcslen.LIBCMT ref: 0088B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0088B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0088B236
_wcslen.LIBCMT ref: 0088B332

Part of subcall function 008705A7: GetStdHandle.KERNEL32(000000F6), ref: 008705C6

_wcslen.LIBCMT ref: 0088B34B
_wcslen.LIBCMT ref: 0088B366
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0088B3B6
GetLastError.KERNEL32(00000000), ref: 0088B407
CloseHandle.KERNEL32(?), ref: 0088B439
CloseHandle.KERNEL32(00000000), ref: 0088B44A
CloseHandle.KERNEL32(00000000), ref: 0088B45C
CloseHandle.KERNEL32(00000000), ref: 0088B46E
CloseHandle.KERNEL32(?), ref: 0088B4E3

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 6de5dc8f3cd9fe10eed1a1368feaef8e6ec82e3c7e94148aade30224bc238df5
Instruction ID: 08c62094ad9b498b75586de95bc3612b1613181c395253b9807713f1a29b8c88
Opcode Fuzzy Hash: 6de5dc8f3cd9fe10eed1a1368feaef8e6ec82e3c7e94148aade30224bc238df5
Instruction Fuzzy Hash: F4F159316082409FDB14EF28C891B6ABBE5FF85314F18855DF899DB2A2DB31EC45CB52

Function 0080D730 Relevance: 21.6, APIs: 14, Instructions: 618windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 0080D807
timeGetTime.WINMM ref: 0080DA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0080DB28
TranslateMessage.USER32(?), ref: 0080DB7B
DispatchMessageW.USER32(?), ref: 0080DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0080DB9F
Sleep.KERNELBASE(0000000A), ref: 0080DBB1

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 2b4839b53b55d779d9f987357d4026bfc9c8020e122090c9e560daef6ce1ac27
Instruction ID: 494a858bb849e4e40eebacc1ebde2272fc3866ad984dff2ffad9317f40e0587e
Opcode Fuzzy Hash: 2b4839b53b55d779d9f987357d4026bfc9c8020e122090c9e560daef6ce1ac27
Instruction Fuzzy Hash: CE42EF30608345EFDB69DB68CC44BAABBE4FF46314F14865AE855C72D1DB70E848CB92

Function 00802CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00802D07
RegisterClassExW.USER32(00000030), ref: 00802D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00802D42
InitCommonControlsEx.COMCTL32(?), ref: 00802D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00802D6F
LoadIconW.USER32(000000A9), ref: 00802D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00802D94

Strings

AutoIt v3 GUI, xrefs: 00802D23
TaskbarCreated, xrefs: 00802D37
0, xrefs: 00802CE9
+, xrefs: 00802CF0

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 9bee8c2309d32dc8a723a1441730b7d00e6e929c6165bfb4ce90161d07ee97f0
Instruction ID: df3db50f055d3b99cfb7b96d9ae8a5f2df3a49b760856df81af58cad61b356b1
Opcode Fuzzy Hash: 9bee8c2309d32dc8a723a1441730b7d00e6e929c6165bfb4ce90161d07ee97f0
Instruction Fuzzy Hash: 0F21B2B5902218BFDF00EFE4E859ADDBFB8FB08700F44821BE611A62A0D7B645448F91

Function 0084065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0084039A: CreateFileW.KERNELBASE(00000000,00000000,?,00840704,?,?,00000000,?,00840704,00000000,0000000C), ref: 008403B7

GetLastError.KERNEL32 ref: 0084076F
__dosmaperr.LIBCMT ref: 00840776
GetFileType.KERNELBASE(00000000), ref: 00840782
GetLastError.KERNEL32 ref: 0084078C
__dosmaperr.LIBCMT ref: 00840795
CloseHandle.KERNEL32(00000000), ref: 008407B5
CloseHandle.KERNEL32(?), ref: 008408FF
GetLastError.KERNEL32 ref: 00840931
__dosmaperr.LIBCMT ref: 00840938

Strings

H, xrefs: 008408BD

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 1d9362f0844e668fc375580547bac65ee41d61c80f265b9731a64bd836cb5001
Instruction ID: 6fc4ce6580266b2c815bd44000edc5743c418e8db57cb6b33cf86b47c9c8e583
Opcode Fuzzy Hash: 1d9362f0844e668fc375580547bac65ee41d61c80f265b9731a64bd836cb5001
Instruction Fuzzy Hash: 20A10432A041188FDF19AF68D851BAE7BA0FB46324F24015AF915DB3D2DB359812CF92

Function 0080344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00803A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,008D1418,?,00802E7F,?,?,?,00000000), ref: 00803A78

Part of subcall function 00803357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00803379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 0080356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0084318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 008431CE
RegCloseKey.ADVAPI32(?), ref: 00843210
_wcslen.LIBCMT ref: 00843277
_wcslen.LIBCMT ref: 00843286

Strings

Include, xrefs: 00843184, 008431C5
\, xrefs: 0084328C
\Include\, xrefs: 00803527
Software\AutoIt v3\AutoIt, xrefs: 00803560

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: a42413c27906075c509c71101cd347497f2e8cadd2cfb42762576b291c9384e6
Instruction ID: 893ee9e31a07382066c4631eb20e21af922257337beae35ede56a17b1148b438
Opcode Fuzzy Hash: a42413c27906075c509c71101cd347497f2e8cadd2cfb42762576b291c9384e6
Instruction Fuzzy Hash: 36717D715053059EC708EF69EC8296BBBE8FFA5340F40062EF555C32B1EB759A48CB62

Function 00802B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00802B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00802B9D
LoadIconW.USER32(00000063), ref: 00802BB3
LoadIconW.USER32(000000A4), ref: 00802BC5
LoadIconW.USER32(000000A2), ref: 00802BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00802BEF
RegisterClassExW.USER32(?), ref: 00802C40

Part of subcall function 00802CD4: GetSysColorBrush.USER32(0000000F), ref: 00802D07
Part of subcall function 00802CD4: RegisterClassExW.USER32(00000030), ref: 00802D31
Part of subcall function 00802CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00802D42
Part of subcall function 00802CD4: InitCommonControlsEx.COMCTL32(?), ref: 00802D5F
Part of subcall function 00802CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00802D6F
Part of subcall function 00802CD4: LoadIconW.USER32(000000A9), ref: 00802D85
Part of subcall function 00802CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00802D94

Strings

0, xrefs: 00802C0F
#, xrefs: 00802C16
AutoIt v3, xrefs: 00802C2F

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: f8044e34056d028948a556ce0dc0362133e23b67fe73bcdd79f30e8bb8674104
Instruction ID: f55872ac8698dee07965db42e0b70d3fe34a6d2b860c801ead410785b884de64
Opcode Fuzzy Hash: f8044e34056d028948a556ce0dc0362133e23b67fe73bcdd79f30e8bb8674104
Instruction Fuzzy Hash: 9C21F570A02318BBDF149FE9EC59AA97FB4FF48B50F44421BE604A67A0D7BA05408F90

Function 00803170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,0080316A,?,?), ref: 008031D8
KillTimer.USER32(?,00000001,?,?,?,?,?,0080316A,?,?), ref: 00803204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00803227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,0080316A,?,?), ref: 00803232
CreatePopupMenu.USER32 ref: 00803246
PostQuitMessage.USER32(00000000), ref: 00803267

Strings

TaskbarCreated, xrefs: 0080322D

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 4aac73e553e460ba11f172d02924ed5f59cab35bfb01a3df77be2b5814fb67dd
Instruction ID: 38f8e2aec67ed97606c0d76ba8f067471299283932bb78e5dbbd2d852525b570
Opcode Fuzzy Hash: 4aac73e553e460ba11f172d02924ed5f59cab35bfb01a3df77be2b5814fb67dd
Instruction Fuzzy Hash: 14412635244208BBDF556BBC9D2DB793B5DFF0A345F480227F902C62E1CB759A8097A2

Function 00801410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00801459
CoUninitialize.COMBASE ref: 008014F8
UnregisterHotKey.USER32(?), ref: 008016DD
DestroyWindow.USER32(?), ref: 008424B9
FreeLibrary.KERNEL32(?), ref: 0084251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0084254B

Strings

close all, xrefs: 00801454

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 9b28cfe246599b25a29e5cfd7848413a627686fa74612d123bb93437b1a4ac5c
Instruction ID: b283cd2e03e50bc79f42c6d1ed1a00f4aa240776d90164d8992a03f264b907c5
Opcode Fuzzy Hash: 9b28cfe246599b25a29e5cfd7848413a627686fa74612d123bb93437b1a4ac5c
Instruction Fuzzy Hash: 6AD19B30705212CFCB69EF18C899A29F7A4FF04714F5541ADE54AEB2A2DB31AC12CF51

Function 00802C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00802C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00802CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00801CAD,?), ref: 00802CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00801CAD,?), ref: 00802CCF

Strings

edit, xrefs: 00802CAC
AutoIt v3, xrefs: 00802C89, 00802C8E, 00802C8F

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: d906b69c6e79fbe2441b948d14a1e498dac6e11923b5ea00e23d8b40d68d2189
Instruction ID: e6c95941ec7491ce14f366181bda6ae87b1ea91f1e5401d054c67e5c12176d2f
Opcode Fuzzy Hash: d906b69c6e79fbe2441b948d14a1e498dac6e11923b5ea00e23d8b40d68d2189
Instruction Fuzzy Hash: FDF0DA756412907BEF35175BAC0CE772FBDFBC6F60B04015BF904A26A0C66A1850DAB0

Function 00832DF8 Relevance: 7.6, APIs: 5, Instructions: 53
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(?,?,?,0082F2DE,00833863,008D1444,?,0081FDF5,?,?,0080A976,00000010,008D1440,008013FC,?,008013C6), ref: 00832DFD
_free.LIBCMT ref: 00832E32
_free.LIBCMT ref: 00832E59
SetLastError.KERNEL32(00000000,00801129), ref: 00832E66
SetLastError.KERNEL32(00000000,00801129), ref: 00832E6F

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 2c96ed6fd8cb9f4a60b2b61f3c7f775b854dab8db4f2e0a5ab4a9762b6601972
Instruction ID: 947301319337a180b21aa59c433c480b885b843cdfbd15314ab002f15d3c9f72
Opcode Fuzzy Hash: 2c96ed6fd8cb9f4a60b2b61f3c7f775b854dab8db4f2e0a5ab4a9762b6601972
Instruction Fuzzy Hash: 560128322056006BCA1277797C47E2B2A6DFBC13B9F29012AF825E22D3EF789C0150E1

Function 00803B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00803B0F,SwapMouseButtons,00000004,?), ref: 00803B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00803B0F,SwapMouseButtons,00000004,?), ref: 00803B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00803B0F,SwapMouseButtons,00000004,?), ref: 00803B83

Strings

Control Panel\Mouse, xrefs: 00803B3E

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 8387b6d54281ee9edf4f51090876f6d7c7c78ea482ca1ab88598e85a3e8f65fe
Instruction ID: 31d3b99abb07cd05d85d3ae7d287de5ae419290bd85404e2ef2cafef4ed5511c
Opcode Fuzzy Hash: 8387b6d54281ee9edf4f51090876f6d7c7c78ea482ca1ab88598e85a3e8f65fe
Instruction Fuzzy Hash: 261127B5611208FFDB609FA5DC95AAEBBBCFF04768B10846AA805D7150E3319E449BA0

Function 00803923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 008433A2

Part of subcall function 00806B57: _wcslen.LIBCMT ref: 00806B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00803A04

Strings

Line: , xrefs: 008433EB

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: ecb6f14db0628872de36ba330db151cffd712fc4b6b1c70c2c08a57d2933cabf
Instruction ID: cd53ddb2646827d7abb12137d815533da8ab92d2a11ea3ae3a99134aa95cd498
Opcode Fuzzy Hash: ecb6f14db0628872de36ba330db151cffd712fc4b6b1c70c2c08a57d2933cabf
Instruction Fuzzy Hash: 25319E71509304AAC765EB28EC49BEBB7ACFF40714F00462AF599C22D1EB749659C7C3

Function 0081FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00820668

Part of subcall function 008232A4: RaiseException.KERNEL32(?,?,?,0082068A,?,008D1444,?,?,?,?,?,?,0082068A,00801129,008C8738,00801129), ref: 00823304

__CxxThrowException@8.LIBVCRUNTIME ref: 00820685

Strings

Unknown exception, xrefs: 00820692

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 54f7112472c2c33793ab24844eb404bf55dea68cbe2745d57f4bde1d6c244617
Instruction ID: 89637452946456fafae98775fce12132d324648d7ef0c9529e51c28d5a8f61b9
Opcode Fuzzy Hash: 54f7112472c2c33793ab24844eb404bf55dea68cbe2745d57f4bde1d6c244617
Instruction Fuzzy Hash: 8BF0AF2490031DA7CB00B6A8F856DAE7B6CFE10310B604535BA24D6593EF71DAE98982

Function 008010F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00801BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00801BF4
Part of subcall function 00801BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00801BFC
Part of subcall function 00801BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00801C07
Part of subcall function 00801BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00801C12
Part of subcall function 00801BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00801C1A
Part of subcall function 00801BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00801C22

Part of subcall function 00801B4A: RegisterWindowMessageW.USER32(00000004,?,008012C4), ref: 00801BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0080136A
OleInitialize.OLE32 ref: 00801388
CloseHandle.KERNEL32(00000000,00000000), ref: 008424AB

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 86ac691611fa658be3a7f54ed461e07f4acb96345998f818e464420cff46134a
Instruction ID: 62c053fbaa498c22c967736a51d5f3170d64f3c78805b9d86a5d442e76b34cb8
Opcode Fuzzy Hash: 86ac691611fa658be3a7f54ed461e07f4acb96345998f818e464420cff46134a
Instruction Fuzzy Hash: 037187B4A12200AECF84EFA9B94D6593BF6FF88354744832BD11AC72A2EB384444CF45

Function 0086C161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00803923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00803A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0086C259
KillTimer.USER32(?,00000001,?,?), ref: 0086C261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0086C270

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: 13814ad846350d14d3e01af308a80383a92d67cdee6c1ad746176a0ac16342ff
Instruction ID: 4d921400b69d4f6fd7d02e110b93c162a6f87889c6490365e6d47badf3786ea2
Opcode Fuzzy Hash: 13814ad846350d14d3e01af308a80383a92d67cdee6c1ad746176a0ac16342ff
Instruction Fuzzy Hash: 40317370904354AFEB229F649895BE7BBECFF06308F05049AD6DAE7241C7745A84CB51

Function 008386AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,008385CC,?,008C8CC8,0000000C), ref: 00838704
GetLastError.KERNEL32(?,008385CC,?,008C8CC8,0000000C), ref: 0083870E
__dosmaperr.LIBCMT ref: 00838739

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: 21309dbe6dca1ae4e4102069e98f4c453672324aaad13dd10268e1ee61547072
Instruction ID: f0885a963a080055d05a60c6c3498d49ef7968c0b0763da95a441824c0ec279c
Opcode Fuzzy Hash: 21309dbe6dca1ae4e4102069e98f4c453672324aaad13dd10268e1ee61547072
Instruction Fuzzy Hash: C0012B3260572097D6246338694A77E6759FBD2778F39021EF815CB2D2EEA18C8181D1

Function 0080DB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 0080DB7B
DispatchMessageW.USER32(?), ref: 0080DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0080DB9F
Sleep.KERNELBASE(0000000A), ref: 0080DBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 00851CC9

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: 06a05c2dae178bb6d1111eaeb21bdc19206b2b841cf06b682827c9775ebc1dfc
Instruction ID: ec411767df4fc7244570706bf412f2cc5cca364a82466a9981ea089c9b6cad3e
Opcode Fuzzy Hash: 06a05c2dae178bb6d1111eaeb21bdc19206b2b841cf06b682827c9775ebc1dfc
Instruction Fuzzy Hash: 5CF05430604344ABEB70D7E48C59FEA73ACFF44311F144625E619C30C0DB319448DB15

Function 00811310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 008117F6

Strings

CALL, xrefs: 008117C6

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 684a1b66f987d986d5df081844b420365a578de4d52a19b0747fee7d0b00bf5f
Instruction ID: 9868fa37f90d6841fdd3669ee0d46e6c3ed874c22d7e9ae8ab0515bd073cec81
Opcode Fuzzy Hash: 684a1b66f987d986d5df081844b420365a578de4d52a19b0747fee7d0b00bf5f
Instruction Fuzzy Hash: 3F228D706082019FCB14DF18C484AAABBF6FF95314F54896DF996CB3A2D731E895CB42

Function 00802DE3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00842C8C

Part of subcall function 00803AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00803A97,?,?,00802E7F,?,?,?,00000000), ref: 00803AC2

Part of subcall function 00802DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00802DC4

Strings

X, xrefs: 00842C5A

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: ce6e067db539c5657cd144fc15c87f1502aa9ccafb65463d04e9e09ce6bcea27
Instruction ID: 657a949650e6b9a07b9e89d19888cb7476467baa411abfc62a6e88b36d5fbdee
Opcode Fuzzy Hash: ce6e067db539c5657cd144fc15c87f1502aa9ccafb65463d04e9e09ce6bcea27
Instruction Fuzzy Hash: AB218471A0025C9ADB45EF98CC49BDE7BB8FF49314F00405AE505E7281DBB499998B61

Function 00803837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00803908

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 6f05aed33059bec3cc3b049dfa6284592dd6b61976aed1f7d528db3b04ff4fa6
Instruction ID: c20cf37dd8f66fe58e95674bc7b76054eaabd340bfa437d5d3ab82625db6c552
Opcode Fuzzy Hash: 6f05aed33059bec3cc3b049dfa6284592dd6b61976aed1f7d528db3b04ff4fa6
Instruction Fuzzy Hash: D3317C706057019FD760DF24D888797BBE8FB49708F000A6EF59AC3390E775AA44CB52

Function 0081F645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0081F661

Part of subcall function 0080D730: GetInputState.USER32 ref: 0080D807

Sleep.KERNEL32(00000000), ref: 0085F2DE

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: 10d35a0785a306a4af7e216dc1ce67300e643d9a9960b2e10a3d8437284135ee
Instruction ID: ff47775cdeee85e1e4db5ff9c95332c2723e9bcc165af3a88bf0988aa738ec2b
Opcode Fuzzy Hash: 10d35a0785a306a4af7e216dc1ce67300e643d9a9960b2e10a3d8437284135ee
Instruction Fuzzy Hash: E8F08C71240205AFD350FF69D849B6AB7E8FF49761F00006AE85DC73A1DB70AC00CB91

Function 00804ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00804E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00804EDD,?,008D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00804E9C
Part of subcall function 00804E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00804EAE
Part of subcall function 00804E90: FreeLibrary.KERNEL32(00000000,?,?,00804EDD,?,008D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00804EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,008D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00804EFD

Part of subcall function 00804E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00843CDE,?,008D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00804E62
Part of subcall function 00804E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00804E74
Part of subcall function 00804E59: FreeLibrary.KERNEL32(00000000,?,?,00843CDE,?,008D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00804E87

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: e3f93ca5fbeff3a724c9f63929a43d1cf516271c9ca1bdfe460d024ae6886496
Instruction ID: d38c14d517267b7300559f5c2ac08fea5fdae2bfdf3748b07cb449f584851da8
Opcode Fuzzy Hash: e3f93ca5fbeff3a724c9f63929a43d1cf516271c9ca1bdfe460d024ae6886496
Instruction Fuzzy Hash: DB1123B2640206AACF20BB68DC03FAD77A5FF40711F10842EF642E61C1EEB19A049B52

Function 00838402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00838440

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 23706d2a297f3054b8549b17d697751e836af98166d6b4cd67e14e08a24c0a23
Instruction ID: ee36ca4796ca84cd5fd59d3020713b597c47fa7d0358672cb5abb6f49d926f20
Opcode Fuzzy Hash: 23706d2a297f3054b8549b17d697751e836af98166d6b4cd67e14e08a24c0a23
Instruction Fuzzy Hash: 5711067590420AEFCF15DF58E94199A7BF9FF88314F104059F808EB312DA31DA118BA5

Function 0082E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 851a8655385276aef9014ca9ce64b1e2fe5f639e1a4de4827b2490e01f03d140
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: 8DF0D132510A34A6C6313E6DAC15B5A3798FFA2335F100725F821D22D2DA74A881C6EA

Function 00834C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00801129,00000000,?,00832E29,00000001,00000364,?,?,?,0082F2DE,00833863,008D1444,?,0081FDF5,?), ref: 00834CBE

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 33a5bd2fade072d22981a63530a5f2db6370380cebb4ff53b5a4dd1bde7502d8
Instruction ID: a069b476b3ab06aaec086e6c167aed04d7bcc28140c88ac4b4423bd5b9072d21
Opcode Fuzzy Hash: 33a5bd2fade072d22981a63530a5f2db6370380cebb4ff53b5a4dd1bde7502d8
Instruction Fuzzy Hash: 82F0B431603234A7DB215F66AC09B5A3788FFC17A0F157122B815E6291CAB1FC0386E1

Function 00833820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,008D1444,?,0081FDF5,?,?,0080A976,00000010,008D1440,008013FC,?,008013C6,?,00801129), ref: 00833852

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 56d55048caafc8db54be9552bb9301890e2d316415faa0e301810620c93acae8
Instruction ID: ade356c16376ee50ecaadcf1537fccf20bfd578f0ce23805217619a57c4369bf
Opcode Fuzzy Hash: 56d55048caafc8db54be9552bb9301890e2d316415faa0e301810620c93acae8
Instruction Fuzzy Hash: 06E0E531101234A7EA212AAAAC04B9A3748FFC27B0F050131BD14D25A1CB61DE0181E5

Function 00804F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,008D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00804F6D

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: b0e4c6d1fa0a2395400e2e887635ccf2422077867cfcc4acf2937a3a59b3e05c
Instruction ID: c35af79f8ac3e735dea3417aff2224d6032f1dfb26fe883ad36175beb715972c
Opcode Fuzzy Hash: b0e4c6d1fa0a2395400e2e887635ccf2422077867cfcc4acf2937a3a59b3e05c
Instruction Fuzzy Hash: 02F039B1145752CFDB749F64E890822BBE4FF14329324997EE3EAC2661CB329884DF10

Function 00892A55 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00892A66

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: 92ae2fce7b99156ddbfc3fe7785e7ac71f9798c135d3c53e1a8964c88c7cbaf9
Instruction ID: 7ad4ea13fd6c14b8da59927921890f427722dd9813a916345d1c6b540b221861
Opcode Fuzzy Hash: 92ae2fce7b99156ddbfc3fe7785e7ac71f9798c135d3c53e1a8964c88c7cbaf9
Instruction Fuzzy Hash: 9AE04F7735412ABACB14FA34DC809FE779CFB61399714453AAC1AC2540DB30999586A0

Function 008030F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 0080314E

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: b529ff287568d5dd85abaf739331581522f65a099f799e06fddbdeb53eba6e2c
Instruction ID: b072315c2716c10c96f63da866f502b2f2b74f40f035ce41a88a95f6fe2df49e
Opcode Fuzzy Hash: b529ff287568d5dd85abaf739331581522f65a099f799e06fddbdeb53eba6e2c
Instruction Fuzzy Hash: 97F03770A14314AFEB56DB24DC497D57BBCBB05708F0401E6E548D6291D7745788CF51

Function 00802DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00802DC4

Part of subcall function 00806B57: _wcslen.LIBCMT ref: 00806B6A

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: fd9e3334b28eb8db331c67e95b5d439942c68ca17e72d7b68a4adad76397c1cb
Instruction ID: 858986f5f442de7eb73410e9bfff685936a779b7384f81cf979899d16d2aa7b8
Opcode Fuzzy Hash: fd9e3334b28eb8db331c67e95b5d439942c68ca17e72d7b68a4adad76397c1cb
Instruction Fuzzy Hash: 72E0CD726001245BCB10E79C9C05FDA77DDFFC8790F040071FD09D7248DE60AD848551

Function 00802B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00803837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00803908

Part of subcall function 0080D730: GetInputState.USER32 ref: 0080D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00802B6B

Part of subcall function 008030F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 0080314E

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: f13a2bab8090b92138c915b30f968fa9d90ed55c0323cb25ec8249f670abcecf
Instruction ID: d85155a290440a413154086bf87ec154194f5424e485b5572ed7ecf39822d219
Opcode Fuzzy Hash: f13a2bab8090b92138c915b30f968fa9d90ed55c0323cb25ec8249f670abcecf
Instruction Fuzzy Hash: DEE04F2120424416CA44BBA89C5656DA75AFF95351F40563FF142C22E3CE6545494253

Function 0084039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00840704,?,?,00000000,?,00840704,00000000,0000000C), ref: 008403B7

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 28f5b7073634626168d1ec16c08f0a2673901c4679c8af837fba16f76b82ff53
Instruction ID: f542be9cb611d7b903a5267135741704c902b5721b6b4d412979159f1caed584
Opcode Fuzzy Hash: 28f5b7073634626168d1ec16c08f0a2673901c4679c8af837fba16f76b82ff53
Instruction Fuzzy Hash: 74D06C3204010DBBDF029F84DD06EDA3BAAFB48714F014000BE1856020C732E821AB94

Function 00801CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00801CBC

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: b9bb6e47159819e35484c1c813c1d92e16a87c426a3aee45bdde00d31f55fc3d
Instruction ID: ef5b4b9eb0b2dccfee2f2b68eaf0e31366e84edc7afcb3ac560b13a00a23b26f
Opcode Fuzzy Hash: b9bb6e47159819e35484c1c813c1d92e16a87c426a3aee45bdde00d31f55fc3d
Instruction Fuzzy Hash: E2C09236281304AFF6189B84BC4EF107764B758B00F488203F609A96E3C3A22820EA50

Non-executed Functions

Function 00899576 Relevance: 72.4, APIs: 39, Strings: 2, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00819BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00819BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0089961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0089965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0089969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 008996C9
SendMessageW.USER32 ref: 008996F2
GetKeyState.USER32(00000011), ref: 0089978B
GetKeyState.USER32(00000009), ref: 00899798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 008997AE
GetKeyState.USER32(00000010), ref: 008997B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 008997E9
SendMessageW.USER32 ref: 00899810
SendMessageW.USER32(?,00001030,?,00897E95), ref: 00899918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0089992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00899941
SetCapture.USER32(?), ref: 0089994A
ClientToScreen.USER32(?,?), ref: 008999AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 008999BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 008999D6
ReleaseCapture.USER32 ref: 008999E1
GetCursorPos.USER32(?), ref: 00899A19
ScreenToClient.USER32(?,?), ref: 00899A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00899A80
SendMessageW.USER32 ref: 00899AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00899AEB
SendMessageW.USER32 ref: 00899B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00899B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00899B4A
GetCursorPos.USER32(?), ref: 00899B68
ScreenToClient.USER32(?,?), ref: 00899B75
GetParent.USER32(?), ref: 00899B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00899BFA
SendMessageW.USER32 ref: 00899C2B
ClientToScreen.USER32(?,?), ref: 00899C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00899CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00899CDE
SendMessageW.USER32 ref: 00899D01
ClientToScreen.USER32(?,?), ref: 00899D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00899D82

Part of subcall function 00819944: GetWindowLongW.USER32(?,000000EB), ref: 00819952

GetWindowLongW.USER32(?,000000F0), ref: 00899E05

Strings

F, xrefs: 00899D07
@GUI_DRAGID, xrefs: 0089997D

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F
API String ID: 3429851547-4164748364
Opcode ID: 621e95c1e8588867a217cee80fc642b7ca3ac2ba02599fd8a2a5764f0ab8dff9
Instruction ID: 4dfad334bc93eb3ba9dd3ee529ce6535f040f422421d5450656af47f70d62004
Opcode Fuzzy Hash: 621e95c1e8588867a217cee80fc642b7ca3ac2ba02599fd8a2a5764f0ab8dff9
Instruction Fuzzy Hash: E4429F35204201AFDB25EF68CC58EAABBE5FF59314F18061EF599C72A1E731E850CB52

Function 00894873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 008948F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00894908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00894927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 0089494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 0089495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 0089497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 008949AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 008949D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00894A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00894A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00894A7E
IsMenu.USER32(?), ref: 00894A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00894AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00894B20
GetWindowLongW.USER32(?,000000F0), ref: 00894B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00894BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00894C82
wsprintfW.USER32 ref: 00894CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00894CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00894CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00894D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00894D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00894D5A

Strings

%d/%02d/%02d, xrefs: 00894CA8

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: fac5591cfa35e02d860d9cd9b0175a16a9a2dc1b8374225118b04bc1868ac1d1
Instruction ID: 16b06ea0a39e2583efc46c3c182997a1da7e3fcbf883a6743c7f9008560b14ff
Opcode Fuzzy Hash: fac5591cfa35e02d860d9cd9b0175a16a9a2dc1b8374225118b04bc1868ac1d1
Instruction Fuzzy Hash: 2812EE71600218AFEF25AF28CC49FAE7BE8FF45314F185129F516EA2E1DB749942CB50

Function 0081F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 0081F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0085F474
IsIconic.USER32(00000000), ref: 0085F47D
ShowWindow.USER32(00000000,00000009), ref: 0085F48A
SetForegroundWindow.USER32(00000000), ref: 0085F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0085F4AA
GetCurrentThreadId.KERNEL32 ref: 0085F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0085F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 0085F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0085F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0085F4DE
SetForegroundWindow.USER32(00000000), ref: 0085F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 0085F4F6
keybd_event.USER32(00000012,00000000), ref: 0085F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 0085F50B
keybd_event.USER32(00000012,00000000), ref: 0085F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 0085F519
keybd_event.USER32(00000012,00000000), ref: 0085F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 0085F528
keybd_event.USER32(00000012,00000000), ref: 0085F52D
SetForegroundWindow.USER32(00000000), ref: 0085F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 0085F557

Strings

Shell_TrayWnd, xrefs: 0085F46F

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 103f0fa4a5e4cf637bd3ea3fd194522977abf9fc27ac0430a3edf67059e447bb
Instruction ID: b88f8e8369836293d9da5d45806ea2b2605b04fc6c010d4c4076a08355d9d8ed
Opcode Fuzzy Hash: 103f0fa4a5e4cf637bd3ea3fd194522977abf9fc27ac0430a3edf67059e447bb
Instruction Fuzzy Hash: DE317071A40218BBEB217BB55C4AFBF7E6CFB44B50F14002AFB00E61D1D6B15D00AA60

Function 00861201 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 008616C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0086170D
Part of subcall function 008616C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0086173A
Part of subcall function 008616C3: GetLastError.KERNEL32 ref: 0086174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00861286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 008612A8
CloseHandle.KERNEL32(?), ref: 008612B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 008612D1
GetProcessWindowStation.USER32 ref: 008612EA
SetProcessWindowStation.USER32(00000000), ref: 008612F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00861310

Part of subcall function 008610BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,008611FC), ref: 008610D4
Part of subcall function 008610BF: CloseHandle.KERNEL32(?,?,008611FC), ref: 008610E9

Strings

, xrefs: 0086125A
default, xrefs: 0086130B
winsta0, xrefs: 008612CC

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: 1acfce8194e503c1eccdda11c3dd936c929080abd064d97bbb46ac6178be27a4
Instruction ID: 20d807c726f754ab3af709cdc21bdc003827019392754ae8ae500f6c51e125b0
Opcode Fuzzy Hash: 1acfce8194e503c1eccdda11c3dd936c929080abd064d97bbb46ac6178be27a4
Instruction Fuzzy Hash: D0819E71900208AFDF119FA8DC49FEE7BBAFF04704F19412AF910E62A2DB758944CB25

Function 00860B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 008610F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00861114
Part of subcall function 008610F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00860B9B,?,?,?), ref: 00861120
Part of subcall function 008610F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00860B9B,?,?,?), ref: 0086112F
Part of subcall function 008610F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00860B9B,?,?,?), ref: 00861136
Part of subcall function 008610F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0086114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00860BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00860C00
GetLengthSid.ADVAPI32(?), ref: 00860C17
GetAce.ADVAPI32(?,00000000,?), ref: 00860C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00860C6D
GetLengthSid.ADVAPI32(?), ref: 00860C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00860C8C
HeapAlloc.KERNEL32(00000000), ref: 00860C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00860CB4
CopySid.ADVAPI32(00000000), ref: 00860CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00860CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00860D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00860D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00860D45
HeapFree.KERNEL32(00000000), ref: 00860D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00860D55
HeapFree.KERNEL32(00000000), ref: 00860D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00860D65
HeapFree.KERNEL32(00000000), ref: 00860D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00860D78
HeapFree.KERNEL32(00000000), ref: 00860D7F

Part of subcall function 00861193: GetProcessHeap.KERNEL32(00000008,00860BB1,?,00000000,?,00860BB1,?), ref: 008611A1
Part of subcall function 00861193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00860BB1,?), ref: 008611A8
Part of subcall function 00861193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00860BB1,?), ref: 008611B7

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: d62433effb1e3cd9bdc2f06102b299e1ec4c6d3dd7fa41bf73ada5e3aec13518
Instruction ID: 4f21c75884f1662eec6cdec0b87f786238c84454a043411ce855ed22a990479f
Opcode Fuzzy Hash: d62433effb1e3cd9bdc2f06102b299e1ec4c6d3dd7fa41bf73ada5e3aec13518
Instruction Fuzzy Hash: 81715A7290020AAFEF10EFA4DC48BAFBBB8FF05300F194616E915E6191D776A905CF64

Function 0087EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0089CC08), ref: 0087EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 0087EB37
GetClipboardData.USER32(0000000D), ref: 0087EB43
CloseClipboard.USER32 ref: 0087EB4F
GlobalLock.KERNEL32(00000000), ref: 0087EB87
CloseClipboard.USER32 ref: 0087EB91
GlobalUnlock.KERNEL32(00000000), ref: 0087EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 0087EBC9
GetClipboardData.USER32(00000001), ref: 0087EBD1
GlobalLock.KERNEL32(00000000), ref: 0087EBE2
GlobalUnlock.KERNEL32(00000000), ref: 0087EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 0087EC38
GetClipboardData.USER32(0000000F), ref: 0087EC44
GlobalLock.KERNEL32(00000000), ref: 0087EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0087EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0087EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0087ECD2
GlobalUnlock.KERNEL32(00000000), ref: 0087ECF3
CountClipboardFormats.USER32 ref: 0087ED14
CloseClipboard.USER32 ref: 0087ED59

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: d319918019aaf93f46c68259479b6f5c07b8d6bbecea400324c32835f9950f57
Instruction ID: 584cc4240ac48c75bc97515683dc6f219c7169ab2060fb24c4c4ce5acd7d4e88
Opcode Fuzzy Hash: d319918019aaf93f46c68259479b6f5c07b8d6bbecea400324c32835f9950f57
Instruction Fuzzy Hash: F661BF342042059FD311EF68DC85F2A7BA4FF88714F18859EF45AD72A6DB32D905CBA2

Function 0087698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 008769BE
FindClose.KERNEL32(00000000), ref: 00876A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00876A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00876A75

Part of subcall function 00809CB3: _wcslen.LIBCMT ref: 00809CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00876AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00876ADF

Strings

%4d, xrefs: 00876BB1
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00876B32
%03d, xrefs: 00876DA2
%02d, xrefs: 00876C00, 00876C0A, 00876C5A, 00876CAA, 00876CFA, 00876D4A
%4d%02d%02d%02d%02d%02d, xrefs: 00876B6A

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: e9f85cce75af134d9433014a4055c05bc23cc539c5d258a64670b55d291dca0e
Instruction ID: 01f899b47229a9465e70ad03e6996172ef875e3ab2ae5a43bc91c12ab1417b37
Opcode Fuzzy Hash: e9f85cce75af134d9433014a4055c05bc23cc539c5d258a64670b55d291dca0e
Instruction Fuzzy Hash: 9DD12E72908340AEC754EBA4CC81EABB7ECFF88704F444919F589D6192EB74DA44CB63

Function 00879642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00879663
GetFileAttributesW.KERNEL32(?), ref: 008796A1
SetFileAttributesW.KERNEL32(?,?), ref: 008796BB
FindNextFileW.KERNEL32(00000000,?), ref: 008796D3
FindClose.KERNEL32(00000000), ref: 008796DE
FindFirstFileW.KERNEL32(*.*,?), ref: 008796FA
SetCurrentDirectoryW.KERNEL32(?), ref: 0087974A
SetCurrentDirectoryW.KERNEL32(008C6B7C), ref: 00879768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00879772
FindClose.KERNEL32(00000000), ref: 0087977F
FindClose.KERNEL32(00000000), ref: 0087978F

Strings

*.*, xrefs: 008796F5

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 97f6999149a66f7aa26954e3f87959b7f1006e0086646ae05b6d2007d7aa216d
Instruction ID: e26f1727d1113ee532d5dc55384c92dfddf102de5e4d7384dbc3f200c1e00477
Opcode Fuzzy Hash: 97f6999149a66f7aa26954e3f87959b7f1006e0086646ae05b6d2007d7aa216d
Instruction Fuzzy Hash: AB31D3325412196BDF14EFB4EC48EDE77ACFF09360F148166F859E21A0EB35DE808A20

Function 0087979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 008797BE
FindNextFileW.KERNEL32(00000000,?), ref: 00879819
FindClose.KERNEL32(00000000), ref: 00879824
FindFirstFileW.KERNEL32(*.*,?), ref: 00879840
SetCurrentDirectoryW.KERNEL32(?), ref: 00879890
SetCurrentDirectoryW.KERNEL32(008C6B7C), ref: 008798AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 008798B8
FindClose.KERNEL32(00000000), ref: 008798C5
FindClose.KERNEL32(00000000), ref: 008798D5

Part of subcall function 0086DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0086DB00

Strings

*.*, xrefs: 0087983B

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 02f78ecf8d91d72c9300791b7d3e34b91198291bd2be9348986e5b6ca8995586
Instruction ID: c9ea57fd90de20aa36d714c4557ac3170f9bbf10353c9eb3438b5d16ef087184
Opcode Fuzzy Hash: 02f78ecf8d91d72c9300791b7d3e34b91198291bd2be9348986e5b6ca8995586
Instruction Fuzzy Hash: 5231A3315416196ADF10EFB4EC48EDE77BCFF06324F1481A6E898E21D4EB35DD848A61

Function 0088BE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0088C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0088B6AE,?,?), ref: 0088C9B5
Part of subcall function 0088C998: _wcslen.LIBCMT ref: 0088C9F1
Part of subcall function 0088C998: _wcslen.LIBCMT ref: 0088CA68
Part of subcall function 0088C998: _wcslen.LIBCMT ref: 0088CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0088BF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 0088BFA9
RegCloseKey.ADVAPI32(00000000), ref: 0088BFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0088C02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 0088C0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0088C154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0088C1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 0088C23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0088C2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0088C382
RegCloseKey.ADVAPI32(00000000), ref: 0088C38F

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: 76f4afc8d27afd3cdb0f462bad237337b6384ac2f4aa8f3246316aec061b399a
Instruction ID: af881848d26e516d9987a1cd957ccc207116f09a4ea467637697ea57727a2d1f
Opcode Fuzzy Hash: 76f4afc8d27afd3cdb0f462bad237337b6384ac2f4aa8f3246316aec061b399a
Instruction Fuzzy Hash: AD024D716042009FD754DF28C895E2ABBE5FF89318F18849DF449DB2A6DB31EC46CB62

Function 00878195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00878257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00878267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00878273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00878310
SetCurrentDirectoryW.KERNEL32(?), ref: 00878324
SetCurrentDirectoryW.KERNEL32(?), ref: 00878356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0087838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00878395

Strings

*.*, xrefs: 0087839B

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: b4db26b6674af27a51b59523c90cada6380395e80388b71a646350d83b836d5a
Instruction ID: 4b1c08d9d7f97117a60d3819a1482d3300d11a6ced6e2e1622792a6909759033
Opcode Fuzzy Hash: b4db26b6674af27a51b59523c90cada6380395e80388b71a646350d83b836d5a
Instruction Fuzzy Hash: B5616CB25043059FDB10EF68C8849AEB3E8FF89314F04891EF999C7251DB31E945CB92

Function 0086D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00803AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00803A97,?,?,00802E7F,?,?,?,00000000), ref: 00803AC2

Part of subcall function 0086E199: GetFileAttributesW.KERNEL32(?,0086CF95), ref: 0086E19A

FindFirstFileW.KERNEL32(?,?), ref: 0086D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0086D1DD
MoveFileW.KERNEL32(?,?), ref: 0086D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 0086D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 0086D237

Part of subcall function 0086D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0086D21C,?,?), ref: 0086D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 0086D253
FindClose.KERNEL32(00000000), ref: 0086D264

Strings

\*.*, xrefs: 0086D0CD, 0086D0D6, 0086D0EB

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 3f9f78df43a4669556f4633f822f6b6197779dcbde995f3016d41a0bf61da60b
Instruction ID: ebd2419785aef5cff6586c502c42717395fefe43213c40d5450c9b27066eb28f
Opcode Fuzzy Hash: 3f9f78df43a4669556f4633f822f6b6197779dcbde995f3016d41a0bf61da60b
Instruction Fuzzy Hash: 5B613931D012099ACF05EBA4DD929EEB779FF55300F254165E402B7292EB31AF09CB62

Function 0087ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0087ED91
EmptyClipboard.USER32 ref: 0087ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 0087EDAC
CloseClipboard.USER32 ref: 0087EEA3

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 45e87235d99f52ab67207674e6946b8fcd36e4878bd630c041b6868821130c48
Instruction ID: 0d7789358ef6ffc6912ae414466614b86d8f998b65973685f21bfba5c858854d
Opcode Fuzzy Hash: 45e87235d99f52ab67207674e6946b8fcd36e4878bd630c041b6868821130c48
Instruction Fuzzy Hash: D0418035604611AFE721DF19D888B19BBE5FF48318F18C49EE419CB6A2CB76EC41CB91

Function 0086E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 008616C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0086170D
Part of subcall function 008616C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0086173A
Part of subcall function 008616C3: GetLastError.KERNEL32 ref: 0086174A

ExitWindowsEx.USER32(?,00000000), ref: 0086E932

Strings

, xrefs: 0086E920
, xrefs: 0086E95C
@, xrefs: 0086E925
SeShutdownPrivilege, xrefs: 0086E902

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: a266fe3171461b658648bdab235942d437891742a447ad1f5394e4e4666bdb56
Instruction ID: ac15834ca35ec127470f99f04e11d643c3594ee5022af1d7a6450850d5bcf320
Opcode Fuzzy Hash: a266fe3171461b658648bdab235942d437891742a447ad1f5394e4e4666bdb56
Instruction Fuzzy Hash: 1901D676610215ABFB5466B99C8AFBB776CFF14754F1B0422F812E21D2E6A25C4085A0

Function 00881204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006), ref: 00881276
WSAGetLastError.WSOCK32 ref: 00881283
bind.WSOCK32(00000000,?,00000010), ref: 008812BA
WSAGetLastError.WSOCK32 ref: 008812C5
closesocket.WSOCK32(00000000), ref: 008812F4
listen.WSOCK32(00000000,00000005), ref: 00881303
WSAGetLastError.WSOCK32 ref: 0088130D
closesocket.WSOCK32(00000000), ref: 0088133C

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 926abcf1a6504d74125e2c9a06768d9dc3395af7e292ef737d5bae59a205eb4b
Instruction ID: 6b5a18c7c571bb828fc009fdb67c6e8933e07eb314b25f3927a4e373a70d36eb
Opcode Fuzzy Hash: 926abcf1a6504d74125e2c9a06768d9dc3395af7e292ef737d5bae59a205eb4b
Instruction Fuzzy Hash: 004171316001109FDB10EF68C888B69BBE5FF46318F188199D856DF2D6CB71ED82CBA1

Function 0086D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00803AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00803A97,?,?,00802E7F,?,?,?,00000000), ref: 00803AC2

Part of subcall function 0086E199: GetFileAttributesW.KERNEL32(?,0086CF95), ref: 0086E19A

FindFirstFileW.KERNEL32(?,?), ref: 0086D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 0086D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 0086D481
FindClose.KERNEL32(00000000), ref: 0086D498
FindClose.KERNEL32(00000000), ref: 0086D4A1

Strings

\*.*, xrefs: 0086D3F2

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 7fc9811891ec2939239999124fa23b85e069347779c6b10647fbee5f5344f65d
Instruction ID: ef371fc391cc56e1a5ee749458786d29855e32ea633d8113016824696267fcc8
Opcode Fuzzy Hash: 7fc9811891ec2939239999124fa23b85e069347779c6b10647fbee5f5344f65d
Instruction Fuzzy Hash: 95316D315083459BC204EF68DC919AFB7A8FE91304F454A2EF4D1D2291EB31AA098B67

Function 0083E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0083E645

Strings

1#SNAN, xrefs: 0083F844
1#QNAN, xrefs: 0083F84B
1#IND, xrefs: 0083F83D
1#INF, xrefs: 0083F852

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: ce27de4e4eba6133a24b1c6175196eb8df05a0d12fadbfbc29b5a2696864ac8e
Instruction ID: 686beceb53efb13a4d3c78f2d3f61a561f2826303e12655410b3a97e3e5d6cb6
Opcode Fuzzy Hash: ce27de4e4eba6133a24b1c6175196eb8df05a0d12fadbfbc29b5a2696864ac8e
Instruction Fuzzy Hash: 7EC22A71E086298FDB25CE28DD407EAB7B5FB85305F1441EAD94DE7281E774AE818F80

Function 0087648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 008764DC
CoInitialize.OLE32(00000000), ref: 00876639
CoCreateInstance.OLE32(0089FCF8,00000000,00000001,0089FB68,?), ref: 00876650
CoUninitialize.OLE32 ref: 008768D4

Strings

.lnk, xrefs: 008764BA, 00876524, 008765E0

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 73b4f3bfc89af78b3dfe7a2b0fe1b873102d47f84e862e5e9a35c9c55516300d
Instruction ID: 134dcfa0e9f99065f84fd03d9d2140a88952747ba9913d21ef05a93a04cfdf63
Opcode Fuzzy Hash: 73b4f3bfc89af78b3dfe7a2b0fe1b873102d47f84e862e5e9a35c9c55516300d
Instruction Fuzzy Hash: B8D149715086019FD304EF28C881E6BB7E8FF94704F14896DF599CB2A2EB71E905CB92

Function 008822DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 008822E8

Part of subcall function 0087E4EC: GetWindowRect.USER32(?,?), ref: 0087E504

GetDesktopWindow.USER32 ref: 00882312
GetWindowRect.USER32(00000000), ref: 00882319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00882355
GetCursorPos.USER32(?), ref: 00882381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 008823DF

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: b6f1770371e08de991a8f0dfe43309d78827c13ebe70437a3f2f8ef6838d83bb
Instruction ID: d9ee9779b0a4849d4d521afedabb6632b5bacc31187ad13609e581363ca30d6b
Opcode Fuzzy Hash: b6f1770371e08de991a8f0dfe43309d78827c13ebe70437a3f2f8ef6838d83bb
Instruction Fuzzy Hash: 9031C072504315AFDB20EF58C849B5BBBA9FF88314F04091EF985D7291DB35EA09CB92

Function 00879B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00809CB3: _wcslen.LIBCMT ref: 00809CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00879B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00879C8B

Part of subcall function 00873874: GetInputState.USER32 ref: 008738CB
Part of subcall function 00873874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00873966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00879BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00879C75

Strings

*.*, xrefs: 00879B5D

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 7a8a3b02f30c80e2e894b95e9bfd6ca01c906199275f706b808db93a1bd73084
Instruction ID: 4a7401e61ada8a65dee9a6d63e58f4c40206a92feb258a96267a9eb12e97c458
Opcode Fuzzy Hash: 7a8a3b02f30c80e2e894b95e9bfd6ca01c906199275f706b808db93a1bd73084
Instruction Fuzzy Hash: 714160719002099FCF55DFA4C985AEE7BB8FF45310F148056E459E2295EB31DE84CF61

Function 0081997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00819BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00819BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00819A4E
GetSysColor.USER32(0000000F), ref: 00819B23
SetBkColor.GDI32(?,00000000), ref: 00819B36

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 65a19ffa38e755fa767c406ca18e92316610faa377d283b5273b4e0cdc9c22e5
Instruction ID: 18a9a1c448ef53062bb65152a896cdd3a9a2485c19b64d10f9fbbe091fc0b4fc
Opcode Fuzzy Hash: 65a19ffa38e755fa767c406ca18e92316610faa377d283b5273b4e0cdc9c22e5
Instruction Fuzzy Hash: BEA15070209428BEEB24AA3CAC78DFB3B9DFF46315F154219F582C65D1CA259D89C272

Function 00881806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0088304E: inet_addr.WSOCK32(?), ref: 0088307A
Part of subcall function 0088304E: _wcslen.LIBCMT ref: 0088309B

socket.WSOCK32(00000002,00000002,00000011), ref: 0088185D
WSAGetLastError.WSOCK32 ref: 00881884
bind.WSOCK32(00000000,?,00000010), ref: 008818DB
WSAGetLastError.WSOCK32 ref: 008818E6
closesocket.WSOCK32(00000000), ref: 00881915

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 4a0a809bd0998ededee9df1843f0bb4ea965c4825c47c899ddcf615fdf6e0730
Instruction ID: e7f947592fb5f0070e0c12a96070e10750b3599033c47749e5424763892cd7d8
Opcode Fuzzy Hash: 4a0a809bd0998ededee9df1843f0bb4ea965c4825c47c899ddcf615fdf6e0730
Instruction Fuzzy Hash: C7518371A002105FDB10AF28CC86F6A77A9FB44718F588458F905DF3D3DB71AD428BA2

Function 00891C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00891CC0
IsWindowEnabled.USER32 ref: 00891CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00891CDB
IsIconic.USER32 ref: 00891CE9
IsZoomed.USER32 ref: 00891CF7

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 435ea4b1ff01736312d3c99cebcefa362a0222bff224ad69b826c4de7f18e4a7
Instruction ID: ddaba73d0a6ceae8e1d476cd8142ed484735ecb23f0109df123062870c0ffbb2
Opcode Fuzzy Hash: 435ea4b1ff01736312d3c99cebcefa362a0222bff224ad69b826c4de7f18e4a7
Instruction Fuzzy Hash: 6A21D3317442129FDF20AF1AC848B2A7BE5FF95318B1D8059E846CB351CB72DC42CB91

Function 00808060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00845DF0
VUUU, xrefs: 0080843C
VUUU, xrefs: 008083FA
ERCP, xrefs: 0080813C
VUUU, xrefs: 008083E8

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 95bc62f3580060281f09128345f675412b20366f994538af123f86bc04333123
Instruction ID: 3b3dd99da8861e26a3987a59232d8ce8d8b0a14941ef4c943b959940685adc81
Opcode Fuzzy Hash: 95bc62f3580060281f09128345f675412b20366f994538af123f86bc04333123
Instruction Fuzzy Hash: A8A27A70A0061ECBDF64CF58C8807AEB7B1FB55314F2481AAE855EB285EB709DD1CB91

Function 0086AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0086AAAC
SetKeyboardState.USER32(00000080), ref: 0086AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0086AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0086AB88

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 588cec356938de7cfd354f79f5b0db7725518352d4d6ce343e230b23fb5b4a76
Instruction ID: 9dcf8dbf4dbfa9a95d44f0c84481312140815c2d838397e5773c0b4fde7e69db
Opcode Fuzzy Hash: 588cec356938de7cfd354f79f5b0db7725518352d4d6ce343e230b23fb5b4a76
Instruction Fuzzy Hash: 5D31E930A40258AEEB39CA658C05BFE77AAFB45320F09421BE581E61D1D3758D81CB62

Function 0083BB6F Relevance: 6.1, APIs: 4, Instructions: 90timeCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0083BB7F

Part of subcall function 008329C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0083D7D1,00000000,00000000,00000000,00000000,?,0083D7F8,00000000,00000007,00000000,?,0083DBF5,00000000), ref: 008329DE
Part of subcall function 008329C8: GetLastError.KERNEL32(00000000,?,0083D7D1,00000000,00000000,00000000,00000000,?,0083D7F8,00000000,00000007,00000000,?,0083DBF5,00000000,00000000), ref: 008329F0

GetTimeZoneInformation.KERNEL32 ref: 0083BB91
WideCharToMultiByte.KERNEL32(00000000,?,008D121C,000000FF,?,0000003F,?,?), ref: 0083BC09
WideCharToMultiByte.KERNEL32(00000000,?,008D1270,000000FF,?,0000003F,?,?,?,008D121C,000000FF,?,0000003F,?,?), ref: 0083BC36

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone_free
String ID:
API String ID: 806657224-0
Opcode ID: 82f6fcd3edf4d1a3f68e90f01b9684f4c35ff6f992c57d592ea2735a673f485e
Instruction ID: e313db5c17b0f34916c66cf6e1700c06c91b3cd5aff24428f13f2b955614ac56
Opcode Fuzzy Hash: 82f6fcd3edf4d1a3f68e90f01b9684f4c35ff6f992c57d592ea2735a673f485e
Instruction Fuzzy Hash: 8E31B2B0904205EFCB11DFA9DC80929BBB8FF95720B1446ABE160D73A1D7319E41CB90

Function 0087CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 0087CE89
GetLastError.KERNEL32(?,00000000), ref: 0087CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 0087CEFE

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: da3c6a52b92d52a2a032a3c8e81b2a7bcb04ce65d2a391ac6c1fbf2939cdb6d6
Instruction ID: 9f6b8e5111f4480a9c4657fd66ec2d8447cc26eda142071f86c824e4cc9cafb9
Opcode Fuzzy Hash: da3c6a52b92d52a2a032a3c8e81b2a7bcb04ce65d2a391ac6c1fbf2939cdb6d6
Instruction Fuzzy Hash: F421BDB2500705ABEB20DFA5D948BA67BF8FB40318F14841EE54AD3151EB70EE448B64

Function 00868298 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 008682AA

Strings

(, xrefs: 008682F0
|, xrefs: 008682DA

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 24adef32047e4693e8d1e05cf00643a6fa91849be30de5598781f76bca59355b
Instruction ID: d1affc789cc6421f5b09e81682a8c8e940ee40adff9efae5861c8516cbef0a4c
Opcode Fuzzy Hash: 24adef32047e4693e8d1e05cf00643a6fa91849be30de5598781f76bca59355b
Instruction Fuzzy Hash: 20322575A00605DFCB28CF59C481A6AB7F0FF48710B16C56EE59ADB3A1EB70E981CB44

Function 00875C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00875CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00875D17
FindClose.KERNEL32(?), ref: 00875D5F

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: b6bb4f42b030529145e7570d554315ee33145da18d8ed5ec01ce110f13a5cf32
Instruction ID: efdf8c1a0c0654c0867f0a53b90f68acd0fc49cd5cc0154d34e7408be7f7c61a
Opcode Fuzzy Hash: b6bb4f42b030529145e7570d554315ee33145da18d8ed5ec01ce110f13a5cf32
Instruction Fuzzy Hash: 5051BA746046019FC714DF28C894A9ABBE4FF49324F14856EE95ACB3A1CB70ED40CB92

Function 00832622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0083271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00832724
UnhandledExceptionFilter.KERNEL32(?), ref: 00832731

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 1ce0f3ebde2558050c99fab63e28487e46dbb554a95fdb6779385fa61dcfbb21
Instruction ID: 3c021ff568d1ec4ef0a75738594c4081cf33f7d95a83af66ddd7fd7e2613ce5e
Opcode Fuzzy Hash: 1ce0f3ebde2558050c99fab63e28487e46dbb554a95fdb6779385fa61dcfbb21
Instruction Fuzzy Hash: 5D31B574911228ABCB21DF68DC89B9DB7B8FF08310F5041EAE41CA7261E7309F818F85

Function 008751CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 008751DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00875238
SetErrorMode.KERNEL32(00000000), ref: 008752A1

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 63f6685ecf4888ff5cac6b9bbb711e6d5d452df52bc9c64384f97e183b67bfc7
Instruction ID: bb89905c11349c876eaa67802d4d065066564aa5e06f4f7767b823a10e6a921c
Opcode Fuzzy Hash: 63f6685ecf4888ff5cac6b9bbb711e6d5d452df52bc9c64384f97e183b67bfc7
Instruction Fuzzy Hash: F8315075A10518DFDB00DF54D884EADBBB4FF49314F088099E809EB3A6DB71E855CB51

Function 008616C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 0081FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00820668
Part of subcall function 0081FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00820685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0086170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0086173A
GetLastError.KERNEL32 ref: 0086174A

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: 8b75c6f56d43c912ecada3f1e47a3f8e45e7e35f9ce1cea056780814796b7eac
Instruction ID: 62802138ec7b6675de4dc6f7970ea56ad67835db64e11986f0347396190386ad
Opcode Fuzzy Hash: 8b75c6f56d43c912ecada3f1e47a3f8e45e7e35f9ce1cea056780814796b7eac
Instruction Fuzzy Hash: 431194B1414304AFD718AF54EC86D6AB7FDFF44754B25852EE05697242EB71BC418B20

Function 0086D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0086D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0086D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0086D650

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: b682fa2acc8493f274b8b0c75dc11d89a81255b122d55a342af71a778ffc2af5
Instruction ID: f11bcf2553f23c0a3bf1d4f5624645fd8c08b5084c687c2187ff23c2a3d5c4ff
Opcode Fuzzy Hash: b682fa2acc8493f274b8b0c75dc11d89a81255b122d55a342af71a778ffc2af5
Instruction Fuzzy Hash: 96113C75E05228BBDB109F95DC45FAFBBBCFB45B50F108116F904E7290D6704A058BA1

Function 00861663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0086168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 008616A1
FreeSid.ADVAPI32(?), ref: 008616B1

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 3e7128029bf6c946813faaad9242501ec79b12245be98137c051caab8f310551
Instruction ID: a7da07d414d6a7fd21fc4433fe0b05f2fa5293521c51aba122777206fffe30c8
Opcode Fuzzy Hash: 3e7128029bf6c946813faaad9242501ec79b12245be98137c051caab8f310551
Instruction Fuzzy Hash: DFF04471940308FBDF00DFE0CC89AAEBBBCFB08200F444561E500E2181E331AA048A50

Function 0085D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 0085D28C

Strings

X64, xrefs: 0085D2A8

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 19832a0e65cb8c5836cb0f6e0bc5ea71a6a2cf1d898858ea7884f35ae35a2985
Instruction ID: bd0ac06d9508a343db7f3ba78b81d2b403821f336ed01250883706eb99257cff
Opcode Fuzzy Hash: 19832a0e65cb8c5836cb0f6e0bc5ea71a6a2cf1d898858ea7884f35ae35a2985
Instruction Fuzzy Hash: 03D0C9B580121DEECB90DB90DC88DDDB37CFB14309F100152F506E2000D77095888F20

Function 0082CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: f2aa0fe9e9059a15c8425f1af599375e69d62a3e133fc26f66cbdba368b5e429
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: 54021C71E002299FDF14CFA9D9806ADFBF1FF48314F25816AD919E7384D731AA418B94

Function 008768EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00876918
FindClose.KERNEL32(00000000), ref: 00876961

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 0f5f8c5049dc413808173455c6e59ab398d04ba4c575f66ba586b308f9589af2
Instruction ID: a60508f264e26a83e73f7f753078cc956bfa24cce52069b43c1e846ecf2c9ce5
Opcode Fuzzy Hash: 0f5f8c5049dc413808173455c6e59ab398d04ba4c575f66ba586b308f9589af2
Instruction Fuzzy Hash: AB11D0716046019FD710DF69C884A16BBE0FF85328F04C699E569CF2A2DB30EC05CB91

Function 008737B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00884891,?,?,00000035,?), ref: 008737E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00884891,?,?,00000035,?), ref: 008737F4

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 722740b2644e27acaccb382b5e98dfcdd1f5d768deb1aa86e37b746d101a3684
Instruction ID: dd8cd9e687c77dd36f09abbc6bf856af361872b09cb788174330d8bf48220afd
Opcode Fuzzy Hash: 722740b2644e27acaccb382b5e98dfcdd1f5d768deb1aa86e37b746d101a3684
Instruction Fuzzy Hash: 3AF0E5B16042282AEB2027AA8C4DFEB7BAEFFC47A1F000175F509D2295D9609944C6B1

Function 0086B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0086B25D
keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 0086B270

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 27e21a9d27efdbaf107d1c908c621361015e0344f4a5cf3e3d461575df146434
Instruction ID: 8b2aedcd040cdade5e5283a0df271c4758d7e04c076a8c97a427e9974c358498
Opcode Fuzzy Hash: 27e21a9d27efdbaf107d1c908c621361015e0344f4a5cf3e3d461575df146434
Instruction Fuzzy Hash: 50F01D7180428DABDB059FA4C805BAE7BB4FF04309F04801AF955E6192D37986519F94

Function 008610BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,008611FC), ref: 008610D4
CloseHandle.KERNEL32(?,?,008611FC), ref: 008610E9

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: a22295d4a7a514f9cf86cc29764530b60a8393cf4b77924af6310bd3f0afb5ad
Instruction ID: c074f0106ccf55d0e81fe8cdd1e71f95a064e6ae8576e3ffa5beb798b5d5f41e
Opcode Fuzzy Hash: a22295d4a7a514f9cf86cc29764530b60a8393cf4b77924af6310bd3f0afb5ad
Instruction Fuzzy Hash: 9FE0BF72018610AEEB252B55FC09EB777ADFF04310F14882EF5A5C44B2DB626CE0DB50

Function 0080CAF0 Relevance: 1.9, Strings: 1, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 00850C40

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.
API String ID: 0-1840281001
Opcode ID: c9a4a5e9926e7f30580fbdd55e64c64179c3c509790261f185c13fc57524ee8a
Instruction ID: 8fe08dab713c76f5de7f01ba4046d45e0028951cc2dc2934800c3afd61f7698d
Opcode Fuzzy Hash: c9a4a5e9926e7f30580fbdd55e64c64179c3c509790261f185c13fc57524ee8a
Instruction Fuzzy Hash: C8327A709002199BDF54DF94CC81AEDB7B5FF05308F248259E806EB292DB75AE49CB62

Function 0083676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00836766,?,?,00000008,?,?,0083FEFE,00000000), ref: 00836998

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 9ef20272725ccb1ba4ff81572000064edb7b6365c891131d7e10b2a9af9af5fb
Instruction ID: 3129cfaf292cd8a17dc6eef98c13f0a170d9d4d8de728a77415133a560e28cef
Opcode Fuzzy Hash: 9ef20272725ccb1ba4ff81572000064edb7b6365c891131d7e10b2a9af9af5fb
Instruction Fuzzy Hash: E6B13C31510608AFD715CF2CC48AB657BE0FF85368F29C658E899CF2A1D735D9A1CB80

Function 0081B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 0085851F

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 1fa14a5a3d7e47f70f95a745785b23aad4866b4a5711a732748a28da5dc3acfa
Instruction ID: 613aee88545ad06c2233233c90affc102db9ab2150d9582b963bd0b763788c96
Opcode Fuzzy Hash: 1fa14a5a3d7e47f70f95a745785b23aad4866b4a5711a732748a28da5dc3acfa
Instruction Fuzzy Hash: 4B124D75A00229DFDB14CF58C8816EEB7F9FF48710F14819AE849EB255EB309A85CF94

Function 0087EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 0087EABD

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 1623706e68e435f385750653efb2d66cc71cc881ae68a1b5b9b1ac4f87ed5325
Instruction ID: 7edca3f50e56218e8c7655692231890a5debdd309fb27251d0e65c306da58547
Opcode Fuzzy Hash: 1623706e68e435f385750653efb2d66cc71cc881ae68a1b5b9b1ac4f87ed5325
Instruction Fuzzy Hash: ABE01A312002149FD710EF59D804E9AF7E9FFA8764F00845AFC49C72A1DAB0E8408B91

Function 008209D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,008203EE), ref: 008209DA

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 72f2f024fc57364b3d8e3aa80dbb46c941a7864329444faa6013a7dbfec51bf3
Instruction ID: e1fa39588e1e3347f5ed8d0e1487884ade553280bafc22b6ab96953bc72e71dd
Opcode Fuzzy Hash: 72f2f024fc57364b3d8e3aa80dbb46c941a7864329444faa6013a7dbfec51bf3
Instruction Fuzzy Hash:

Function 0082781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 0082798B

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: edeef3a6df98354cf6398ee62cb59c2d837931699ab6cc4e94fd2372fa56d3bf
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 8D51687160C779ABDF38852FB85E7BE2B85FB12304F180529D982D7282C619DEC1D35A

Function 00836DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe64c9f4154901a9869231e4e7f9695f17aa3335ed4a72449c09a87376d7af06
Instruction ID: 2be5aa7028b62ed2b9990df0df2a844ba1f484298e0fef4bd8d5087f4f46a37d
Opcode Fuzzy Hash: fe64c9f4154901a9869231e4e7f9695f17aa3335ed4a72449c09a87376d7af06
Instruction Fuzzy Hash: D3320162D29F414DE7339638C822326A649BFB73C5F15D737E81AB5DAAEB29C4834140

Function 0081CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f831e98dd76cbdc84b43d0b7fe64e9e87da2505132414c7899a798a54f94900
Instruction ID: 99b0ea8f014adf4e6326ce671b3f657542b712ace2015e8d9fd788824e204e7f
Opcode Fuzzy Hash: 9f831e98dd76cbdc84b43d0b7fe64e9e87da2505132414c7899a798a54f94900
Instruction Fuzzy Hash: 2132F431A003198FCF24CE69C4946BD7BA5FF85316F28856ADC4ADB291E2349D89DF81

Function 00807920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9c37e922b88c7ad7f7ca2434a4441619a359c3aeb8db572d712aafa898c2771
Instruction ID: 75eb1b25eadff4600adc9687aaae64e109a22568677e8fd50e535c8b03938a65
Opcode Fuzzy Hash: a9c37e922b88c7ad7f7ca2434a4441619a359c3aeb8db572d712aafa898c2771
Instruction Fuzzy Hash: B722BFB0E04609DFDF14CF68D881AAEB7B5FF44314F144629E812EB292EB36AD51CB51

Function 008091C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7eba1f62a54b4f67641d0a7b4c002bd0baecd17cf977463c41ac817e57faa2a
Instruction ID: 258cb85d8c72eb4206dfaa907432aa3516fc5c227726a5e7a9b5d9619d693f2b
Opcode Fuzzy Hash: a7eba1f62a54b4f67641d0a7b4c002bd0baecd17cf977463c41ac817e57faa2a
Instruction Fuzzy Hash: 7002C6B0E00219EFDB04DF68D881AAEB7B5FF54304F118169E856DB3D1EB31AA51CB81

Function 00839EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce09e9ffcee83886b5096b0d671f476b094aa1d41e17651a698c29029bdaff1f
Instruction ID: 86cd61484df1f2c904e3e7c396a8ca7c50867afb98fcbe871cf1d85b779af105
Opcode Fuzzy Hash: ce09e9ffcee83886b5096b0d671f476b094aa1d41e17651a698c29029bdaff1f
Instruction Fuzzy Hash: 56B1DF20D2AF414DE62396399831336F65CBFBB6D5F91D71BFC6674E22EB2286834140

Function 00821C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: d8a11d8c7833d68d7b1df5f0147c65f138085518af589c30722cf97e521f7f57
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 97915A766080B34ADF294639A57C07EFFE1FA623A132A079DD4F2CA1C5EE2495D4D620

Function 00821F32 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: 60b710e42ba0ce8eb404f3b2ead8630569d9d186b4190b6f7edda9a8af3d3c30
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: 0B9177732090B359DB2D4239957843EFFE1EA923A131A079DD4F2CB1D5EE24D9E4D620

Function 008219B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 9560c3b2c3a9317b541f1613249dfe0784b273607c787e0b561794dd0b728e29
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: D79124722090B349DF69467AA57C03DFEF1EAA23B536A07AED4F3CA1C1FD1485D49620

Function 00827A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8372bc9bbc3ad6769b2c8ee0957ad05159656a7302f0ebd62936ce887d4310d2
Instruction ID: 6e6181d51891e8a5daae1b4013ba2754979215591ffa860df1e5c27c78f5e7f9
Opcode Fuzzy Hash: 8372bc9bbc3ad6769b2c8ee0957ad05159656a7302f0ebd62936ce887d4310d2
Instruction Fuzzy Hash: 5561797120873996DF389A2EBC95BBE2394FF41774F10091AE943DB281DA119EC2C756

Function 00827CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90f9489d0d2f45c3309c699b13248532a825e458a37a31377a9649ba190a0c51
Instruction ID: fe9662397fcc906981d4454877d9e5a6c890648a791e954a2955dad32e6eb961
Opcode Fuzzy Hash: 90f9489d0d2f45c3309c699b13248532a825e458a37a31377a9649ba190a0c51
Instruction Fuzzy Hash: 62618D79208739A7DE384A2E7855BBF23C4FF42B04F10095AE843DB2C9DA119DC18766

Function 00821706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 31418f0b74bbe76d3ec6e327b49c6d3b2ed3d0a85fa77dcef992ddffe147e4bd
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 548153726090B34DDF694239957843EFFE1FAA23A132A07AED4F2CA1C5EE1485D4D620

Function 00872046 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f507a6a61a244edfa52b0251acaf37e437bb5e82835b88a8e20c428eb640fe99
Instruction ID: f3383d6602bdb2dbc013bef91619bc20d5bbd85abebfd74b4cc0b7edcfe2e6ad
Opcode Fuzzy Hash: f507a6a61a244edfa52b0251acaf37e437bb5e82835b88a8e20c428eb640fe99
Instruction Fuzzy Hash: 7B2184326216118BDB28CE79C81267E73E5F764310F198A2EA4A7C37D0DE35E9048B50

Function 00882ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00882B30
DeleteObject.GDI32(00000000), ref: 00882B43
DestroyWindow.USER32 ref: 00882B52
GetDesktopWindow.USER32 ref: 00882B6D
GetWindowRect.USER32(00000000), ref: 00882B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00882CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00882CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00882CF8
GetClientRect.USER32(00000000,?), ref: 00882D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00882D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00882D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00882D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00882D80
GlobalLock.KERNEL32(00000000), ref: 00882D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00882D98
GlobalUnlock.KERNEL32(00000000), ref: 00882DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00882DA8
GlobalFree.KERNEL32(00000000), ref: 00882DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00882DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,0089FC38,00000000), ref: 00882DDB
GlobalFree.KERNEL32(00000000), ref: 00882DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00882E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00882E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00882E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0088303F

Strings

DISPLAY, xrefs: 00882EA2
static, xrefs: 00882D3A, 00882E91
, xrefs: 00882FC5
AutoIt v3, xrefs: 00882CF2

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 759ff60bee86051f7b1dbc1178079d2c692e43e60a754472b71d1f03bf6a2dc0
Instruction ID: 0efeb370e7bb82030b573728859d116d13b452b1ac4da0d7d8aa1fbacda8a74c
Opcode Fuzzy Hash: 759ff60bee86051f7b1dbc1178079d2c692e43e60a754472b71d1f03bf6a2dc0
Instruction Fuzzy Hash: 87024D71500209AFDB14EFA8CC89EAE7BB9FF48714F048159F915EB2A1DB75AD01CB60

Function 008970D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0089712F
GetSysColorBrush.USER32(0000000F), ref: 00897160
GetSysColor.USER32(0000000F), ref: 0089716C
SetBkColor.GDI32(?,000000FF), ref: 00897186
SelectObject.GDI32(?,?), ref: 00897195
InflateRect.USER32(?,000000FF,000000FF), ref: 008971C0
GetSysColor.USER32(00000010), ref: 008971C8
CreateSolidBrush.GDI32(00000000), ref: 008971CF
FrameRect.USER32(?,?,00000000), ref: 008971DE
DeleteObject.GDI32(00000000), ref: 008971E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00897230
FillRect.USER32(?,?,?), ref: 00897262
GetWindowLongW.USER32(?,000000F0), ref: 00897284

Part of subcall function 008973E8: GetSysColor.USER32(00000012), ref: 00897421
Part of subcall function 008973E8: SetTextColor.GDI32(?,?), ref: 00897425
Part of subcall function 008973E8: GetSysColorBrush.USER32(0000000F), ref: 0089743B
Part of subcall function 008973E8: GetSysColor.USER32(0000000F), ref: 00897446
Part of subcall function 008973E8: GetSysColor.USER32(00000011), ref: 00897463
Part of subcall function 008973E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00897471
Part of subcall function 008973E8: SelectObject.GDI32(?,00000000), ref: 00897482
Part of subcall function 008973E8: SetBkColor.GDI32(?,00000000), ref: 0089748B
Part of subcall function 008973E8: SelectObject.GDI32(?,?), ref: 00897498
Part of subcall function 008973E8: InflateRect.USER32(?,000000FF,000000FF), ref: 008974B7
Part of subcall function 008973E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 008974CE
Part of subcall function 008973E8: GetWindowLongW.USER32(00000000,000000F0), ref: 008974DB

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 38800620e10d7e7bb9ac5fc9549203007eeb98475bafc38826c4edc1654f83af
Instruction ID: 1bfacb28dee2302cc78311a13d0896dbac26f6035b612ac4e170d0c965d92e44
Opcode Fuzzy Hash: 38800620e10d7e7bb9ac5fc9549203007eeb98475bafc38826c4edc1654f83af
Instruction Fuzzy Hash: 3FA18172018301BFDB11AF64DC48E6B7BA9FF89321F180A1AF962D61E1D772E944CB51

Function 00818D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00818E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00856AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00856AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00856F43

Part of subcall function 00818F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00818BE8,?,00000000,?,?,?,?,00818BBA,00000000,?), ref: 00818FC5

SendMessageW.USER32(?,00001053), ref: 00856F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00856F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00856FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00856FB7

Strings

0, xrefs: 00856DCF

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: a2605a1888d627d0d3fa63eded44afc78949b07fc1e64a96ae27e08b7d757c2d
Instruction ID: c8723828c72ea84be972382816397a97f63c68380f56675419bdb9946935aca1
Opcode Fuzzy Hash: a2605a1888d627d0d3fa63eded44afc78949b07fc1e64a96ae27e08b7d757c2d
Instruction Fuzzy Hash: C212BE30601201EFDB21DF24D859BA9BBF5FF44312F98456AF885CB261DB32ACA5CB51

Function 00882711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 0088273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0088286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 008828A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 008828B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00882900
GetClientRect.USER32(00000000,?), ref: 0088290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00882955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00882964
GetStockObject.GDI32(00000011), ref: 00882974
SelectObject.GDI32(00000000,00000000), ref: 00882978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00882988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00882991
DeleteDC.GDI32(00000000), ref: 0088299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 008829C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 008829DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00882A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00882A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00882A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00882A77
GetStockObject.GDI32(00000011), ref: 00882A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00882A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00882A97

Strings

DISPLAY, xrefs: 0088295A
msctls_progress32, xrefs: 00882A13
static, xrefs: 0088294F, 00882A71
AutoIt v3, xrefs: 008828F8

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 080bdd810fac39a0f170cded34ac0f8e819665df50fad8eddeabc66952dd53d4
Instruction ID: 97f5872383f7af39ab7b7c723efed8bd6d21b8ff151984cb2b89ec4f852a61fd
Opcode Fuzzy Hash: 080bdd810fac39a0f170cded34ac0f8e819665df50fad8eddeabc66952dd53d4
Instruction Fuzzy Hash: 75B14A71A00215BFEB14EFA8CC49EAA7BA9FB08714F044255F915E72E0D774AD40CBA4

Function 00874ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00874AED
GetDriveTypeW.KERNEL32(?,0089CB68,?,\\.\,0089CC08), ref: 00874BCA
SetErrorMode.KERNEL32(00000000,0089CB68,?,\\.\,0089CC08), ref: 00874D36

Strings

\\.\, xrefs: 00874B3F
Unknown, xrefs: 00874BED, 00874C83
Fixed, xrefs: 00874C09
SATA, xrefs: 00874CD0
MMC, xrefs: 00874CDE
USB, xrefs: 00874CB4
Removable, xrefs: 00874C10, 00874C15
SAS, xrefs: 00874CC9
ATA, xrefs: 00874C98
Network, xrefs: 00874C02
Virtual, xrefs: 00874CE5
CDROM, xrefs: 00874BFB
ATAPI, xrefs: 00874C91
PhysicalDrive, xrefs: 00874B76
RAMDisk, xrefs: 00874BF4
Fibre, xrefs: 00874CAD
FileBackedVirtual, xrefs: 00874CEC
SCSI, xrefs: 00874C8A
SSA, xrefs: 00874CA6
1394, xrefs: 00874C9F
RAID, xrefs: 00874CBB
iSCSI, xrefs: 00874CC2
SSD, xrefs: 00874C4A

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 2891da69ddf4779c8375c5c94ae83f257cbcb666d1e66df76dd5b65e9ce76a2e
Instruction ID: be89605a120835088e555044f1552606ad58cf02edc38b85c5eaaad3c68c260a
Opcode Fuzzy Hash: 2891da69ddf4779c8375c5c94ae83f257cbcb666d1e66df76dd5b65e9ce76a2e
Instruction Fuzzy Hash: 2A61A1316051099BCB15DB58C981E6977B0FF84304B24D029F91BEB399EB3ADD519B42

Function 008973E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00897421
SetTextColor.GDI32(?,?), ref: 00897425
GetSysColorBrush.USER32(0000000F), ref: 0089743B
GetSysColor.USER32(0000000F), ref: 00897446
CreateSolidBrush.GDI32(?), ref: 0089744B
GetSysColor.USER32(00000011), ref: 00897463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00897471
SelectObject.GDI32(?,00000000), ref: 00897482
SetBkColor.GDI32(?,00000000), ref: 0089748B
SelectObject.GDI32(?,?), ref: 00897498
InflateRect.USER32(?,000000FF,000000FF), ref: 008974B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 008974CE
GetWindowLongW.USER32(00000000,000000F0), ref: 008974DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0089752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00897554
InflateRect.USER32(?,000000FD,000000FD), ref: 00897572
DrawFocusRect.USER32(?,?), ref: 0089757D
GetSysColor.USER32(00000011), ref: 0089758E
SetTextColor.GDI32(?,00000000), ref: 00897596
DrawTextW.USER32(?,008970F5,000000FF,?,00000000), ref: 008975A8
SelectObject.GDI32(?,?), ref: 008975BF
DeleteObject.GDI32(?), ref: 008975CA
SelectObject.GDI32(?,?), ref: 008975D0
DeleteObject.GDI32(?), ref: 008975D5
SetTextColor.GDI32(?,?), ref: 008975DB
SetBkColor.GDI32(?,?), ref: 008975E5

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 21b1429cb219dd6fba698c3f3fffa069d8815b976ee3668fe7d07667e43aa368
Instruction ID: 693ef475c6a42bb1c55d99772a4317a817d1f004815b6fcba6e6fc189e8cfc18
Opcode Fuzzy Hash: 21b1429cb219dd6fba698c3f3fffa069d8815b976ee3668fe7d07667e43aa368
Instruction Fuzzy Hash: 53613C72904218AFDF01AFA4DC49AEEBFB9FF09320F194116F915AB2A1D7759940CB90

Function 00890FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00891128
GetDesktopWindow.USER32 ref: 0089113D
GetWindowRect.USER32(00000000), ref: 00891144
GetWindowLongW.USER32(?,000000F0), ref: 00891199
DestroyWindow.USER32(?), ref: 008911B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 008911ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0089120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0089121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00891232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00891245
IsWindowVisible.USER32(00000000), ref: 008912A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 008912BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 008912D0
GetWindowRect.USER32(00000000,?), ref: 008912E8
MonitorFromPoint.USER32(?,?,00000002), ref: 0089130E
GetMonitorInfoW.USER32(00000000,?), ref: 00891328
CopyRect.USER32(?,?), ref: 0089133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 008913AA

Strings

0, xrefs: 008910D3
tooltips_class32, xrefs: 008911E6
(, xrefs: 0089131B

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 2bcb730d31e36b520ecd0db4718d810333668a19c1bb3b1725432abec43f769c
Instruction ID: d0ea2478c45570211dc91fff9dd29580110e8a7b9aa57e5328e86f5fea558c2b
Opcode Fuzzy Hash: 2bcb730d31e36b520ecd0db4718d810333668a19c1bb3b1725432abec43f769c
Instruction Fuzzy Hash: 78B16D71608341AFDB54EF64C888B5ABBE4FF84354F04891DF999DB2A1C771E844CB52

Function 00818891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00818968
GetSystemMetrics.USER32(00000007), ref: 00818970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0081899B
GetSystemMetrics.USER32(00000008), ref: 008189A3
GetSystemMetrics.USER32(00000004), ref: 008189C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 008189E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 008189F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00818A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00818A3C
GetClientRect.USER32(00000000,000000FF), ref: 00818A5A
GetStockObject.GDI32(00000011), ref: 00818A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00818A81

Part of subcall function 0081912D: GetCursorPos.USER32(?), ref: 00819141
Part of subcall function 0081912D: ScreenToClient.USER32(00000000,?), ref: 0081915E
Part of subcall function 0081912D: GetAsyncKeyState.USER32(00000001), ref: 00819183
Part of subcall function 0081912D: GetAsyncKeyState.USER32(00000002), ref: 0081919D

SetTimer.USER32(00000000,00000000,00000028,008190FC), ref: 00818AA8

Strings

AutoIt v3 GUI, xrefs: 00818A20

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 144e58035851ce1a58e046cbb14b0139869788d0e851d425b37f812cda5d2b86
Instruction ID: 3b4307b18aca6e21786110c0c63441bab0cfce80da2ef153490823a7271daa0c
Opcode Fuzzy Hash: 144e58035851ce1a58e046cbb14b0139869788d0e851d425b37f812cda5d2b86
Instruction Fuzzy Hash: 36B15871A00209EFDF14DFA8CC59BAA7BB5FF48315F14422AFA15E7290DB34A880CB51

Function 00860D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 008610F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00861114
Part of subcall function 008610F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00860B9B,?,?,?), ref: 00861120
Part of subcall function 008610F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00860B9B,?,?,?), ref: 0086112F
Part of subcall function 008610F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00860B9B,?,?,?), ref: 00861136
Part of subcall function 008610F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0086114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00860DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00860E29
GetLengthSid.ADVAPI32(?), ref: 00860E40
GetAce.ADVAPI32(?,00000000,?), ref: 00860E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00860E96
GetLengthSid.ADVAPI32(?), ref: 00860EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00860EB5
HeapAlloc.KERNEL32(00000000), ref: 00860EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00860EDD
CopySid.ADVAPI32(00000000), ref: 00860EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00860F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00860F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00860F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00860F6E
HeapFree.KERNEL32(00000000), ref: 00860F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00860F7E
HeapFree.KERNEL32(00000000), ref: 00860F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00860F8E
HeapFree.KERNEL32(00000000), ref: 00860F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00860FA1
HeapFree.KERNEL32(00000000), ref: 00860FA8

Part of subcall function 00861193: GetProcessHeap.KERNEL32(00000008,00860BB1,?,00000000,?,00860BB1,?), ref: 008611A1
Part of subcall function 00861193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00860BB1,?), ref: 008611A8
Part of subcall function 00861193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00860BB1,?), ref: 008611B7

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: a0d8ed07afc8ad1d1564c3d692eb22a8a74785dec7de7144761154749efa27f5
Instruction ID: 5473a9a354ecfa4d604ee2022329a7b2342259ce0056a85d89b8f097315104df
Opcode Fuzzy Hash: a0d8ed07afc8ad1d1564c3d692eb22a8a74785dec7de7144761154749efa27f5
Instruction Fuzzy Hash: 6871597290021AAFDF219FA4DC48BAFBBB8FF15300F094116F959E6191DB329A05CF64

Function 0088C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0088C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,0089CC08,00000000,?,00000000,?,?), ref: 0088C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0088C5A4
_wcslen.LIBCMT ref: 0088C5F4
_wcslen.LIBCMT ref: 0088C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0088C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0088C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0088C84D
RegCloseKey.ADVAPI32(?), ref: 0088C881
RegCloseKey.ADVAPI32(00000000), ref: 0088C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0088C960

Strings

REG_DWORD, xrefs: 0088C804
REG_QWORD, xrefs: 0088C8C3
REG_MULTI_SZ, xrefs: 0088C6F5
REG_BINARY, xrefs: 0088C913
REG_SZ, xrefs: 0088C644
REG_EXPAND_SZ, xrefs: 0088C5CD

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 48c9f2688898ae172122334bc926ed4e085a037b6c94db744746c260e4c113f3
Instruction ID: ce8c25dafa511c8a141927fd0511b03a39359e0a3bb651c6b667e08a4444be5e
Opcode Fuzzy Hash: 48c9f2688898ae172122334bc926ed4e085a037b6c94db744746c260e4c113f3
Instruction Fuzzy Hash: 6C1236356042019FDB54EF18C891A2AB7E5FF88714F14885DF89ADB3A2DB31ED41CB92

Function 0089091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 008909C6
_wcslen.LIBCMT ref: 00890A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00890A54
_wcslen.LIBCMT ref: 00890A8A
_wcslen.LIBCMT ref: 00890B06
_wcslen.LIBCMT ref: 00890B81

Part of subcall function 0081F9F2: _wcslen.LIBCMT ref: 0081F9FD

Part of subcall function 00862BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00862BFA

Strings

ISCHECKED, xrefs: 00890CE1
COLLAPSE, xrefs: 00890B01, 00890B1C
SELECT, xrefs: 00890D11
EXPAND, xrefs: 00890BF8
GETTOTALCOUNT, xrefs: 008909F2, 00890A17
EXISTS, xrefs: 00890B7C, 00890B97
GETITEMCOUNT, xrefs: 00890C1E
UNCHECK, xrefs: 00890D3E
GETSELECTED, xrefs: 00890C4E
CHECK, xrefs: 00890A85, 00890AA0
GETTEXT, xrefs: 00890C97

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 31ea3500dcaa3bd9c0181c644f979b8422167b7598f640892deb83309dc03812
Instruction ID: 40519726c10d0a51a22403254c0800f73cd8f5e68df5c0ee990b43e609a1e733
Opcode Fuzzy Hash: 31ea3500dcaa3bd9c0181c644f979b8422167b7598f640892deb83309dc03812
Instruction Fuzzy Hash: 44E15A316087118FCB14EF28C85096AB7E1FF98358B19495DF896DB3A2DB31ED45CB82

Function 0088C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0088B6AE,?,?), ref: 0088C9B5
_wcslen.LIBCMT ref: 0088C9F1
_wcslen.LIBCMT ref: 0088CA68
_wcslen.LIBCMT ref: 0088CA9E
_wcslen.LIBCMT ref: 0088CAF9
_wcslen.LIBCMT ref: 0088CB2F
_wcslen.LIBCMT ref: 0088CB7F

Strings

HKCU, xrefs: 0088CBCE
HKEY_CLASSES_ROOT, xrefs: 0088CAF3, 0088CAF8
HKCC, xrefs: 0088CBAC
HKLM, xrefs: 0088CA98, 0088CA9D
HKEY_USERS, xrefs: 0088CBDF
HKEY_CURRENT_CONFIG, xrefs: 0088CB79, 0088CB7E
HKCR, xrefs: 0088CB29, 0088CB2E
HKEY_CURRENT_USER, xrefs: 0088CBBD
HKEY_LOCAL_MACHINE, xrefs: 0088CA62, 0088CA67
HKU, xrefs: 0088CBF0

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: d6211695ec774bf6cd3deaaff39424c5c7430a5312a903ee436c65c5ca2b283f
Instruction ID: d1d7969ba2f62216f80d46bce29facf585d0f36b240a5e661b31f06f5739686f
Opcode Fuzzy Hash: d6211695ec774bf6cd3deaaff39424c5c7430a5312a903ee436c65c5ca2b283f
Instruction Fuzzy Hash: 0071F47260052A8BCB24FE7CDD41ABA37A5FF60764F150129F866D7289E631CD8487B1

Function 0089833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0089835A
_wcslen.LIBCMT ref: 0089836E
_wcslen.LIBCMT ref: 00898391
_wcslen.LIBCMT ref: 008983B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 008983F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,0089361A,?), ref: 0089844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00898487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 008984CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00898501
FreeLibrary.KERNEL32(?), ref: 0089850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0089851D
DestroyIcon.USER32(?), ref: 0089852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00898549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00898555

Strings

.dll, xrefs: 008983AB
.icl, xrefs: 00898368
.exe, xrefs: 00898388

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: 4d5dbb132795d32da71471327c9a6ce5a4c688b9fe133244ae5c904fdf646475
Instruction ID: 2141d01e28813f320948b7f6632105493c4b74771da5e0f20ceaf5a0a14dbb82
Opcode Fuzzy Hash: 4d5dbb132795d32da71471327c9a6ce5a4c688b9fe133244ae5c904fdf646475
Instruction Fuzzy Hash: 4561AE7154021AFAEF14EF68DC41BBE7BA8FF09B21F14460AF815D61D1DB75A980CBA0

Function 00807778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#pragma compile, xrefs: 008077D3
#comments-start, xrefs: 0080785F, 008078B1
#OnAutoItStartRegister, xrefs: 00807817
Bad directive syntax error, xrefs: 0084519A
", xrefs: 00845153
#cs, xrefs: 00807873, 008078C5
#comments-end, xrefs: 008078D9
Unterminated group of comments, xrefs: 0084528C
#requireadmin, xrefs: 008077FF
', xrefs: 00845169
#ce, xrefs: 008078ED
#include, xrefs: 00807847
#notrayicon, xrefs: 008077E7
#include-once, xrefs: 0080782F
Cannot parse #include, xrefs: 00845279

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 7687b7ac5f41d09dbeb32043c04e773857d7d7531756cacc7a1798ddb6898c3a
Instruction ID: 37ac5f17df21e7dee2b0b7dc1e2819e892f61cbf5fee66f725e636109cde4eec
Opcode Fuzzy Hash: 7687b7ac5f41d09dbeb32043c04e773857d7d7531756cacc7a1798ddb6898c3a
Instruction Fuzzy Hash: 3B81D371A04219BBEF60AF64DC42FAE37A8FF55340F044025F905EA2D3EB74E951C6A2

Function 00873E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00873EF8
_wcslen.LIBCMT ref: 00873F03
_wcslen.LIBCMT ref: 00873F5A
_wcslen.LIBCMT ref: 00873F98
GetDriveTypeW.KERNEL32(?), ref: 00873FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0087401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00874059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00874087

Strings

type cdaudio alias cd wait, xrefs: 00874001
set cd door , xrefs: 00874028
open , xrefs: 00873FE5
close cd wait, xrefs: 00874072
closed, xrefs: 00873F08, 00873F2D, 00873F46, 00873F7E, 00873F97
open, xrefs: 00873F54, 00873F59
wait, xrefs: 00874044
close, xrefs: 00873EFE, 00873F18

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: 98335b6b2134726332104aae321af93030d433f281c751d39b350e04fec719ec
Instruction ID: c6281f06e39eeef0fc494adf442dc8a0a29acb464f6e4a9d309902cded971eae
Opcode Fuzzy Hash: 98335b6b2134726332104aae321af93030d433f281c751d39b350e04fec719ec
Instruction Fuzzy Hash: B871E1716042119FC350EF28C88096AB7F4FF94768F10892DF999D3295EB31ED49CB92

Function 00865A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00865A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00865A40
SetWindowTextW.USER32(?,?), ref: 00865A57
GetDlgItem.USER32(?,000003EA), ref: 00865A6C
SetWindowTextW.USER32(00000000,?), ref: 00865A72
GetDlgItem.USER32(?,000003E9), ref: 00865A82
SetWindowTextW.USER32(00000000,?), ref: 00865A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00865AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00865AC3
GetWindowRect.USER32(?,?), ref: 00865ACC
_wcslen.LIBCMT ref: 00865B33
SetWindowTextW.USER32(?,?), ref: 00865B6F
GetDesktopWindow.USER32 ref: 00865B75
GetWindowRect.USER32(00000000), ref: 00865B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00865BD3
GetClientRect.USER32(?,?), ref: 00865BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00865C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00865C2F

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: c9134bad3299a55b6c24c011f9ea48a14b5803d126d8830eb9be52b93c1a86fe
Instruction ID: 109a23167fe3a0bc4c23524f5c6d92020c59c464533694105a4863df38c9a7e2
Opcode Fuzzy Hash: c9134bad3299a55b6c24c011f9ea48a14b5803d126d8830eb9be52b93c1a86fe
Instruction Fuzzy Hash: 5D718E31900B09AFDB20EFA8CE85BAEBBF5FF48714F154919E182E25A0D775E944CB10

Function 0087FE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 0087FE27
LoadCursorW.USER32(00000000,00007F8A), ref: 0087FE32
LoadCursorW.USER32(00000000,00007F00), ref: 0087FE3D
LoadCursorW.USER32(00000000,00007F03), ref: 0087FE48
LoadCursorW.USER32(00000000,00007F8B), ref: 0087FE53
LoadCursorW.USER32(00000000,00007F01), ref: 0087FE5E
LoadCursorW.USER32(00000000,00007F81), ref: 0087FE69
LoadCursorW.USER32(00000000,00007F88), ref: 0087FE74
LoadCursorW.USER32(00000000,00007F80), ref: 0087FE7F
LoadCursorW.USER32(00000000,00007F86), ref: 0087FE8A
LoadCursorW.USER32(00000000,00007F83), ref: 0087FE95
LoadCursorW.USER32(00000000,00007F85), ref: 0087FEA0
LoadCursorW.USER32(00000000,00007F82), ref: 0087FEAB
LoadCursorW.USER32(00000000,00007F84), ref: 0087FEB6
LoadCursorW.USER32(00000000,00007F04), ref: 0087FEC1
LoadCursorW.USER32(00000000,00007F02), ref: 0087FECC
GetCursorInfo.USER32(?), ref: 0087FEDC
GetLastError.KERNEL32 ref: 0087FF1E

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 6273365dfd01e9070019b40783e1ac6ef16e6b7e2667b282ef0c4ab57ffc622a
Instruction ID: 8f0340740b281c5a356536ef1011a807e8580efbdd2c90d42129aa329476728a
Opcode Fuzzy Hash: 6273365dfd01e9070019b40783e1ac6ef16e6b7e2667b282ef0c4ab57ffc622a
Instruction Fuzzy Hash: A84121B0D083196ADB109FBA8C8985EBFE8FF04754B54852AE11DE7281DF78E9018E91

Function 008200C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 008200C6

Part of subcall function 008200ED: InitializeCriticalSectionAndSpinCount.KERNEL32(008D070C,00000FA0,CD7874E8,?,?,?,?,008423B3,000000FF), ref: 0082011C
Part of subcall function 008200ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,008423B3,000000FF), ref: 00820127
Part of subcall function 008200ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,008423B3,000000FF), ref: 00820138
Part of subcall function 008200ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0082014E
Part of subcall function 008200ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0082015C
Part of subcall function 008200ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0082016A
Part of subcall function 008200ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00820195
Part of subcall function 008200ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 008201A0

___scrt_fastfail.LIBCMT ref: 008200E7

Part of subcall function 008200A3: __onexit.LIBCMT ref: 008200A9

Strings

api-ms-win-core-synch-l1-2-0.dll, xrefs: 00820122
InitializeConditionVariable, xrefs: 00820148
SleepConditionVariableCS, xrefs: 00820154
WakeAllConditionVariable, xrefs: 00820162
kernel32.dll, xrefs: 00820133

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: b2c200cf53b4e93f977425a033c5bd93446bde37b4c2e6e3f2b8add24f157ca1
Instruction ID: ee02a40eae320e7e21b968be53b294a62605296c7ed2d00795b99035fa57c382
Opcode Fuzzy Hash: b2c200cf53b4e93f977425a033c5bd93446bde37b4c2e6e3f2b8add24f157ca1
Instruction Fuzzy Hash: B8212632645720ABEB107B78BC06B6E37E8FB44B51F08013BF911E6393DB7598408E95

Function 008630F7 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0086318D
_wcslen.LIBCMT ref: 008631F8

Strings

CLASSNN, xrefs: 008631F3, 00863204
REGEXPCLASS, xrefs: 00863255, 00863266
CLASS, xrefs: 00863188, 008631A5
INSTANCE, xrefs: 00863453
TEXT, xrefs: 0086347C
NAME, xrefs: 00863335, 00863346

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: 95c1318ce9761581e0dcd1af4e47b3baf5eff3b144edab72af3acab7d778d937
Instruction ID: 925e5f49a8951793f61a27a468fa918f78d8a39077ba9f931010bb3df10bc510
Opcode Fuzzy Hash: 95c1318ce9761581e0dcd1af4e47b3baf5eff3b144edab72af3acab7d778d937
Instruction Fuzzy Hash: 9AE1B532A00526ABCF189FA8C851BEEFBB4FF54714F568129E556F7240DF30AE858790

Function 008744C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,0089CC08), ref: 00874527
_wcslen.LIBCMT ref: 0087453B
_wcslen.LIBCMT ref: 00874599
_wcslen.LIBCMT ref: 008745F4
_wcslen.LIBCMT ref: 0087463F
_wcslen.LIBCMT ref: 008746A7

Part of subcall function 0081F9F2: _wcslen.LIBCMT ref: 0081F9FD

GetDriveTypeW.KERNEL32(?,008C6BF0,00000061), ref: 00874743

Strings

unknown, xrefs: 00874708
network, xrefs: 0087469D, 008746A2
all, xrefs: 00874531, 00874536
cdrom, xrefs: 0087458F, 00874594
ramdisk, xrefs: 008746F1
removable, xrefs: 008745EA, 008745EF
fixed, xrefs: 00874635, 0087463A

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: e08ddfa817e035bd164039f763ce7f2ada720ed211e832c108e74b039e934be0
Instruction ID: 462459c6b0c83bacbbf12a692831951683585cc679de46cc7248dbaffae3e207
Opcode Fuzzy Hash: e08ddfa817e035bd164039f763ce7f2ada720ed211e832c108e74b039e934be0
Instruction Fuzzy Hash: A3B103316083029FC714DF28C890A6AB7E5FFA5764F50992DF5AAC7295E730DC84CB62

Function 00883FE9 Relevance: 23.2, APIs: 11, Strings: 2, Instructions: 478libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,0089CC08), ref: 008840BB
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 008840CD
GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,0089CC08), ref: 008840F2
FreeLibrary.KERNEL32(00000000,?,0089CC08), ref: 0088413E
StringFromGUID2.OLE32(?,?,00000028,?,0089CC08), ref: 008841A8
SysFreeString.OLEAUT32(00000009), ref: 00884262
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 008842C8
SysFreeString.OLEAUT32(?), ref: 008842F2

Strings

GetModuleHandleExW, xrefs: 008840C7
kernel32.dll, xrefs: 008840B6

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 354098117-199464113
Opcode ID: 2d9371aeccbabd487b2ff9fa44d388e5bef1eeef8531fce3b387093cde4c62b3
Instruction ID: 2bfd558ee899ccec3dde2444af7122eb6126ad379b1da8311ee07ee09d9c0eaf
Opcode Fuzzy Hash: 2d9371aeccbabd487b2ff9fa44d388e5bef1eeef8531fce3b387093cde4c62b3
Instruction Fuzzy Hash: 1B122C76A0021AEFDB14EF94C884EAEB7B5FF45318F248099E905DB251D731ED46CBA0

Function 0080326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(008D1990), ref: 00842F8D
GetMenuItemCount.USER32(008D1990), ref: 0084303D
GetCursorPos.USER32(?), ref: 00843081
SetForegroundWindow.USER32(00000000), ref: 0084308A
TrackPopupMenuEx.USER32(008D1990,00000000,?,00000000,00000000,00000000), ref: 0084309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 008430A9

Strings

0, xrefs: 0080327D

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 36a16d31c453c5152feed14cfcbe0a280967e6dce5506fbf6658e6b054db094c
Instruction ID: 52c28e49a0ca4663a9239b3bbb4c7c457b4cb36948e707227993e4ddf887375b
Opcode Fuzzy Hash: 36a16d31c453c5152feed14cfcbe0a280967e6dce5506fbf6658e6b054db094c
Instruction Fuzzy Hash: 47711931644209BFEB319F68CC49F9ABF68FF05328F244216F515E61E1CBB1A954C751

Function 00896CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 00896DEB

Part of subcall function 00806B57: _wcslen.LIBCMT ref: 00806B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00896E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00896E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00896E94
DestroyWindow.USER32(?), ref: 00896EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00800000,00000000), ref: 00896EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00896EFD
GetDesktopWindow.USER32 ref: 00896F16
GetWindowRect.USER32(00000000), ref: 00896F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00896F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00896F4D

Part of subcall function 00819944: GetWindowLongW.USER32(?,000000EB), ref: 00819952

Strings

tooltips_class32, xrefs: 00896E58, 00896EDD
0, xrefs: 00896D98

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: b2ced47ff00f2f5499473e78945317594730004c33d748501c669991b732b23d
Instruction ID: de814fc3fae047822db391490ed192e9f792dd8befb06fb0952c9ef27fe3f63b
Opcode Fuzzy Hash: b2ced47ff00f2f5499473e78945317594730004c33d748501c669991b732b23d
Instruction Fuzzy Hash: 73716670104244AFDB21EF18DC58FBABBE9FB89304F58051EF999C7261EB71A915CB12

Function 0089911E Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00819BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00819BB2

DragQueryPoint.SHELL32(?,?), ref: 00899147

Part of subcall function 00897674: ClientToScreen.USER32(?,?), ref: 0089769A
Part of subcall function 00897674: GetWindowRect.USER32(?,?), ref: 00897710
Part of subcall function 00897674: PtInRect.USER32(?,?,00898B89), ref: 00897720

SendMessageW.USER32(?,000000B0,?,?), ref: 008991B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 008991BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 008991DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00899225
SendMessageW.USER32(?,000000B0,?,?), ref: 0089923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00899255
SendMessageW.USER32(?,000000B1,?,?), ref: 00899277
DragFinish.SHELL32(?), ref: 0089927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00899371

Strings

@GUI_DROPID, xrefs: 0089929E
@GUI_DRAGFILE, xrefs: 00899320
@GUI_DRAGID, xrefs: 008992E9

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 221274066-3440237614
Opcode ID: ec73f74f0af8d5bb6ff81c8e446c48e044e417af114f66b45b08c781c22d2c7f
Instruction ID: 794f3e3ad6d09faff25b5ad4586b736b80da2d2706af1fa0ce9e6f884312e2c2
Opcode Fuzzy Hash: ec73f74f0af8d5bb6ff81c8e446c48e044e417af114f66b45b08c781c22d2c7f
Instruction Fuzzy Hash: 79617B71108301AFD741EF98DC85DABBBE8FF85350F440A2EF595922A1DB309A48CB52

Function 0087C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0087C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0087C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0087C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0087C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0087C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0087C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0087C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0087C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0087C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0087C5F0
InternetCloseHandle.WININET(00000000), ref: 0087C5FB

Strings

, xrefs: 0087C575

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 030c2fa9740c24a4b6d3593bd4074954991f0382c3f6c32aab284c139264995d
Instruction ID: 5e1059ffb22c01fb929398ffbee3af20cea8d453ab6fa2dcbb01c60d3c78caab
Opcode Fuzzy Hash: 030c2fa9740c24a4b6d3593bd4074954991f0382c3f6c32aab284c139264995d
Instruction Fuzzy Hash: 1B516CB1500608BFDB219FA4C988AAB7BBCFF08744F04851EF949D7214DB32E9449B60

Function 0089856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 00898592
GetFileSize.KERNEL32(00000000,00000000), ref: 008985A2
GlobalAlloc.KERNEL32(00000002,00000000), ref: 008985AD
CloseHandle.KERNEL32(00000000), ref: 008985BA
GlobalLock.KERNEL32(00000000), ref: 008985C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 008985D7
GlobalUnlock.KERNEL32(00000000), ref: 008985E0
CloseHandle.KERNEL32(00000000), ref: 008985E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 008985F8
OleLoadPicture.OLEAUT32(?,00000000,00000000,0089FC38,?), ref: 00898611
GlobalFree.KERNEL32(00000000), ref: 00898621
GetObjectW.GDI32(?,00000018,000000FF), ref: 00898641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00898671
DeleteObject.GDI32(00000000), ref: 00898699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 008986AF

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 86bb0b89ab8ca02b95b5db45598aa7fcd946384975c541a8b8030d8bbdd77e08
Instruction ID: 84d778358dbc2d483b3f906bdcdf22be15b9e7f1d867a83db25ede633e0d3f4e
Opcode Fuzzy Hash: 86bb0b89ab8ca02b95b5db45598aa7fcd946384975c541a8b8030d8bbdd77e08
Instruction Fuzzy Hash: E8413A75600209EFDB11EFA5CC48EAA7BB8FF99715F184059F90AEB260DB319D01DB20

Function 008714BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00871502
VariantCopy.OLEAUT32(?,?), ref: 0087150B
VariantClear.OLEAUT32(?), ref: 00871517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 008715FB
VarR8FromDec.OLEAUT32(?,?), ref: 00871657
VariantInit.OLEAUT32(?), ref: 00871708
SysFreeString.OLEAUT32(?), ref: 0087178C
VariantClear.OLEAUT32(?), ref: 008717D8
VariantClear.OLEAUT32(?), ref: 008717E7
VariantInit.OLEAUT32(00000000), ref: 00871823

Strings

Default, xrefs: 008716AF
%4d%02d%02d%02d%02d%02d, xrefs: 00871625

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 8b48d3c0394f9b3b2ecf769e6ec79748988b18e13069e9572bd1874e19d45054
Instruction ID: 032351a9b1d3aeaef3166506c82411b05e5c7a03b134ad18d5ccb481831cf028
Opcode Fuzzy Hash: 8b48d3c0394f9b3b2ecf769e6ec79748988b18e13069e9572bd1874e19d45054
Instruction Fuzzy Hash: B6D1E071A00109DBDF18AF68E889BB9B7B5FF44708F148056E40EEB989DB30D841DB52

Function 0088B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00809CB3: _wcslen.LIBCMT ref: 00809CBD

Part of subcall function 0088C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0088B6AE,?,?), ref: 0088C9B5
Part of subcall function 0088C998: _wcslen.LIBCMT ref: 0088C9F1
Part of subcall function 0088C998: _wcslen.LIBCMT ref: 0088CA68
Part of subcall function 0088C998: _wcslen.LIBCMT ref: 0088CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0088B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0088B772
RegDeleteValueW.ADVAPI32(?,?), ref: 0088B80A
RegCloseKey.ADVAPI32(?), ref: 0088B87E
RegCloseKey.ADVAPI32(?), ref: 0088B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 0088B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0088B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 0088B922
FreeLibrary.KERNEL32(00000000), ref: 0088B983
RegCloseKey.ADVAPI32(00000000), ref: 0088B994

Strings

RegDeleteKeyExW, xrefs: 0088B8FE
advapi32.dll, xrefs: 0088B8ED

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 5a01248e919bd9d3ebb4c22580ecfb8a70911333571bc40c2d9dd082399cb271
Instruction ID: 67b451c823f4249186405a1e417416154ccc6e8c477bb13e4e751eb94317fabd
Opcode Fuzzy Hash: 5a01248e919bd9d3ebb4c22580ecfb8a70911333571bc40c2d9dd082399cb271
Instruction Fuzzy Hash: 9EC16D30204241AFD714EF18C895F2ABBE5FF84318F18855CE59A8B3A2DB75ED45CB92

Function 0088255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 008825D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 008825E8
CreateCompatibleDC.GDI32(?), ref: 008825F4
SelectObject.GDI32(00000000,?), ref: 00882601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0088266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 008826AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 008826D0
SelectObject.GDI32(?,?), ref: 008826D8
DeleteObject.GDI32(?), ref: 008826E1
DeleteDC.GDI32(?), ref: 008826E8
ReleaseDC.USER32(00000000,?), ref: 008826F3

Strings

(, xrefs: 0088268D

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: fd2498ce840fed79a62620a6d80418f8569e2028d60aed0c7624c6e604560a4d
Instruction ID: ff96da17be8633ecac368d169e118a7abdc7810cbd87dbf08c51c08b23886f2d
Opcode Fuzzy Hash: fd2498ce840fed79a62620a6d80418f8569e2028d60aed0c7624c6e604560a4d
Instruction Fuzzy Hash: 0F610275D00219EFCF04DFA8D884AAEBBB5FF48310F24852AE955E7250E771A941CFA4

Function 0083DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0083DAA1

Part of subcall function 0083D63C: _free.LIBCMT ref: 0083D659
Part of subcall function 0083D63C: _free.LIBCMT ref: 0083D66B
Part of subcall function 0083D63C: _free.LIBCMT ref: 0083D67D
Part of subcall function 0083D63C: _free.LIBCMT ref: 0083D68F
Part of subcall function 0083D63C: _free.LIBCMT ref: 0083D6A1
Part of subcall function 0083D63C: _free.LIBCMT ref: 0083D6B3
Part of subcall function 0083D63C: _free.LIBCMT ref: 0083D6C5
Part of subcall function 0083D63C: _free.LIBCMT ref: 0083D6D7
Part of subcall function 0083D63C: _free.LIBCMT ref: 0083D6E9
Part of subcall function 0083D63C: _free.LIBCMT ref: 0083D6FB
Part of subcall function 0083D63C: _free.LIBCMT ref: 0083D70D
Part of subcall function 0083D63C: _free.LIBCMT ref: 0083D71F
Part of subcall function 0083D63C: _free.LIBCMT ref: 0083D731

_free.LIBCMT ref: 0083DA96

Part of subcall function 008329C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0083D7D1,00000000,00000000,00000000,00000000,?,0083D7F8,00000000,00000007,00000000,?,0083DBF5,00000000), ref: 008329DE
Part of subcall function 008329C8: GetLastError.KERNEL32(00000000,?,0083D7D1,00000000,00000000,00000000,00000000,?,0083D7F8,00000000,00000007,00000000,?,0083DBF5,00000000,00000000), ref: 008329F0

_free.LIBCMT ref: 0083DAB8
_free.LIBCMT ref: 0083DACD
_free.LIBCMT ref: 0083DAD8
_free.LIBCMT ref: 0083DAFA
_free.LIBCMT ref: 0083DB0D
_free.LIBCMT ref: 0083DB1B
_free.LIBCMT ref: 0083DB26
_free.LIBCMT ref: 0083DB5E
_free.LIBCMT ref: 0083DB65
_free.LIBCMT ref: 0083DB82
_free.LIBCMT ref: 0083DB9A

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 6779cc06841062628852ef6f57858f6b1a37cf065ed595664b48cd3d3855f048
Instruction ID: 27a6b11f451bb8797bee742b8dbd00be9e0e48a942c01041571aff32d63235c2
Opcode Fuzzy Hash: 6779cc06841062628852ef6f57858f6b1a37cf065ed595664b48cd3d3855f048
Instruction Fuzzy Hash: 253149326043159FEB22AA39F845F5ABBE9FF80320F154469F859D7191DF71EC808BA1

Function 0086365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0086369C
_wcslen.LIBCMT ref: 008636A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00863797
GetClassNameW.USER32(?,?,00000400), ref: 0086380C
GetDlgCtrlID.USER32(?), ref: 0086385D
GetWindowRect.USER32(?,?), ref: 00863882
GetParent.USER32(?), ref: 008638A0
ScreenToClient.USER32(00000000), ref: 008638A7
GetClassNameW.USER32(?,?,00000100), ref: 00863921
GetWindowTextW.USER32(?,?,00000400), ref: 0086395D

Strings

%s%u, xrefs: 00863734

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 105947b2869c21a538501dafc96dfc89b44dc17c64adeb55b6e393bccd2d4744
Instruction ID: 9d4192264b17caebacc7e218fa4915fb31b1d28c9a0826e632896bd30af24772
Opcode Fuzzy Hash: 105947b2869c21a538501dafc96dfc89b44dc17c64adeb55b6e393bccd2d4744
Instruction Fuzzy Hash: 0A91C171204706AFD719DF24C885FEAFBA9FF44350F018629F99AC2190EB30EA55CB91

Function 00864954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00864994
GetWindowTextW.USER32(?,?,00000400), ref: 008649DA
_wcslen.LIBCMT ref: 008649EB
CharUpperBuffW.USER32(?,00000000), ref: 008649F7
_wcsstr.LIBVCRUNTIME ref: 00864A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00864A64
GetWindowTextW.USER32(?,?,00000400), ref: 00864A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00864AE6
GetClassNameW.USER32(?,?,00000400), ref: 00864B20
GetWindowRect.USER32(?,?), ref: 00864B8B

Strings

ThumbnailClass, xrefs: 00864A6F, 00864AF1

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: daf0bbf3c7e87736f8a0cced7e734e4a1887cd3737dac197017497c07b9101ff
Instruction ID: 8a0d7d8310b816bfb16798764ccefe87aa962b97ef45d08209e2bcaa453d8efa
Opcode Fuzzy Hash: daf0bbf3c7e87736f8a0cced7e734e4a1887cd3737dac197017497c07b9101ff
Instruction Fuzzy Hash: 6591DB31004209AFDB05DF54D881BAE7BE8FF84314F05946AFD85DA196EB30ED45CBA2

Function 0086BF30 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(008D1990,000000FF,00000000,00000030), ref: 0086BFAC
SetMenuItemInfoW.USER32(008D1990,00000004,00000000,00000030), ref: 0086BFE1
Sleep.KERNEL32(000001F4), ref: 0086BFF3
GetMenuItemCount.USER32(?), ref: 0086C039
GetMenuItemID.USER32(?,00000000), ref: 0086C056
GetMenuItemID.USER32(?,-00000001), ref: 0086C082
GetMenuItemID.USER32(?,?), ref: 0086C0C9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0086C10F
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0086C124
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0086C145

Strings

0, xrefs: 0086BF3D

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep
String ID: 0
API String ID: 1460738036-4108050209
Opcode ID: 9f63d43de07f5142514f0f987b7d96c7bcca9748e21af52bfad587820f035047
Instruction ID: c10266f42871e4dd2f392362a9c5e420a34c483e0467134b1204e1ecfe23ca39
Opcode Fuzzy Hash: 9f63d43de07f5142514f0f987b7d96c7bcca9748e21af52bfad587820f035047
Instruction Fuzzy Hash: C26180B090024AAFDF11DF68CD88ABEBBB8FB05348F064156E891E3291C735AD44CB61

Function 0088CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0088CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0088CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0088CD48

Part of subcall function 0088CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0088CCAA
Part of subcall function 0088CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0088CCBD
Part of subcall function 0088CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0088CCCF
Part of subcall function 0088CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0088CD05
Part of subcall function 0088CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0088CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 0088CCF3

Strings

RegDeleteKeyExW, xrefs: 0088CCC9
advapi32.dll, xrefs: 0088CCB8

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: a27e03964fc085116183840cf0e9d0f333f9fb5d8b051885d25965b41e9036e7
Instruction ID: cdf7434531aad7afc54b7d9dc884f9cf8f2eec9b57ea624612bb260de19bdc5e
Opcode Fuzzy Hash: a27e03964fc085116183840cf0e9d0f333f9fb5d8b051885d25965b41e9036e7
Instruction Fuzzy Hash: B5318C71A01129BBDB20AB65DC88EFFBB7CFF05740F040166B906E3244DA349A45DBB0

Function 00873D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00873D40
_wcslen.LIBCMT ref: 00873D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 00873D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00873DBE
RemoveDirectoryW.KERNEL32(?), ref: 00873DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00873E55
CloseHandle.KERNEL32(00000000), ref: 00873E60
CloseHandle.KERNEL32(00000000), ref: 00873E6B

Strings

\??\%s, xrefs: 00873D5B
:, xrefs: 00873D82
\, xrefs: 00873D77

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: 7e67fe8118dab5eafb8c7a19926ab50c97abd71c1d2ccdcaaebe0147342fe79d
Instruction ID: f4a5a1130ac0ac9737e9a8cbe087ea6e7237b9445e52c156aa05f30c17f12391
Opcode Fuzzy Hash: 7e67fe8118dab5eafb8c7a19926ab50c97abd71c1d2ccdcaaebe0147342fe79d
Instruction Fuzzy Hash: 2031C371904219ABDB209BA4DC49FEB3BBCFF88700F1040B6F509D2164E770D7849B25

Function 0086E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0086E6B4

Part of subcall function 0081E551: timeGetTime.WINMM(?,?,0086E6D4), ref: 0081E555

Sleep.KERNEL32(0000000A), ref: 0086E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 0086E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0086E727
SetActiveWindow.USER32 ref: 0086E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0086E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 0086E773
Sleep.KERNEL32(000000FA), ref: 0086E77E
IsWindow.USER32 ref: 0086E78A
EndDialog.USER32(00000000), ref: 0086E79B

Strings

BUTTON, xrefs: 0086E719

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: f381fa25aa7e49d5fa49b6dd9fee4e607e07a5794a1c6f9eee300d054baf313e
Instruction ID: be7a2b4f63e5e5bbf91693c193fc79bc814c7211f1b7135e42ce45b94071f2df
Opcode Fuzzy Hash: f381fa25aa7e49d5fa49b6dd9fee4e607e07a5794a1c6f9eee300d054baf313e
Instruction Fuzzy Hash: 7B218EB5201304AFEB12AFA4EC89E263B69FB74749F150526F412C22A1DB72AC04DB25

Function 0086E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00809CB3: _wcslen.LIBCMT ref: 00809CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0086EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0086EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0086EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0086EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0086EAA7

Strings

close PlayMe, xrefs: 0086EA6E, 0086EA9B
play PlayMe, xrefs: 0086EAA2
play PlayMe wait, xrefs: 0086EA91
open , xrefs: 0086EA0C
status PlayMe mode, xrefs: 0086EA58
alias PlayMe, xrefs: 0086EA36

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 1efced659e27eb22a0ed8fc3c145280a87b487fda84f8bc8a31ecce241ab66a0
Instruction ID: bc98eeebddf9f17df9ef17e4a38f9b36d8dfb0ab86da5cbf0f760f1347187295
Opcode Fuzzy Hash: 1efced659e27eb22a0ed8fc3c145280a87b487fda84f8bc8a31ecce241ab66a0
Instruction Fuzzy Hash: 55119135A9022979D720A7A9DD4AEFF6E7CFFD1B40F010439B411E21D1EE704918C6B1

Function 00869F91 Relevance: 18.2, APIs: 12, Instructions: 188keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 0086A012
SetKeyboardState.USER32(?), ref: 0086A07D
GetAsyncKeyState.USER32(000000A0), ref: 0086A09D
GetKeyState.USER32(000000A0), ref: 0086A0B4
GetAsyncKeyState.USER32(000000A1), ref: 0086A0E3
GetKeyState.USER32(000000A1), ref: 0086A0F4
GetAsyncKeyState.USER32(00000011), ref: 0086A120
GetKeyState.USER32(00000011), ref: 0086A12E
GetAsyncKeyState.USER32(00000012), ref: 0086A157
GetKeyState.USER32(00000012), ref: 0086A165
GetAsyncKeyState.USER32(0000005B), ref: 0086A18E
GetKeyState.USER32(0000005B), ref: 0086A19C

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 5405b47c2de83635591122fb18c7885483fcd457e40ad62a87c9c4fab1ed2d86
Instruction ID: a2c69d66cc8a35d67bfcae21a4e9fabd7116a3c2b752c5602a7586f1a93b258a
Opcode Fuzzy Hash: 5405b47c2de83635591122fb18c7885483fcd457e40ad62a87c9c4fab1ed2d86
Instruction Fuzzy Hash: E5519A2050478869FB39EB6484157EABFF5FF12340F0A4599D5C2E71C2DE64AA8CCB63

Function 00865CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00865CE2
GetWindowRect.USER32(00000000,?), ref: 00865CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00865D59
GetDlgItem.USER32(?,00000002), ref: 00865D69
GetWindowRect.USER32(00000000,?), ref: 00865D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00865DCF
GetDlgItem.USER32(?,000003E9), ref: 00865DDD
GetWindowRect.USER32(00000000,?), ref: 00865DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00865E31
GetDlgItem.USER32(?,000003EA), ref: 00865E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00865E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00865E67

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: aee5eb470addc3349e31cd167ddddf79025869cf2ad5f1dba05ac939d8ee9f2a
Instruction ID: fb4e82416321ef9660ee51c26e720ea376a1f7a8ef767cfb280978e9b11aa7cd
Opcode Fuzzy Hash: aee5eb470addc3349e31cd167ddddf79025869cf2ad5f1dba05ac939d8ee9f2a
Instruction Fuzzy Hash: DE511071B00609AFDF18DFA8DD89AAEBBB5FB48300F558129F516E7294D7719E00CB60

Function 00818BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00818F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00818BE8,?,00000000,?,?,?,?,00818BBA,00000000,?), ref: 00818FC5

DestroyWindow.USER32(?), ref: 00818C81
KillTimer.USER32(00000000,?,?,?,?,00818BBA,00000000,?), ref: 00818D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00856973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00818BBA,00000000,?), ref: 008569A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00818BBA,00000000,?), ref: 008569B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00818BBA,00000000), ref: 008569D4
DeleteObject.GDI32(00000000), ref: 008569E6

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 31a4e3609490fc0c72d8f7704c2d1b79a4d76e20d63c465b09adc6893c5f12b5
Instruction ID: 61e40edb31d935693f9dee9d88d327327dcfeda23eea4e02002f6e9d18dac12b
Opcode Fuzzy Hash: 31a4e3609490fc0c72d8f7704c2d1b79a4d76e20d63c465b09adc6893c5f12b5
Instruction Fuzzy Hash: 2961BD30502710EFCB229F18D95ABA5BBF5FF50316F94461AE442D7A60CB32A8D4CF90

Function 00819838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00819944: GetWindowLongW.USER32(?,000000EB), ref: 00819952

GetSysColor.USER32(0000000F), ref: 00819862

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 5f9f28e52310aff6cca298d8ffea0893d07b853599c1d446c5e2ddade3805be6
Instruction ID: 962ac01b70a5591d94b733506c064c4f0d3c79cf0b698f2c11a3d1cc4d1e1eaf
Opcode Fuzzy Hash: 5f9f28e52310aff6cca298d8ffea0893d07b853599c1d446c5e2ddade3805be6
Instruction Fuzzy Hash: 75417E31104644AFDB205F389C98BF93BA9FF06721F584666F9E2C71E1D7319881DB11

Function 008696E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0084F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00869717
LoadStringW.USER32(00000000,?,0084F7F8,00000001), ref: 00869720

Part of subcall function 00809CB3: _wcslen.LIBCMT ref: 00809CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0084F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00869742
LoadStringW.USER32(00000000,?,0084F7F8,00000001), ref: 00869745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00869866

Strings

^ ERROR, xrefs: 008697FB
Error: , xrefs: 0086981D
%s (%d) : ==> %s: %s %s, xrefs: 0086984A
Line %d:, xrefs: 008697A0
Line %d (File "%s"):, xrefs: 0086978F

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 66719500067c2e923c3e5c93de7c86e9f618689edeeadfe5a2b3017a768ccb3b
Instruction ID: 3f84481b77032437d5b013b53dff020bef4d6ace1806b3a6183643ff9b59c859
Opcode Fuzzy Hash: 66719500067c2e923c3e5c93de7c86e9f618689edeeadfe5a2b3017a768ccb3b
Instruction Fuzzy Hash: F9410972900219AACB04EBE8DD86EEE777CFF54340F510165F605E21D2EA356F58CB62

Function 008606DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00806B57: _wcslen.LIBCMT ref: 00806B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 008607A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 008607BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 008607DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00860804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 0086082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00860837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0086083C

Strings

\IPC$, xrefs: 00860784
SOFTWARE\Classes\, xrefs: 0086070E
\CLSID, xrefs: 00860724

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: f863daa5ab94d7123c0ba6b9722f909afd8931305a7ce07b0ad5b96c7c9991dd
Instruction ID: e766192cb50cfced823d018019a1e148552ac81756392e25f1c6c76cb78ce31f
Opcode Fuzzy Hash: f863daa5ab94d7123c0ba6b9722f909afd8931305a7ce07b0ad5b96c7c9991dd
Instruction Fuzzy Hash: FD410572D10229ABCF15EBA4DC95DEEB778FF04350F054169E911A32A1EB31AE44CFA1

Function 00893F98 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 0089403B
CreateCompatibleDC.GDI32(00000000), ref: 00894042
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00894055
SelectObject.GDI32(00000000,00000000), ref: 0089405D
GetPixel.GDI32(00000000,00000000,00000000), ref: 00894068
DeleteDC.GDI32(00000000), ref: 00894072
GetWindowLongW.USER32(?,000000EC), ref: 0089407C
SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 00894092
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 0089409E

Strings

static, xrefs: 00893FD3

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: c2e2a2bf57e9608c2fd6415498fa115ba8359b7aec3757560f05e6ebd07fd9dd
Instruction ID: 2c99bb34e04847f73256b691904e1c80eb54bc1458dbc432b3a0c1170d665c1d
Opcode Fuzzy Hash: c2e2a2bf57e9608c2fd6415498fa115ba8359b7aec3757560f05e6ebd07fd9dd
Instruction Fuzzy Hash: C9316E32501219BBDF22AFA8CC09FDA3B68FF0D324F190215FA55E61A0D776D821DB64

Function 00883C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00883C5C
CoInitialize.OLE32(00000000), ref: 00883C8A
CoUninitialize.OLE32 ref: 00883C94
_wcslen.LIBCMT ref: 00883D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00883DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00883ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00883F0E
CoGetObject.OLE32(?,00000000,0089FB98,?), ref: 00883F2D
SetErrorMode.KERNEL32(00000000), ref: 00883F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00883FC4
VariantClear.OLEAUT32(?), ref: 00883FD8

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 0582ef0520f5346e5f3b4b78c6a290e7073d9f87fc2db30175e554af05a91b3a
Instruction ID: e10bef801602453883773c1f85932649eb9f6f8adf4f5e5d13d8ab845641b510
Opcode Fuzzy Hash: 0582ef0520f5346e5f3b4b78c6a290e7073d9f87fc2db30175e554af05a91b3a
Instruction Fuzzy Hash: DFC125716082059FD700EF68C88492BB7E9FF89B48F14491DF98ADB251DB31EE45CB92

Function 00877A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00877AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00877B8F
SHGetDesktopFolder.SHELL32(?), ref: 00877BA3
CoCreateInstance.OLE32(0089FD08,00000000,00000001,008C6E6C,?), ref: 00877BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00877C74
CoTaskMemFree.OLE32(?,?), ref: 00877CCC
SHBrowseForFolderW.SHELL32(?), ref: 00877D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00877D7A
CoTaskMemFree.OLE32(00000000), ref: 00877D81
CoTaskMemFree.OLE32(00000000), ref: 00877DD6
CoUninitialize.OLE32 ref: 00877DDC

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 70d24c6830fa28ba3e2c69cd8fd664b9480d996ae7a362d8346d8fe7cc70c11a
Instruction ID: cf237ddbd52234ae8de119e68763d0e7f5d89cb84c9a382f748d812a00e20339
Opcode Fuzzy Hash: 70d24c6830fa28ba3e2c69cd8fd664b9480d996ae7a362d8346d8fe7cc70c11a
Instruction Fuzzy Hash: 1AC12C75A04109AFCB14DFA8C884DAEBBF9FF48314B1484A9E81ADB361D731ED41CB90

Function 0089541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00895504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00895515
CharNextW.USER32(00000158), ref: 00895544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00895585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0089559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 008955AC

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 7e93dd8822a6a2dc3aa3bbca6081a9b4ed2a89f7f8de3764e6fb10e2a2489f29
Instruction ID: f4f4992f5a705ce1d3a4f0d9f71c769f49899b8845a97a59ba78b5a5e6a39cb3
Opcode Fuzzy Hash: 7e93dd8822a6a2dc3aa3bbca6081a9b4ed2a89f7f8de3764e6fb10e2a2489f29
Instruction Fuzzy Hash: 9061AD71900608AFDF52AF94CC849FE7BB9FF09724F18414AF925EA291D7709A80DB61

Function 0085FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0085FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 0085FB08
VariantInit.OLEAUT32(?), ref: 0085FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 0085FB3A
VariantCopy.OLEAUT32(?,?), ref: 0085FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 0085FBA1
VariantClear.OLEAUT32(?), ref: 0085FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 0085FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0085FBCC
VariantClear.OLEAUT32(?), ref: 0085FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0085FBE9

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 3673c050aad7ea5ca9ad6d5be51c40df057e91fb89c4be8acb01c9c8d4bcb073
Instruction ID: d55dce378e0ac85aee8dcb28049858848f01711384b6726c04303a3a872745f2
Opcode Fuzzy Hash: 3673c050aad7ea5ca9ad6d5be51c40df057e91fb89c4be8acb01c9c8d4bcb073
Instruction Fuzzy Hash: EA415135A00219DFCF00EF68C8549ADBBB9FF08355F048065E945E7261CB31A945CFA2

Function 00869C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00869CA1
GetAsyncKeyState.USER32(000000A0), ref: 00869D22
GetKeyState.USER32(000000A0), ref: 00869D3D
GetAsyncKeyState.USER32(000000A1), ref: 00869D57
GetKeyState.USER32(000000A1), ref: 00869D6C
GetAsyncKeyState.USER32(00000011), ref: 00869D84
GetKeyState.USER32(00000011), ref: 00869D96
GetAsyncKeyState.USER32(00000012), ref: 00869DAE
GetKeyState.USER32(00000012), ref: 00869DC0
GetAsyncKeyState.USER32(0000005B), ref: 00869DD8
GetKeyState.USER32(0000005B), ref: 00869DEA

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 3e67a72017c15e12cad0fbbb6a618c39a5988eba3bf1962125fcec0523312be3
Instruction ID: 02ed41e6a983e8e43a2c0357c6023496fd6a629351c6989c65ff8f4101027038
Opcode Fuzzy Hash: 3e67a72017c15e12cad0fbbb6a618c39a5988eba3bf1962125fcec0523312be3
Instruction Fuzzy Hash: AF41B7345047C96DFF319764C8043B5BEA8FF11344F09806ADAC69A5C2EBF599D8C7A2

Function 0088055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 008805BC
inet_addr.WSOCK32(?), ref: 0088061C
gethostbyname.WSOCK32(?), ref: 00880628
IcmpCreateFile.IPHLPAPI ref: 00880636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 008806C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 008806E5
IcmpCloseHandle.IPHLPAPI(?), ref: 008807B9
WSACleanup.WSOCK32 ref: 008807BF

Strings

Ping, xrefs: 00880676

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 4ebefd0c5b23ae28da15c4747697759e6020da9d50f4d5d054ad40ac551efef1
Instruction ID: 145df43871166680f0289ca09d82e458d3068df03a4151b0d0958419a70d9ecf
Opcode Fuzzy Hash: 4ebefd0c5b23ae28da15c4747697759e6020da9d50f4d5d054ad40ac551efef1
Instruction Fuzzy Hash: 66918E356082419FD760EF19C889F1ABBE0FF44318F1485A9E469DB6A2C731ED49CF92

Function 00888CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00888CF3

Part of subcall function 00868E54: _wcslen.LIBCMT ref: 00868E77

_wcslen.LIBCMT ref: 00888D4E
_wcslen.LIBCMT ref: 00888D9C
_wcslen.LIBCMT ref: 00888DDC
_wcslen.LIBCMT ref: 00888E6E

Strings

cdecl, xrefs: 00888D48, 00888D4D
stdcall, xrefs: 00888DD6, 00888DDB
winapi, xrefs: 00888D96, 00888D9B
none, xrefs: 00888E65, 00888E6A

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: eb9965c6040dbc43f0dcd909aab79eeb3544a19e9b9198b9f975739004ab02e6
Instruction ID: 6f8483cc69a837b607caf3ee14e41bd4ca6676169c253d2f49be98d7a1235177
Opcode Fuzzy Hash: eb9965c6040dbc43f0dcd909aab79eeb3544a19e9b9198b9f975739004ab02e6
Instruction Fuzzy Hash: 31518131A00116DBCB24EF6CC9409BEB7A5FF64724BA14229E966E72C5DB31DD40CB91

Function 0088372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00883774
CoUninitialize.OLE32 ref: 0088377F
CoCreateInstance.OLE32(?,00000000,00000017,0089FB78,?), ref: 008837D9
IIDFromString.OLE32(?,?), ref: 0088384C
VariantInit.OLEAUT32(?), ref: 008838E4
VariantClear.OLEAUT32(?), ref: 00883936

Strings

Failed to create object, xrefs: 008837E4, 0088389A
NULL Pointer assignment, xrefs: 0088381E
Invalid parameter, xrefs: 00883865

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: f418b14c7791e36037675f468bae72a057535dda43c3a3f1eaf79383548049ab
Instruction ID: bf46520f5b95032321bb65ff2601aed9a45354c0b44d775f2bf7ec833df7f2d3
Opcode Fuzzy Hash: f418b14c7791e36037675f468bae72a057535dda43c3a3f1eaf79383548049ab
Instruction Fuzzy Hash: 99617C71608301AFD710EF58C849B6ABBE8FF49B14F144829F995DB291D770EE48CB92

Function 00873388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 008733CF

Part of subcall function 00809CB3: _wcslen.LIBCMT ref: 00809CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 008733F0

Strings

^ ERROR , xrefs: 0087349E
"%s" (%d) : ==> %s:%s%s, xrefs: 00873504
Incorrect parameters to object property !, xrefs: 008734AB
"%s" (%d) : ==> %s:, xrefs: 00873522
Error: , xrefs: 008734D1
Line %d (File "%s"):, xrefs: 00873443, 0087345C

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: bb835a74aa2adf825ed4439ca6ecca14a89b5048fa161380b641138b9eb1d835
Instruction ID: 09ba2dc2a4639e669dc9b494c345ca8c6c947a539948340fa8e199e75716cd35
Opcode Fuzzy Hash: bb835a74aa2adf825ed4439ca6ecca14a89b5048fa161380b641138b9eb1d835
Instruction Fuzzy Hash: A351AF71900209AADF18EBA4DD46EEEB778FF14300F108165F109F2292EB356F58DB62

Function 0086B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 0086B5FC
_wcslen.LIBCMT ref: 0086B608
_wcslen.LIBCMT ref: 0086B64D
_wcslen.LIBCMT ref: 0086B68C
_wcslen.LIBCMT ref: 0086B6C7

Strings

APPEND, xrefs: 0086B6C1, 0086B6C6
EXISTS, xrefs: 0086B686, 0086B68B
KEYS, xrefs: 0086B647, 0086B64C
REMOVE, xrefs: 0086B602, 0086B607

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: d73f30ce564a981fa2439c62de2e519b83354092686177a9064b332fd5400a0c
Instruction ID: 08cddf615982cb60e999a5bac452331b241ad6ea205d6df057182affb6666267
Opcode Fuzzy Hash: d73f30ce564a981fa2439c62de2e519b83354092686177a9064b332fd5400a0c
Instruction Fuzzy Hash: 6B41A332A011269BCB206F7DC9905BE77A5FBB076CB264629E561DB284F731CDC1C7A0

Function 00875393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 008753A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00875416
GetLastError.KERNEL32 ref: 00875420
SetErrorMode.KERNEL32(00000000,READY), ref: 008754A7

Strings

READY, xrefs: 00875460, 00875468
NOTREADY, xrefs: 0087544B
READONLY, xrefs: 00875452
INVALID, xrefs: 00875459
UNKNOWN, xrefs: 00875444

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 2cc5e6f8e4949ad89858f40613a12bc6bdfa1d81128f7f7ecb81b187b8d0ea05
Instruction ID: 3be4ff5804ebed2b6df35b22aed711dbc78b8e7ddb8c368f8eec8ccba7629c3f
Opcode Fuzzy Hash: 2cc5e6f8e4949ad89858f40613a12bc6bdfa1d81128f7f7ecb81b187b8d0ea05
Instruction Fuzzy Hash: 8231D6B5A005049FD710DF68C884FAA7BB4FF45305F14C069E50ADB296DBB1DD86CB91

Function 00893C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00893C79
SetMenu.USER32(?,00000000), ref: 00893C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00893D10
IsMenu.USER32(?), ref: 00893D24
CreatePopupMenu.USER32 ref: 00893D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00893D5B
DrawMenuBar.USER32 ref: 00893D63

Strings

0, xrefs: 00893C54
F, xrefs: 00893D4E

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 31e7e8ff9b28b249ccf9e0c3dd58e680572c2149bbadc6446071179f713a0cb4
Instruction ID: d82987c6912c6eae33361f07a9f7fd3323c33fabe59565114832bdad169d94df
Opcode Fuzzy Hash: 31e7e8ff9b28b249ccf9e0c3dd58e680572c2149bbadc6446071179f713a0cb4
Instruction Fuzzy Hash: 30415CB5A01209EFDF14EFA4D854AAA7BB5FF49354F180029F946E7360D731AA10CF94

Function 00861EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00809CB3: _wcslen.LIBCMT ref: 00809CBD

Part of subcall function 00863CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00863CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00861F64
GetDlgCtrlID.USER32 ref: 00861F6F
GetParent.USER32 ref: 00861F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 00861F8E
GetDlgCtrlID.USER32(?), ref: 00861F97
GetParent.USER32(?), ref: 00861FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 00861FAE

Strings

ListBox, xrefs: 00861F21
ComboBox, xrefs: 00861EEC

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: c849ae0f9cbf9a83cfe44c1880b6156930e6e83f2e1ab4335d4a8ac86dea04b3
Instruction ID: b108d3d49b294910b4145ccc95e5e40c1c0d71ef52483c254fceb8b89a961147
Opcode Fuzzy Hash: c849ae0f9cbf9a83cfe44c1880b6156930e6e83f2e1ab4335d4a8ac86dea04b3
Instruction Fuzzy Hash: 3621B071A00214BBCF05AFA4DC85EEEBBB9FF15310F04411AF961A72E2DB3559149B60

Function 00861FC0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00809CB3: _wcslen.LIBCMT ref: 00809CBD

Part of subcall function 00863CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00863CCA

SendMessageW.USER32(?,00000186,00020000,00000000), ref: 00862043
GetDlgCtrlID.USER32 ref: 0086204E
GetParent.USER32 ref: 0086206A
SendMessageW.USER32(00000000,?,00000111,?), ref: 0086206D
GetDlgCtrlID.USER32(?), ref: 00862076
GetParent.USER32(?), ref: 0086208A
SendMessageW.USER32(00000000,?,00000111,?), ref: 0086208D

Strings

ListBox, xrefs: 00862002
ComboBox, xrefs: 00861FCD

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: c07cf94ac5ce742bc194ff408f09d1e5b65c4f560a963a0d78fa68240ec8073b
Instruction ID: 283e2ada69a3a912e87a56dc40c49ed402c8f39f9f4b6314836dfede11f55153
Opcode Fuzzy Hash: c07cf94ac5ce742bc194ff408f09d1e5b65c4f560a963a0d78fa68240ec8073b
Instruction Fuzzy Hash: 4521CFB5D00618BBDF11AFA4CC85EEEBBB8FF15300F00405AF991E72A1DA799914DB61

Function 00893A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00893A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00893AA0
GetWindowLongW.USER32(?,000000F0), ref: 00893AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00893AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00893B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00893BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00893BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00893BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00893BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00893C13

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: db56c8c6e6f5640030b829e5b493836f55f3b27a34015731b8279e7d8109bd3f
Instruction ID: 66cff08b8da7b130112039fc51226da382761306c221dd161537cd14b9e6d36d
Opcode Fuzzy Hash: db56c8c6e6f5640030b829e5b493836f55f3b27a34015731b8279e7d8109bd3f
Instruction Fuzzy Hash: AE615975A00208AFDF11EFA8CC85EEE77B8FB09714F14015AFA15E7291C770AA41DB50

Function 0086B12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0086B151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,0086A1E1,?,00000001), ref: 0086B165
GetWindowThreadProcessId.USER32(00000000), ref: 0086B16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0086A1E1,?,00000001), ref: 0086B17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 0086B18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,0086A1E1,?,00000001), ref: 0086B1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0086A1E1,?,00000001), ref: 0086B1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,0086A1E1,?,00000001), ref: 0086B1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,0086A1E1,?,00000001), ref: 0086B212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,0086A1E1,?,00000001), ref: 0086B21D

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 684e269402f564a93d13b23548d149f49f191a815bd3dcda8fff00ad4e1aa6cc
Instruction ID: f4123b4a938ef94cca7ba4a1bb5d05d415ae3b65078a51f874266553f2bae5f8
Opcode Fuzzy Hash: 684e269402f564a93d13b23548d149f49f191a815bd3dcda8fff00ad4e1aa6cc
Instruction Fuzzy Hash: CE310CB1100604BFDB21AF64DC58FAE7BA9FB21319F16811AFA01C7290C7B49E808F61

Function 00832C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00832C94

Part of subcall function 008329C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0083D7D1,00000000,00000000,00000000,00000000,?,0083D7F8,00000000,00000007,00000000,?,0083DBF5,00000000), ref: 008329DE
Part of subcall function 008329C8: GetLastError.KERNEL32(00000000,?,0083D7D1,00000000,00000000,00000000,00000000,?,0083D7F8,00000000,00000007,00000000,?,0083DBF5,00000000,00000000), ref: 008329F0

_free.LIBCMT ref: 00832CA0
_free.LIBCMT ref: 00832CAB
_free.LIBCMT ref: 00832CB6
_free.LIBCMT ref: 00832CC1
_free.LIBCMT ref: 00832CCC
_free.LIBCMT ref: 00832CD7
_free.LIBCMT ref: 00832CE2
_free.LIBCMT ref: 00832CED
_free.LIBCMT ref: 00832CFB

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 2ddcdacff297c21c0991bf2df1bc4abde4b7ce9a973aa6ddd4197811a19849b8
Instruction ID: 578eec8e57db728801001a0ce3238b61a8020137d868235cb6a4087347bd14ea
Opcode Fuzzy Hash: 2ddcdacff297c21c0991bf2df1bc4abde4b7ce9a973aa6ddd4197811a19849b8
Instruction Fuzzy Hash: E911A476100118AFCB02EF98E882EDD7FA5FF45350F4144A5FA489F222DA31EE509B91

Function 00877DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00877FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00877FC1
GetFileAttributesW.KERNEL32(?), ref: 00877FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 00878005
SetCurrentDirectoryW.KERNEL32(?), ref: 00878017
SetCurrentDirectoryW.KERNEL32(?), ref: 00878060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 008780B0

Strings

*.*, xrefs: 00878066

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: 8195c6c8cbac6e145dc9c63e4acd26db881d3e51a57dacc5732bb67af2cbbe4e
Instruction ID: c4cb97151753ed971ee2c73eb3a6c0323cb5691073b1d86027e4caaead17ba6e
Opcode Fuzzy Hash: 8195c6c8cbac6e145dc9c63e4acd26db881d3e51a57dacc5732bb67af2cbbe4e
Instruction Fuzzy Hash: E481A0725082459BDB20EF18C8449AEB3E8FF88714F148C6EF889C7264EB75DD45CB92

Function 00805BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00805C7A

Part of subcall function 00805D0A: GetClientRect.USER32(?,?), ref: 00805D30
Part of subcall function 00805D0A: GetWindowRect.USER32(?,?), ref: 00805D71
Part of subcall function 00805D0A: ScreenToClient.USER32(?,?), ref: 00805D99

GetDC.USER32 ref: 008446F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00844708
SelectObject.GDI32(00000000,00000000), ref: 00844716
SelectObject.GDI32(00000000,00000000), ref: 0084472B
ReleaseDC.USER32(?,00000000), ref: 00844733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 008447C4

Strings

U, xrefs: 00844693

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 2f46444dfa9aea2ca13ed0b71cf584eac0cfb8b43b66589dd084fcd0ab844d4f
Instruction ID: 65826155bfccca95a80c055a7bf3da74fc05ced8edd7585dd5a3f9f419381ac6
Opcode Fuzzy Hash: 2f46444dfa9aea2ca13ed0b71cf584eac0cfb8b43b66589dd084fcd0ab844d4f
Instruction Fuzzy Hash: AB71013140020DEFDF218F64CD84BBA7BB1FF5A324F28122AE955DA1A6C7319842DF60

Function 0087359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 008735E4

Part of subcall function 00809CB3: _wcslen.LIBCMT ref: 00809CBD

LoadStringW.USER32(008D2390,?,00000FFF,?), ref: 0087360A

Strings

^ ERROR, xrefs: 008736C9
"%s" (%d) : ==> %s:%s%s, xrefs: 00873724
"%s" (%d) : ==> %s:, xrefs: 00873742
Error: , xrefs: 008736EF
Line %d (File "%s"):, xrefs: 0087366B

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 1764b57ccce669c5034efd9d00fa618c463d6e93c2ae1a891cc0c32b8c5dc576
Instruction ID: abf7c67af052f36bbff58c618b3a0d473cd4a7dca7d1087bd11b1413a25efa1c
Opcode Fuzzy Hash: 1764b57ccce669c5034efd9d00fa618c463d6e93c2ae1a891cc0c32b8c5dc576
Instruction Fuzzy Hash: 5B516E71900209BADF18EBA4DC42EEEBB78FF14350F044125F115B22A2EB355B99DF62

Function 0087C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0087C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0087C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0087C2CA
GetLastError.KERNEL32 ref: 0087C322
SetEvent.KERNEL32(?), ref: 0087C336
InternetCloseHandle.WININET(00000000), ref: 0087C341

Strings

, xrefs: 0087C2BB

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 8647243a095e568d73eaf8738ddea1a5c3bd821856aba4f90f9180b77c975bbd
Instruction ID: 9def2bcb9e9dcd44b7cf5a439fc0fbcdd8e56621eb761a03e2126e16e3350879
Opcode Fuzzy Hash: 8647243a095e568d73eaf8738ddea1a5c3bd821856aba4f90f9180b77c975bbd
Instruction Fuzzy Hash: DC3169B1600608AFD721AFA88888AAB7AFCFB49744B14851EF44AD3205DB35DD449B61

Function 0086989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00843AAF,?,?,Bad directive syntax error,0089CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 008698BC
LoadStringW.USER32(00000000,?,00843AAF,?), ref: 008698C3

Part of subcall function 00809CB3: _wcslen.LIBCMT ref: 00809CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00869987

Strings

., xrefs: 0086996D
Error: , xrefs: 00869955
%s (%d) : ==> %s.: %s %s, xrefs: 008698F1
Line %d:, xrefs: 00869912
Line %d (File "%s"):, xrefs: 0086992D

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 3f00e634b350ae87f48d0e3c9bdf44d3e455ec3f1999ccbe284c21515f6d06c2
Instruction ID: f7703db06ddc2df83f0166c6c8854584fa06eb87e8f12038efd398a1b77b8bbb
Opcode Fuzzy Hash: 3f00e634b350ae87f48d0e3c9bdf44d3e455ec3f1999ccbe284c21515f6d06c2
Instruction Fuzzy Hash: C3218D31C0021EABCF15AF94CC46EEE7B39FF18304F04446AF515A21E2EB35A668DB12

Function 0086209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 008620AB
GetClassNameW.USER32(00000000,?,00000100), ref: 008620C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0086214D

Strings

SHELLDLL_DefView, xrefs: 008620CC
smallicons, xrefs: 00862115
details, xrefs: 008620FB
list, xrefs: 0086212F
largeicons, xrefs: 008620E1

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: df2e56132a7151b50586f0938fd6b27a36c782cf53fd9cb4e577adc0beab3445
Instruction ID: 35d18d31b9d5175eff182cf2a4f75fb38ce1805d8bdb342f1d5614a298570077
Opcode Fuzzy Hash: df2e56132a7151b50586f0938fd6b27a36c782cf53fd9cb4e577adc0beab3445
Instruction Fuzzy Hash: 8E11367628CB16BAFA026224EC07DA637ACFB16324B21005BFB05E40D1FF75BC825625

Function 00838D45 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 095612cce7fd5acbfc83ee4f442d20e7850ef545e719e9c0fa05b774d7fa6c0d
Instruction ID: 089ec403e10b939a8d811530cdfda49905779930292bd9b5fe5861e884360306
Opcode Fuzzy Hash: 095612cce7fd5acbfc83ee4f442d20e7850ef545e719e9c0fa05b774d7fa6c0d
Instruction Fuzzy Hash: D7C1CE74904249EFCB159FA8D851BADBBB0FF89310F144199F954E7392CBB48941CFA1

Function 0083CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 0083CEB7
_free.LIBCMT ref: 0083CF22
_free.LIBCMT ref: 0083CF48
_free.LIBCMT ref: 0083CF71
_free.LIBCMT ref: 0083CFA9
_free.LIBCMT ref: 0083CFDA
_free.LIBCMT ref: 0083D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0083D09C
_free.LIBCMT ref: 0083D0B5

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 859de36988c813d8e2150b22bbbcca5990a2cd2ce76e76ffe337987ca05925c4
Instruction ID: 7945275539c7a7f9525b61efe6a44fa1da27ad5009ca12e7aebd403be5002791
Opcode Fuzzy Hash: 859de36988c813d8e2150b22bbbcca5990a2cd2ce76e76ffe337987ca05925c4
Instruction Fuzzy Hash: B5614771905314AFDF25AFB8A891B697BA5FF85320F14426EF900E7242DB729D01CBD1

Function 008950D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00895186
ShowWindow.USER32(?,00000000), ref: 008951C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 008951CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 008951D1

Part of subcall function 00896FBA: DeleteObject.GDI32(00000000), ref: 00896FE6

GetWindowLongW.USER32(?,000000F0), ref: 0089520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0089521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0089524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00895287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00895296

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: 93e332d395221076d1fc6d1c424c4ca1f9a3414bcee29d3f2d075c10a6b7412d
Instruction ID: 9abb3a6ef452edc06becba10be940642fea7456d199e1ee8b19efd909c86fa5a
Opcode Fuzzy Hash: 93e332d395221076d1fc6d1c424c4ca1f9a3414bcee29d3f2d075c10a6b7412d
Instruction Fuzzy Hash: 76519C30A40A08BEEF26BFA8CC4ABD83B65FF05325F1C4112F625D62E0C775A980DB41

Function 00818B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00856890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 008568A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 008568B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 008568D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 008568F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00818874,00000000,00000000,00000000,000000FF,00000000), ref: 00856901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0085691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00818874,00000000,00000000,00000000,000000FF,00000000), ref: 0085692D

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 7eaad53494bfa713475de0a298eedd6d6cbaff7d1baa4cab83f4f04afdf4024b
Instruction ID: 4b4b77dfe9353d0fdc19182cc092bb40521c4ca7784abb7b815763ddedea1aa2
Opcode Fuzzy Hash: 7eaad53494bfa713475de0a298eedd6d6cbaff7d1baa4cab83f4f04afdf4024b
Instruction Fuzzy Hash: 1B519AB0600209EFDB20DF24CC56BAA7BB9FF58361F144529F946D72A0EB71E990DB50

Function 0087C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0087C182
GetLastError.KERNEL32 ref: 0087C195
SetEvent.KERNEL32(?), ref: 0087C1A9

Part of subcall function 0087C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0087C272
Part of subcall function 0087C253: GetLastError.KERNEL32 ref: 0087C322
Part of subcall function 0087C253: SetEvent.KERNEL32(?), ref: 0087C336
Part of subcall function 0087C253: InternetCloseHandle.WININET(00000000), ref: 0087C341

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 1638f16c5e8f0c0bb544cca7d3e72b79aadde25772a61ea083875b0af1ee0413
Instruction ID: f9b62e26ab18d24a07ee02da8f27571a3abac4f392cd4194c2801add0de91d06
Opcode Fuzzy Hash: 1638f16c5e8f0c0bb544cca7d3e72b79aadde25772a61ea083875b0af1ee0413
Instruction Fuzzy Hash: 55318A71200605BFDB21AFE9DC44A66BBF8FF58300B54842EF95AC3615DB31E914ABA0

Function 008625A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00863A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00863A57
Part of subcall function 00863A3D: GetCurrentThreadId.KERNEL32 ref: 00863A5E
Part of subcall function 00863A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,008625B3), ref: 00863A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 008625BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 008625DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 008625DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 008625E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00862601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00862605
MapVirtualKeyW.USER32(00000025,00000000), ref: 0086260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00862623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00862627

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 3cced76816cb34a6685691d6b276b51bdccd601585d9d8e793963c6f3cd3d4b7
Instruction ID: 6db04ae1d115cdcc7e2eaaae560367e4cfed5e2387763b46e86568c915200b29
Opcode Fuzzy Hash: 3cced76816cb34a6685691d6b276b51bdccd601585d9d8e793963c6f3cd3d4b7
Instruction Fuzzy Hash: B101B130290624BBFB2077699C8AF593E59EF5AB52F110016F318EE0D1C9E22444DA6A

Function 00861803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00861449,?,?,00000000), ref: 0086180C
HeapAlloc.KERNEL32(00000000,?,00861449,?,?,00000000), ref: 00861813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00861449,?,?,00000000), ref: 00861828
GetCurrentProcess.KERNEL32(?,00000000,?,00861449,?,?,00000000), ref: 00861830
DuplicateHandle.KERNEL32(00000000,?,00861449,?,?,00000000), ref: 00861833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00861449,?,?,00000000), ref: 00861843
GetCurrentProcess.KERNEL32(00861449,00000000,?,00861449,?,?,00000000), ref: 0086184B
DuplicateHandle.KERNEL32(00000000,?,00861449,?,?,00000000), ref: 0086184E
CreateThread.KERNEL32(00000000,00000000,00861874,00000000,00000000,00000000), ref: 00861868

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 700a694ae6bcc04c229f7d1e48694a5d73425e120a3029017a3c8afe9d02da43
Instruction ID: 817635f20a3ae0e27f905fe9da83cf7abb913ff5778ccc887d31fece8066bf08
Opcode Fuzzy Hash: 700a694ae6bcc04c229f7d1e48694a5d73425e120a3029017a3c8afe9d02da43
Instruction Fuzzy Hash: 0501BF75240304BFE710AB65DD4DF5B7B6CFB89B11F454411FA05DB2A1C6759800CB34

Function 0088A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 0086D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0086D501
Part of subcall function 0086D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0086D50F
Part of subcall function 0086D4DC: CloseHandle.KERNELBASE(00000000), ref: 0086D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0088A16D
GetLastError.KERNEL32 ref: 0088A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0088A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 0088A268
GetLastError.KERNEL32(00000000), ref: 0088A273
CloseHandle.KERNEL32(00000000), ref: 0088A2C4

Strings

SeDebugPrivilege, xrefs: 0088A18F

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 7f73fcb437763006ab2526bbd0b2c03af47e20419e3a0372fce9ddd0b7a5ca6f
Instruction ID: 5c0a1456a306d8d6ed66a229aade52e8166c78c9765d9ffd4788a5406e6a2a39
Opcode Fuzzy Hash: 7f73fcb437763006ab2526bbd0b2c03af47e20419e3a0372fce9ddd0b7a5ca6f
Instruction Fuzzy Hash: 276159742042429FE724EF18C894F15BBA5FF44318F19849DE4668B7E2CBB6EC45CB92

Function 00893886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00893925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 0089393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00893954
_wcslen.LIBCMT ref: 00893999
SendMessageW.USER32(?,00001057,00000000,?), ref: 008939C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 008939F4

Strings

SysListView32, xrefs: 008938F7

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: 47f7a02c9ce652240467d7f6b7ec6410cfd3c4e8afba7f2415bafd9a921dfc52
Instruction ID: 112369888489635cf60522c3719b85e826b30b01f70603173ac0eb3a60955e46
Opcode Fuzzy Hash: 47f7a02c9ce652240467d7f6b7ec6410cfd3c4e8afba7f2415bafd9a921dfc52
Instruction Fuzzy Hash: 8841B471A00219ABEF21AF64CC49FEA7BA9FF08354F14052AF958E7281D775DD80CB90

Function 0086BC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0086BCFD
IsMenu.USER32(00000000), ref: 0086BD1D
CreatePopupMenu.USER32 ref: 0086BD53
GetMenuItemCount.USER32(0163DEC8), ref: 0086BDA4
InsertMenuItemW.USER32(0163DEC8,?,00000001,00000030), ref: 0086BDCC

Strings

0, xrefs: 0086BCA8
2, xrefs: 0086BD37

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: e103ea81140151d430cc14097fa135d333f865343dc78d3181739f1c9c0878e5
Instruction ID: 2a8f30341b2a4910e02db2a548b9e37fc9d869b953e132bcaa51e4956cc5d060
Opcode Fuzzy Hash: e103ea81140151d430cc14097fa135d333f865343dc78d3181739f1c9c0878e5
Instruction Fuzzy Hash: F351BF70A00209ABDF20DFA8D884BAEBBF8FF4535CF15421AE441DF291D7719981CB62

Function 0086C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 0086C913

Strings

blank, xrefs: 0086C895
warning, xrefs: 0086C8FC
stop, xrefs: 0086C8E4
info, xrefs: 0086C8B4
question, xrefs: 0086C8CC

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 63e1d1580cdadc6abeea362ceff8570889fd9e8527310bd01c8d1f7984072774
Instruction ID: c31e9bd273178ddfa769d66af7d2f0feefae2eac77b5bc15c55d2fd2e0ec18a8
Opcode Fuzzy Hash: 63e1d1580cdadc6abeea362ceff8570889fd9e8527310bd01c8d1f7984072774
Instruction Fuzzy Hash: 38113D3168931ABAE704AB54AC83DBA2BACFF15358B11003FF544E6382E7749D405275

Function 0086DE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 0086DE42
gethostname.WSOCK32(?,00000100), ref: 0086DE5C
gethostbyname.WSOCK32(?), ref: 0086DE69
inet_ntoa.WSOCK32(?), ref: 0086DEAB
_strcat.LIBCMT ref: 0086DEB9
WSACleanup.WSOCK32 ref: 0086DEDE

Strings

0.0.0.0, xrefs: 0086DE87

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: ce9adb08038c5abec50a18b889f918d8f0b9ba5fc3cae5e2dd24e34133a972ce
Instruction ID: c031fd0ad0730fd2a66e9a8f25caedb7c67e56582058cc8e11ec0eacd5784bc8
Opcode Fuzzy Hash: ce9adb08038c5abec50a18b889f918d8f0b9ba5fc3cae5e2dd24e34133a972ce
Instruction Fuzzy Hash: E411DD71A04218AFCB207B64AC4ADDE776CFF11715F05017AF545EA091EF768AC18A61

Function 00899F86 Relevance: 12.3, APIs: 8, Instructions: 260windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00819BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00819BB2

GetSystemMetrics.USER32(0000000F), ref: 00899FC7
GetSystemMetrics.USER32(0000000F), ref: 00899FE7
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0089A224
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0089A242
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0089A263
ShowWindow.USER32(00000003,00000000), ref: 0089A282
InvalidateRect.USER32(?,00000000,00000001), ref: 0089A2A7
DefDlgProcW.USER32(?,00000005,?,?), ref: 0089A2CA

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: 3abe82017bfacb2af412bbddeae22465a918e6ed91d5b3b46ad303ac581b057b
Instruction ID: fb257e68ee98c8598ac4023819624dd3e7bf4a325d8dfae2adc620862413c9c5
Opcode Fuzzy Hash: 3abe82017bfacb2af412bbddeae22465a918e6ed91d5b3b46ad303ac581b057b
Instruction Fuzzy Hash: 44B16B31600219EFDF18DFA8C9857AE7BB2FF44711F198069EC85DB295D731A940CB91

Function 0086ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0086ED2A
_wcslen.LIBCMT ref: 0086ED3B
_wcslen.LIBCMT ref: 0086ED79
_wcslen.LIBCMT ref: 0086EDAF
_wcslen.LIBCMT ref: 0086EDDF
_wcslen.LIBCMT ref: 0086EDEF
_wcslen.LIBCMT ref: 0086EE2B
_wcslen.LIBCMT ref: 0086EE5A

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 8c026e059709ee20ac8578d7aef2296a90aee1785184dec2c4477e3050b266c2
Instruction ID: 54dd2d2a6e23afbe6df2c52551b6c9fb8f4544db1441cba58cda15fafb79a680
Opcode Fuzzy Hash: 8c026e059709ee20ac8578d7aef2296a90aee1785184dec2c4477e3050b266c2
Instruction Fuzzy Hash: C8418365C10228B6CB11EBF8DC8A9CFB7A8FF45710F518562E518E3121FB74E295C3A6

Function 0081F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0085682C,00000004,00000000,00000000), ref: 0081F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,0085682C,00000004,00000000,00000000), ref: 0085F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0085682C,00000004,00000000,00000000), ref: 0085F454

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 283e381758c8c332a512bb0c502ec863bed347963c7a01a49e744455bd45d9a3
Instruction ID: 1a69b14d911935cb0bc696e7b9e49511a78f840a55f3974e4c67318c633dc07a
Opcode Fuzzy Hash: 283e381758c8c332a512bb0c502ec863bed347963c7a01a49e744455bd45d9a3
Instruction Fuzzy Hash: 43416C30208244BAC734BB2C98887EA7F99FF46324F58413DE747D2663C63298C5CB11

Function 00892D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00892D1B
GetDC.USER32(00000000), ref: 00892D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00892D2E
ReleaseDC.USER32(00000000,00000000), ref: 00892D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00892D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00892D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00895A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00892DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00892DE1

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 003810129dfe60ea383d1c26b52db7d0a7c783d0057ef65fa8fb3d7381b991c0
Instruction ID: 7d9dfc4aa611e95b99c0f2d675a5049682ef23fccef1736ba0a6945a4346ba5c
Opcode Fuzzy Hash: 003810129dfe60ea383d1c26b52db7d0a7c783d0057ef65fa8fb3d7381b991c0
Instruction Fuzzy Hash: F3316972201614BBEF219F548C8AFEB3BA9FB19755F084056FE08DA291C6769C50CBA4

Function 00865622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00865637
_memcmp.LIBVCRUNTIME ref: 00865659
_memcmp.LIBVCRUNTIME ref: 00865671
_memcmp.LIBVCRUNTIME ref: 00865684
_memcmp.LIBVCRUNTIME ref: 0086569E
_memcmp.LIBVCRUNTIME ref: 008656B1
_memcmp.LIBVCRUNTIME ref: 008656C9
_memcmp.LIBVCRUNTIME ref: 008656E4

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: a13bb90f66eec9fcce9bccd91999b94cd093b4bf73954d12e0bce5b389338c99
Instruction ID: f27ac3313d45467e3c69597f4f4f3164245102ad03bd28854c4ce351b6569a5d
Opcode Fuzzy Hash: a13bb90f66eec9fcce9bccd91999b94cd093b4bf73954d12e0bce5b389338c99
Instruction Fuzzy Hash: AA21C961640A297BDA18A524DD86FFA335DFF30398F594020FE05DA782F728ED60C5A6

Function 00884FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 0088502E, 00885383
Not an Object type, xrefs: 00885007

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 420c39c6e5416c1fb8390eb9b445e251f6043cc29a9beee41efb0a69495df0f5
Instruction ID: 18736f8b04d0049b5ed10a73665d6249598047154eaca2960aba1f0b10b41031
Opcode Fuzzy Hash: 420c39c6e5416c1fb8390eb9b445e251f6043cc29a9beee41efb0a69495df0f5
Instruction Fuzzy Hash: 6ED1B075A0060AAFDF10EFA8C885BAEB7B5FF48344F148069E915EB281E771DD45CB90

Function 00841522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?), ref: 008415CE
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00841651
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 008416E4
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 008416FB

Part of subcall function 00833820: RtlAllocateHeap.NTDLL(00000000,?,008D1444,?,0081FDF5,?,?,0080A976,00000010,008D1440,008013FC,?,008013C6,?,00801129), ref: 00833852

MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00841777
__freea.LIBCMT ref: 008417A2
__freea.LIBCMT ref: 008417AE

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: aadd91692584c8a73bbd55f9bf0a9259a1e4859f45aaed2bf90132d39f5cbd22
Instruction ID: 11bcec3680ca54b8c8b248df8dd9bb78a7727494a0a63b2665a0c41c32b8885c
Opcode Fuzzy Hash: aadd91692584c8a73bbd55f9bf0a9259a1e4859f45aaed2bf90132d39f5cbd22
Instruction Fuzzy Hash: E691C271F0021E9ADF208E64C889AEEBBB5FF59754F194659E805E7141EB35CC80CBA0

Function 00884523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00884648
VariantInit.OLEAUT32(?), ref: 00884749
VariantClear.OLEAUT32(?), ref: 00884753
VariantClear.OLEAUT32(?), ref: 008847B0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 0088472C
Null Object assignment in FOR..IN loop, xrefs: 008845D8, 00884706, 008847BE

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 9fce553bf83090e4419e1032d703fd40e70aedee77779654784f6c11bad85497
Instruction ID: c2da330c5bdd0835c05017d3f7bb2abbbc39b9c19aa6fbd97d2b08500f2a1dd8
Opcode Fuzzy Hash: 9fce553bf83090e4419e1032d703fd40e70aedee77779654784f6c11bad85497
Instruction Fuzzy Hash: 8B917E72A0021AABDF20EFA4C844FAEBBB8FF46714F108559F515EB281D7709945CFA0

Function 00871187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 0087125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00871284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 008712A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 008712D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 0087135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 008713C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00871430

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 29ecba558c39f65b56dd99abaa49a5c26291665dc2503d53869bcf96de5ad8a1
Instruction ID: 06ccb901f9d0c3aed5d5e3fed4c611ac29b2b09dcf1e08d35655b287abd639cc
Opcode Fuzzy Hash: 29ecba558c39f65b56dd99abaa49a5c26291665dc2503d53869bcf96de5ad8a1
Instruction Fuzzy Hash: 1991D171A00219AFDB00DF9CC888BBEB7B9FF45315F148029E904EB696D774E941CB95

Function 0081948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 76ee0df940e228ee256ff74c943289296a5f79be255f2fafe2d93874940ba7be
Instruction ID: d013e0c2b65f3eb738cbe5b04ad3fcb93c111a42f13ee693f48213564a6cb00d
Opcode Fuzzy Hash: 76ee0df940e228ee256ff74c943289296a5f79be255f2fafe2d93874940ba7be
Instruction Fuzzy Hash: BD911471D00219EFCB10CFA9C884AEEBBB9FF49320F148559E955F7251D375AA82CB60

Function 00883947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0088396B
CharUpperBuffW.USER32(?,?), ref: 00883A7A
_wcslen.LIBCMT ref: 00883A8A
VariantClear.OLEAUT32(?), ref: 00883C1F

Part of subcall function 00870CDF: VariantInit.OLEAUT32(00000000), ref: 00870D1F
Part of subcall function 00870CDF: VariantCopy.OLEAUT32(?,?), ref: 00870D28
Part of subcall function 00870CDF: VariantClear.OLEAUT32(?), ref: 00870D34

Strings

AUTOIT.ERROR, xrefs: 00883A80, 00883A85
Incorrect Parameter format, xrefs: 008839A6, 00883BA1

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 7fd7bfbed15d86730a563abb6f5117a3ab954ae9977bc646c559d11ec1640eff
Instruction ID: 2a1f97cdd4efeaa8e45038d60690934d5e8b2467c386d6fea00f555ac5b1c278
Opcode Fuzzy Hash: 7fd7bfbed15d86730a563abb6f5117a3ab954ae9977bc646c559d11ec1640eff
Instruction Fuzzy Hash: EF9113756083059FC704EF68C88096AB7E5FF89714F14882DF88ADB351DB31EA45CB92

Function 00884BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 0086000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0085FF41,80070057,?,?,?,0086035E), ref: 0086002B
Part of subcall function 0086000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0085FF41,80070057,?,?), ref: 00860046
Part of subcall function 0086000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0085FF41,80070057,?,?), ref: 00860054
Part of subcall function 0086000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0085FF41,80070057,?), ref: 00860064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00884C51
_wcslen.LIBCMT ref: 00884D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00884DCF
CoTaskMemFree.OLE32(?), ref: 00884DDA

Strings

NULL Pointer assignment, xrefs: 00884E23, 00884E52

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: a895925598f62dd79b19892dfcf7c00046c4ebd25d9fcce03e0276b2d50f005d
Instruction ID: ed968c7c8cfc66ea6c18c7bce62b0f8db2eae831444fee9533d4ba540e5593f5
Opcode Fuzzy Hash: a895925598f62dd79b19892dfcf7c00046c4ebd25d9fcce03e0276b2d50f005d
Instruction Fuzzy Hash: 8C91F772D0021EABDF14EFA4DC91AEEB7B9FF08314F108169E515E7291DB705A448F61

Function 008920FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00892183
GetMenuItemCount.USER32(00000000), ref: 008921B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 008921DD
_wcslen.LIBCMT ref: 00892213
GetMenuItemID.USER32(?,?), ref: 0089224D
GetSubMenu.USER32(?,?), ref: 0089225B

Part of subcall function 00863A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00863A57
Part of subcall function 00863A3D: GetCurrentThreadId.KERNEL32 ref: 00863A5E
Part of subcall function 00863A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,008625B3), ref: 00863A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 008922E3

Part of subcall function 0086E97B: Sleep.KERNEL32 ref: 0086E9F3

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: e73175e3f752af7ba17685a79af0dbdfd8974e3272b50a2cc39662547e8648c6
Instruction ID: 4d92fa966d654c6bc8a39711b8c553d35825c09009f76172920cc553753a4f76
Opcode Fuzzy Hash: e73175e3f752af7ba17685a79af0dbdfd8974e3272b50a2cc39662547e8648c6
Instruction Fuzzy Hash: 92717D75A00215AFCF14EFA8C845AAEB7F5FF88310F188459E916EB351DB34ED418B91

Function 00897E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(0163E260), ref: 00897F37
IsWindowEnabled.USER32(0163E260), ref: 00897F43
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 0089801E
SendMessageW.USER32(0163E260,000000B0,?,?), ref: 00898051
IsDlgButtonChecked.USER32(?,?), ref: 00898089
GetWindowLongW.USER32(0163E260,000000EC), ref: 008980AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 008980C3

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: d8dfc2533374672fbfef1d49be68c6b7ceae7353b592aba2db1ade029bce16ad
Instruction ID: ac1a43084f82f02fc8c35d636300eb414af27feb8d06e6adde1a14843d093b5f
Opcode Fuzzy Hash: d8dfc2533374672fbfef1d49be68c6b7ceae7353b592aba2db1ade029bce16ad
Instruction Fuzzy Hash: 37719E34608645EFEF21AF64CC94FBABBB5FF5A300F18445AE945E7261CB31A845DB20

Function 0086AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0086AEF9
GetKeyboardState.USER32(?), ref: 0086AF0E
SetKeyboardState.USER32(?), ref: 0086AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 0086AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 0086AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 0086AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 0086B020

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 46772aa6ebfdc77d957bcfd262d445d7bc8dca060d3dd798a2fa1eac60b33368
Instruction ID: 1a45f7ca0f13369298f346ddd1c0572c97435affebf1c3369f06f34e11def5d9
Opcode Fuzzy Hash: 46772aa6ebfdc77d957bcfd262d445d7bc8dca060d3dd798a2fa1eac60b33368
Instruction Fuzzy Hash: C651C4A0A047D53DFB3642348C45BBA7EE9BB06308F098489E1D5D54C3D7A9A8C4D752

Function 0086ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 0086AD19
GetKeyboardState.USER32(?), ref: 0086AD2E
SetKeyboardState.USER32(?), ref: 0086AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0086ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0086ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0086AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0086AE38

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: a510e0157dbdc1960cc57ff1f43958607b6c436a857a94ea6c2a5cf7768b30f5
Instruction ID: c465774dbadeeed95015bf2f9c5666a8e8384e6fd7cc08d3930bc62901b04dca
Opcode Fuzzy Hash: a510e0157dbdc1960cc57ff1f43958607b6c436a857a94ea6c2a5cf7768b30f5
Instruction Fuzzy Hash: 7351F6A16047D53DFB3B83348C95B7A7EE8FB05304F098489E1D5E68C2C295EC84DB52

Function 0083542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00843CD6,?,?,?,?,?,?,?,?,00835BA3,?,?,00843CD6,?,?), ref: 00835470
__fassign.LIBCMT ref: 008354EB
__fassign.LIBCMT ref: 00835506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00843CD6,00000005,00000000,00000000), ref: 0083552C
WriteFile.KERNEL32(?,00843CD6,00000000,00835BA3,00000000,?,?,?,?,?,?,?,?,?,00835BA3,?), ref: 0083554B
WriteFile.KERNEL32(?,?,00000001,00835BA3,00000000,?,?,?,?,?,?,?,?,?,00835BA3,?), ref: 00835584

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 85f6480d5bbf89689e68cf2fdd16f144e3844ca94a589ba05cfa7f5567e3b8cd
Instruction ID: c3c23245dc5df4f18157f56aa4ccf44873df490ac8cc342365e9b7227f9931bd
Opcode Fuzzy Hash: 85f6480d5bbf89689e68cf2fdd16f144e3844ca94a589ba05cfa7f5567e3b8cd
Instruction Fuzzy Hash: 8E51B4B1A006499FDB10CFA8D855AEEBBF9FF49300F14452AF955E7291D730AA41CBA0

Function 00822D20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00822D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00822D53
_ValidateLocalCookies.LIBCMT ref: 00822DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00822E0C
_ValidateLocalCookies.LIBCMT ref: 00822E61

Strings

csm, xrefs: 00822DF6

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: bc2a4bc9d79782535a748951f76bd3531c7d8250d5e6bf1205a7a971daa8c696
Instruction ID: 5d751ac84c7e3a21ee06b303162fb91c957e1d069fc9c561b5d4fb3192897462
Opcode Fuzzy Hash: bc2a4bc9d79782535a748951f76bd3531c7d8250d5e6bf1205a7a971daa8c696
Instruction Fuzzy Hash: BE41E334E0022CBBCF10DF68E844AAEBBB4FF45324F148165E814EB392D7359A81CB91

Function 008810B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0088304E: inet_addr.WSOCK32(?), ref: 0088307A
Part of subcall function 0088304E: _wcslen.LIBCMT ref: 0088309B

socket.WSOCK32(00000002,00000001,00000006), ref: 00881112
WSAGetLastError.WSOCK32 ref: 00881121
WSAGetLastError.WSOCK32 ref: 008811C9
closesocket.WSOCK32(00000000), ref: 008811F9

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: f65ef292447b5ca56599c5c0865666a5d799db97593952d32011661c7585575c
Instruction ID: d146ecc28ed8ccc679a07d3f28ba2fcefaf2e1e262a52b15193c02ad82b81cf3
Opcode Fuzzy Hash: f65ef292447b5ca56599c5c0865666a5d799db97593952d32011661c7585575c
Instruction Fuzzy Hash: 8C41D435600204AFDB10AF58CC8CBA9B7E9FF45368F148159F915EB291CB71ED42CBA1

Function 0086CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0086DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0086CF22,?), ref: 0086DDFD

Part of subcall function 0086DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0086CF22,?), ref: 0086DE16

lstrcmpiW.KERNEL32(?,?), ref: 0086CF45
MoveFileW.KERNEL32(?,?), ref: 0086CF7F
_wcslen.LIBCMT ref: 0086D005
_wcslen.LIBCMT ref: 0086D01B
SHFileOperationW.SHELL32(?), ref: 0086D061

Strings

\*.*, xrefs: 0086CFF3

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: ae3d35f1d75dea3e90e17640143799b26b395aa49a0e04073981f84f91035072
Instruction ID: 24eeac3ddce2ae55ced0c895529b9b2694a897e7ea3ce00d3cd3d46e6d7d3d0f
Opcode Fuzzy Hash: ae3d35f1d75dea3e90e17640143799b26b395aa49a0e04073981f84f91035072
Instruction Fuzzy Hash: 4D4131719452189FDF12EBA4D981AEEB7B9FF08380F1100E6E545EB142EE74A688CB51

Function 00892DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00892E1C
GetWindowLongW.USER32(?,000000F0), ref: 00892E4F
GetWindowLongW.USER32(?,000000F0), ref: 00892E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00892EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00892EE0
GetWindowLongW.USER32(?,000000F0), ref: 00892EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00892F0B

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 5f293293884663f3da8928e27308420eec7baa2faffc106980abd68b051cfe45
Instruction ID: 779e3b29d59a75473766ddb4967e770a4ffc04e54e582855525694ed63f3ccab
Opcode Fuzzy Hash: 5f293293884663f3da8928e27308420eec7baa2faffc106980abd68b051cfe45
Instruction Fuzzy Hash: FF310035645244BFEF21EF58DCD8F693BA0FB9A710F5901A6F901CB2B2CB61A8409B51

Function 00867726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00867769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0086778F
SysAllocString.OLEAUT32(00000000), ref: 00867792
SysAllocString.OLEAUT32(?), ref: 008677B0
SysFreeString.OLEAUT32(?), ref: 008677B9
StringFromGUID2.OLE32(?,?,00000028), ref: 008677DE
SysAllocString.OLEAUT32(?), ref: 008677EC

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 78816418a222f5fae73a7d9386fe1e4d3fe56d5fdc9d6f078da8389a300cb5ab
Instruction ID: 46ccbd21a3cdda8f991db5caf608c4ccab9e5fb04527d078295be41d8cca1276
Opcode Fuzzy Hash: 78816418a222f5fae73a7d9386fe1e4d3fe56d5fdc9d6f078da8389a300cb5ab
Instruction Fuzzy Hash: 9C21B076608219AFDF10EFA8CD88CBB77ACFF093687058026FA14DB151D674DC4187A4

Function 008677FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00867842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00867868
SysAllocString.OLEAUT32(00000000), ref: 0086786B
SysAllocString.OLEAUT32 ref: 0086788C
SysFreeString.OLEAUT32 ref: 00867895
StringFromGUID2.OLE32(?,?,00000028), ref: 008678AF
SysAllocString.OLEAUT32(?), ref: 008678BD

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: abd990c98d738fcf01828755c76751cc9f4b6df442780b4ee45332403f2c4e77
Instruction ID: 8bf87fe0a45d0534490741b6d5bdd2f07453610202ffe476e62bab9dbcec3da1
Opcode Fuzzy Hash: abd990c98d738fcf01828755c76751cc9f4b6df442780b4ee45332403f2c4e77
Instruction Fuzzy Hash: 63217431608208AFDB10AFB8DC88DAA77ECFB097647158135F915CB2A1D670DC81CBA8

Function 008704D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 008704F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0087052E

Strings

nul, xrefs: 00870567

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: c168ce72a4e49dfdd979ee8dc6ca5585e9d0a860010a3501de2251a3a6aeb14a
Instruction ID: 85f7ccc1ab186cc7ac3d52a768c17dea6d555902bab5740bf7247f4369f9dcc7
Opcode Fuzzy Hash: c168ce72a4e49dfdd979ee8dc6ca5585e9d0a860010a3501de2251a3a6aeb14a
Instruction Fuzzy Hash: A0218D71500305EBDB209F69DC44A9A7BB4FF54724F248A19F8A9E62E4D771D940CF20

Function 008705A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 008705C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00870601

Strings

nul, xrefs: 00870639

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 84725a4570459bc5907640012be77274eeb33f3eef5e9cac33c92f1674740bde
Instruction ID: b3ede07a924707891a9dad1f99db8444e04a478c39cf7c204e8ce8e7e564a834
Opcode Fuzzy Hash: 84725a4570459bc5907640012be77274eeb33f3eef5e9cac33c92f1674740bde
Instruction Fuzzy Hash: 2521D171500305DBDB209F688C14A9A77E4FFA1724F248A1AF8A5E72E4D770D860CF20

Function 008940AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0080600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0080604C
Part of subcall function 0080600E: GetStockObject.GDI32(00000011), ref: 00806060
Part of subcall function 0080600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0080606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00894112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0089411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0089412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00894139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00894145

Strings

Msctls_Progress32, xrefs: 008940E3

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: dfb5eda3b5bfecac42cdbdcc4d77920a39253b27903a07ed694ee946cecf27bb
Instruction ID: 8a57dd555737af9eff6d8ce9b092905dbbe131ec7d7fda3a79a7f19fc4071c45
Opcode Fuzzy Hash: dfb5eda3b5bfecac42cdbdcc4d77920a39253b27903a07ed694ee946cecf27bb
Instruction Fuzzy Hash: 1A1190B214021DBEEF119E64CC85EE77F6DFF08798F004111BA18E2190C6729C219BA4

Function 0083D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0083D7A3: _free.LIBCMT ref: 0083D7CC

_free.LIBCMT ref: 0083D82D

Part of subcall function 008329C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0083D7D1,00000000,00000000,00000000,00000000,?,0083D7F8,00000000,00000007,00000000,?,0083DBF5,00000000), ref: 008329DE
Part of subcall function 008329C8: GetLastError.KERNEL32(00000000,?,0083D7D1,00000000,00000000,00000000,00000000,?,0083D7F8,00000000,00000007,00000000,?,0083DBF5,00000000,00000000), ref: 008329F0

_free.LIBCMT ref: 0083D838
_free.LIBCMT ref: 0083D843
_free.LIBCMT ref: 0083D897
_free.LIBCMT ref: 0083D8A2
_free.LIBCMT ref: 0083D8AD
_free.LIBCMT ref: 0083D8B8

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: f6fb5ef22450ff740fdaf9d5dd67b24056d62e1460583c5e013fbb04b4abb9f7
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: 64115E71940B14AAD621BFB4EC47FCB7BDCFF80700F400825BA99E6292DA65B50586E2

Function 0086DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0086DA74
LoadStringW.USER32(00000000), ref: 0086DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0086DA91
LoadStringW.USER32(00000000), ref: 0086DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0086DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0086DAB9

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 346fb7d4776bdcb4a2b15aef0ec6860061fd0d82493cbe7fed9850edf4275744
Instruction ID: 11a8242cfc58dc2f264f99b26a84587e3927db99b7ef1a00dbd0eb1b31506165
Opcode Fuzzy Hash: 346fb7d4776bdcb4a2b15aef0ec6860061fd0d82493cbe7fed9850edf4275744
Instruction Fuzzy Hash: 6C0162F29042187FEB11EBE49D89EEB376CF708305F440496B746E2041EA759E844F74

Function 0087096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(0163F3F8,0163F3F8), ref: 0087097B
EnterCriticalSection.KERNEL32(0163F3D8,00000000), ref: 0087098D
TerminateThread.KERNEL32(?,000001F6), ref: 0087099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 008709A9
CloseHandle.KERNEL32(?), ref: 008709B8
InterlockedExchange.KERNEL32(0163F3F8,000001F6), ref: 008709C8
LeaveCriticalSection.KERNEL32(0163F3D8), ref: 008709CF

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 7e3161e66e56f729f4b53baba9b72a3cde802f27c9afb211e71d9dddb2c2f173
Instruction ID: 5287ec6a31eab4b3071e8c7815ace269f8b196dff5b56b276d8664efc9e932b9
Opcode Fuzzy Hash: 7e3161e66e56f729f4b53baba9b72a3cde802f27c9afb211e71d9dddb2c2f173
Instruction Fuzzy Hash: 17F0E131446912FFD7516FA4EE8DBD6BB35FF05702F841016F201908A5C776A465CFA0

Function 00805D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00805D30
GetWindowRect.USER32(?,?), ref: 00805D71
ScreenToClient.USER32(?,?), ref: 00805D99
GetClientRect.USER32(?,?), ref: 00805ED7
GetWindowRect.USER32(?,?), ref: 00805EF8

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: a522cdf409bd0a5148da54f5f8c3e18554f29e02c301f5719e2ce9c81f54c2ac
Instruction ID: f338ffe062ce87f223ee126d5ccf7d35454251b151bb25bbbea8cb296341697d
Opcode Fuzzy Hash: a522cdf409bd0a5148da54f5f8c3e18554f29e02c301f5719e2ce9c81f54c2ac
Instruction Fuzzy Hash: 35B16B34A0064ADBDB10CFA9C8407EEBBF1FF58314F14941AE8A9D7290DB34AA51DF64

Function 008301B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 008300BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 008300D6
__allrem.LIBCMT ref: 008300ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0083010B
__allrem.LIBCMT ref: 00830122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00830140

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction ID: ab2114224862029fa61fb409d55ff0bf6500d53c7424a9d76b41898cd708a7be
Opcode Fuzzy Hash: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction Fuzzy Hash: 62812771A00B1A9BE7249F2CDC51B6A73F8FF81724F24413AF551D6682EB74D9408BD1

Function 00881D10 Relevance: 9.3, APIs: 6, Instructions: 254networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00883149: select.WSOCK32(00000000,?,00000000,00000000,?), ref: 00883195

__WSAFDIsSet.WSOCK32(00000000,?), ref: 00881DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00881DE1
WSAGetLastError.WSOCK32 ref: 00881DF2
inet_ntoa.WSOCK32(?), ref: 00881E8C
htons.WSOCK32(?), ref: 00881EDB
_strlen.LIBCMT ref: 00881F35

Part of subcall function 008639E8: _strlen.LIBCMT ref: 008639F2

Part of subcall function 00806D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000002,?,?,?,?,0081CF58,?,?,?), ref: 00806DBA
Part of subcall function 00806D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,?,?,?,0081CF58,?,?,?), ref: 00806DED

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: ByteCharMultiWide_strlen$ErrorLasthtonsinet_ntoaselect
String ID:
API String ID: 1923757996-0
Opcode ID: 8396385892e6bd7c31431c253f76387a6328f00a6747a449e07647ba04791e65
Instruction ID: 9716dfdeef4cac96a783fae5bd83d71d0081e1ef74eadbea63779ec977f621e7
Opcode Fuzzy Hash: 8396385892e6bd7c31431c253f76387a6328f00a6747a449e07647ba04791e65
Instruction Fuzzy Hash: D3A1A031204340AFC714EB28C889E2A77A9FF84318F54895CF5569B2E2DF71ED46CB92

Function 008361FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,008282D9,008282D9,?,?,?,0083644F,00000001,00000001,8BE85006), ref: 00836258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0083644F,00000001,00000001,8BE85006,?,?,?), ref: 008362DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 008363D8
__freea.LIBCMT ref: 008363E5

Part of subcall function 00833820: RtlAllocateHeap.NTDLL(00000000,?,008D1444,?,0081FDF5,?,?,0080A976,00000010,008D1440,008013FC,?,008013C6,?,00801129), ref: 00833852

__freea.LIBCMT ref: 008363EE
__freea.LIBCMT ref: 00836413

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 84970da3ddfd6376ede5906d9423d9f243835972376bcb4d1ca3ce3199993731
Instruction ID: 3901a67fc305c12a6f31f4856cfa66c4151b74e3c0cee7db3d1a7e8d99d2dd1b
Opcode Fuzzy Hash: 84970da3ddfd6376ede5906d9423d9f243835972376bcb4d1ca3ce3199993731
Instruction Fuzzy Hash: AF51B072A00216BBDF259F68DC81EAF77A9FB84750F158629FC05D6241EB34DC60C6E0

Function 0088BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00809CB3: _wcslen.LIBCMT ref: 00809CBD

Part of subcall function 0088C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0088B6AE,?,?), ref: 0088C9B5
Part of subcall function 0088C998: _wcslen.LIBCMT ref: 0088C9F1
Part of subcall function 0088C998: _wcslen.LIBCMT ref: 0088CA68
Part of subcall function 0088C998: _wcslen.LIBCMT ref: 0088CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0088BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0088BD25
RegCloseKey.ADVAPI32(00000000), ref: 0088BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0088BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0088BDF3
RegCloseKey.ADVAPI32(?), ref: 0088BDFF

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 4e1155be939dde4cfbdf6284e9ccd076b39f08849447fdace0ad904710024ddc
Instruction ID: 54cc4ad74bda3abc1687bf68a2172469a435b74ff195d2c35bc4e8eec72c5d61
Opcode Fuzzy Hash: 4e1155be939dde4cfbdf6284e9ccd076b39f08849447fdace0ad904710024ddc
Instruction Fuzzy Hash: 28818170208241EFD714EF24C895E6ABBE5FF84308F14855DF5598B2A2DB31ED45CB92

Function 0085F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 0085F7B9
SysAllocString.OLEAUT32(00000001), ref: 0085F860
VariantCopy.OLEAUT32(0085FA64,00000000), ref: 0085F889
VariantClear.OLEAUT32(0085FA64), ref: 0085F8AD
VariantCopy.OLEAUT32(0085FA64,00000000), ref: 0085F8B1
VariantClear.OLEAUT32(?), ref: 0085F8BB

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: e8fe31c7abdcc3de1caaeb8a6858197310c840663f055da32cbf965da5a02f1e
Instruction ID: 64d25eb8801982a941e9ab963eec99098bf1cc872a2218d6227eeec8118fa53b
Opcode Fuzzy Hash: e8fe31c7abdcc3de1caaeb8a6858197310c840663f055da32cbf965da5a02f1e
Instruction Fuzzy Hash: 8A51B431600314ABCF20AB69D895B29B7A8FF45316F249467EE05DF297DB708C84C797

Function 0087910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00807620: _wcslen.LIBCMT ref: 00807625

Part of subcall function 00806B57: _wcslen.LIBCMT ref: 00806B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 008794E5
_wcslen.LIBCMT ref: 00879506
_wcslen.LIBCMT ref: 0087952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00879585

Strings

X, xrefs: 00879412

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 1294c7167e105a84ac3a1390eaa59e2c2db6c0c3818859bbe26fdbf01fa585e6
Instruction ID: f68123af38646b046d9c6d758dc146355193b723b2570975122e96f4ec78ea2c
Opcode Fuzzy Hash: 1294c7167e105a84ac3a1390eaa59e2c2db6c0c3818859bbe26fdbf01fa585e6
Instruction Fuzzy Hash: 0FE18E316083108FD764EF28C881A6AB7E4FF85314F04896DE999DB3A2DB31DD45CB92

Function 0081920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00819BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00819BB2

BeginPaint.USER32(?,?,?), ref: 00819241
GetWindowRect.USER32(?,?), ref: 008192A5
ScreenToClient.USER32(?,?), ref: 008192C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 008192D3
EndPaint.USER32(?,?,?,?,?), ref: 00819321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 008571EA

Part of subcall function 00819339: BeginPath.GDI32(00000000), ref: 00819357

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: b01f510591089fe727d560a999b40b4249851a29bc4a2b73854b11f30eeea15d
Instruction ID: 790b89299192bfd7bb884bd2669afe94fe9a9a40f0e30bab9302f83a71fce754
Opcode Fuzzy Hash: b01f510591089fe727d560a999b40b4249851a29bc4a2b73854b11f30eeea15d
Instruction Fuzzy Hash: 38419F30105201AFDB11DF68DCA8FAA7BACFF55325F14026AF9A5C72A1C7319885DB62

Function 008707EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 0087080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00870847
EnterCriticalSection.KERNEL32(?), ref: 00870863
LeaveCriticalSection.KERNEL32(?), ref: 008708DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 008708F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00870921

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 8abd3fe14b3cf128b815d7de6fa8db87f15f1ed8f7e188c69da605a09c7b3b29
Instruction ID: 493b6296e0e39e823a7267c98c5649e6d873d81e935fad0daf1d906e8302a42f
Opcode Fuzzy Hash: 8abd3fe14b3cf128b815d7de6fa8db87f15f1ed8f7e188c69da605a09c7b3b29
Instruction Fuzzy Hash: EE415871A00205EBDF14AF58DC85AAA77B8FF04300B1480A6E904DA29BD731DEA1DBA5

Function 008981DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0085F3AB,00000000,?,?,00000000,?,0085682C,00000004,00000000,00000000), ref: 0089824C
EnableWindow.USER32(?,00000000), ref: 00898272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 008982D1
ShowWindow.USER32(?,00000004), ref: 008982E5
EnableWindow.USER32(?,00000001), ref: 0089830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0089832F

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 22cee8d1c4a2170d4b130c2e0ca26952115c26d7a8b179cbc2da89310a83c13c
Instruction ID: 2619c1dbc6f1abfe0b35f39db1054b345b66fe16ab86cea1cda1d38a39c1f744
Opcode Fuzzy Hash: 22cee8d1c4a2170d4b130c2e0ca26952115c26d7a8b179cbc2da89310a83c13c
Instruction Fuzzy Hash: 22417334601645FFDF15EF65C899BA47BE1FF0B714F5C426AE5088B262CB32A841CB50

Function 00864C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00864C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00864CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00864CEA
_wcslen.LIBCMT ref: 00864D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00864D10
_wcsstr.LIBVCRUNTIME ref: 00864D1A

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 2ea5987530b9365050007cc0df08332badb3496ecb6135023cbce50f70f5806b
Instruction ID: bb8958d0bc530fe442e6fc946c5815477a17cf0728ade4d24d2790efaebd2f58
Opcode Fuzzy Hash: 2ea5987530b9365050007cc0df08332badb3496ecb6135023cbce50f70f5806b
Instruction Fuzzy Hash: 8D212632604204BBEB566B39AC09E7F7BACFF45750F15902EF905CA192EA61CC4092A1

Function 0087581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00803AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00803A97,?,?,00802E7F,?,?,?,00000000), ref: 00803AC2

_wcslen.LIBCMT ref: 0087587B
CoInitialize.OLE32(00000000), ref: 00875995
CoCreateInstance.OLE32(0089FCF8,00000000,00000001,0089FB68,?), ref: 008759AE
CoUninitialize.OLE32 ref: 008759CC

Strings

.lnk, xrefs: 00875876, 008758C1, 00875985

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 77b808d751fda1fd3ac2b49f40fafd2f477bee18f3b5d9262486f5509f842db1
Instruction ID: c9ff52f0dff1af9a82b72581653eba5f78dc3205c1d4d8220c3d355c12f6ec95
Opcode Fuzzy Hash: 77b808d751fda1fd3ac2b49f40fafd2f477bee18f3b5d9262486f5509f842db1
Instruction Fuzzy Hash: 39D142716086019FC714DF28C880A2ABBE5FF89724F14885DF989DB3A1DB71ED45CB92

Function 0086175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00860FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00860FCA
Part of subcall function 00860FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00860FD6
Part of subcall function 00860FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00860FE5
Part of subcall function 00860FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00860FEC
Part of subcall function 00860FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00861002

GetLengthSid.ADVAPI32(?,00000000,00861335), ref: 008617AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 008617BA
HeapAlloc.KERNEL32(00000000), ref: 008617C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 008617DA
GetProcessHeap.KERNEL32(00000000,00000000,00861335), ref: 008617EE
HeapFree.KERNEL32(00000000), ref: 008617F5

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 55c2e0f477b47cf48367df6839f99b2765f2775c31fd4813d8e33bb72959dac3
Instruction ID: 46763219742df53c6c8a095246bdc68e714ded7e186e04ce11065841190cff9a
Opcode Fuzzy Hash: 55c2e0f477b47cf48367df6839f99b2765f2775c31fd4813d8e33bb72959dac3
Instruction Fuzzy Hash: 3B11BB32600205FFDF10AFA4DC49BAF7BA9FB42359F194019F481E7216D736AA40CB60

Function 008614CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 008614FF
OpenProcessToken.ADVAPI32(00000000), ref: 00861506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00861515
CloseHandle.KERNEL32(00000004), ref: 00861520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0086154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00861563

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 0fb093d82ecc59c39e225fe19a9a53573fec90c0e7d99769be8a2e0acf2ed999
Instruction ID: 2b8d2bb617a0f12c0f590430dde622b85dc8bf64897051c0f06c4a48a7672565
Opcode Fuzzy Hash: 0fb093d82ecc59c39e225fe19a9a53573fec90c0e7d99769be8a2e0acf2ed999
Instruction Fuzzy Hash: 6511297250120DABDF119FA8EE49FDE7BA9FF48748F094015FA05A2161C3768E60EB61

Function 00823382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00823379,00822FE5), ref: 00823390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0082339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 008233B7
SetLastError.KERNEL32(00000000,?,00823379,00822FE5), ref: 00823409

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 7e808daa93e59b207c341979ede70c086fff40b4757d56df357ee953f0eb4c22
Instruction ID: 557000cc3aac745ef26544b64b00622b95b467f24e3abaabce06d7009284f42a
Opcode Fuzzy Hash: 7e808daa93e59b207c341979ede70c086fff40b4757d56df357ee953f0eb4c22
Instruction Fuzzy Hash: FE014C33208731BEA61437787CA99172AA8FB257797200229F410C03F0EF264E836154

Function 00832D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00835686,00843CD6,?,00000000,?,00835B6A,?,?,?,?,?,0082E6D1,?,008C8A48), ref: 00832D78
_free.LIBCMT ref: 00832DAB
_free.LIBCMT ref: 00832DD3
SetLastError.KERNEL32(00000000,?,?,?,?,0082E6D1,?,008C8A48,00000010,00804F4A,?,?,00000000,00843CD6), ref: 00832DE0
SetLastError.KERNEL32(00000000,?,?,?,?,0082E6D1,?,008C8A48,00000010,00804F4A,?,?,00000000,00843CD6), ref: 00832DEC
_abort.LIBCMT ref: 00832DF2

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: bb9beb2369e7251faff1af0041cec187a4522e3fe313516ebad6f24305e09e1d
Instruction ID: 355f7beaf1c36feb0b0caeeee28c22bec0272f6ab2d1c23599e172b45211b07d
Opcode Fuzzy Hash: bb9beb2369e7251faff1af0041cec187a4522e3fe313516ebad6f24305e09e1d
Instruction Fuzzy Hash: 07F0FC315056146FC612373DBC06F1F2A69FFC17B5F28051AF824D22D2EF75880251E2

Function 00898A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00819639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00819693
Part of subcall function 00819639: SelectObject.GDI32(?,00000000), ref: 008196A2
Part of subcall function 00819639: BeginPath.GDI32(?), ref: 008196B9
Part of subcall function 00819639: SelectObject.GDI32(?,00000000), ref: 008196E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00898A4E
LineTo.GDI32(?,00000003,00000000), ref: 00898A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00898A70
LineTo.GDI32(?,00000000,00000003), ref: 00898A80
EndPath.GDI32(?), ref: 00898A90
StrokePath.GDI32(?), ref: 00898AA0

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 6bc80bb2f3c491d21d05b48078dfe5db9ad3b60c9ce1187a35387a5ec71b4bf7
Instruction ID: a73fdf3c9901d4ca39625af7916b940022e3b3c258a0b49f1ab1924fc4a21bc6
Opcode Fuzzy Hash: 6bc80bb2f3c491d21d05b48078dfe5db9ad3b60c9ce1187a35387a5ec71b4bf7
Instruction Fuzzy Hash: C311C976040119FFDF12AF94DC88EAA7FADFF08354F048012FA199A1A1C7729D55DBA0

Function 008651FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00865218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00865229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00865230
ReleaseDC.USER32(00000000,00000000), ref: 00865238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0086524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00865261

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: a9f841e96d72ee7532204ef7abb85fa6183eb087664e3dfa06bdd092cb9da6f5
Instruction ID: 6fdb850d1eab026d11967d189bfc402b8780b8ffdda8c23ad088e833e095ad1f
Opcode Fuzzy Hash: a9f841e96d72ee7532204ef7abb85fa6183eb087664e3dfa06bdd092cb9da6f5
Instruction Fuzzy Hash: 81014475A00714BBEB106BA59C49E5EBF78FB44751F044066FA04E7381D6719800CF60

Function 00801BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00801BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00801BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00801C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00801C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00801C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00801C22

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 8362c950de40bb06b6def8bad085b73c5bc3e546337088f4b9d79460d6cf91b8
Instruction ID: f29cd8a1fe5b34e6d7c621231edb51b5a2a802eecfa59f24641ad9d9ba68e9e4
Opcode Fuzzy Hash: 8362c950de40bb06b6def8bad085b73c5bc3e546337088f4b9d79460d6cf91b8
Instruction Fuzzy Hash: E10167B0902B5ABDE3009F6A8C85B52FFA8FF19354F04411BA15C4BA42C7F5A864CBE5

Function 0086EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0086EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0086EB46
GetWindowThreadProcessId.USER32(?,?), ref: 0086EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0086EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0086EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0086EB75

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 419f5405ce3495e8ad6a8e2bf086110baf2dc2e678804333b1e6d10ac4e086a0
Instruction ID: 9201b57dd63945f8dafd864196d58a0877eb84102702076a3e4f1ad8427878c6
Opcode Fuzzy Hash: 419f5405ce3495e8ad6a8e2bf086110baf2dc2e678804333b1e6d10ac4e086a0
Instruction Fuzzy Hash: E5F05E72240158BFE7216B629C0EEEF7E7CFFCAB11F04015AF601E1191D7A25A01C6B9

Function 00857439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00857452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00857469
GetWindowDC.USER32(?), ref: 00857475
GetPixel.GDI32(00000000,?,?), ref: 00857484
ReleaseDC.USER32(?,00000000), ref: 00857496
GetSysColor.USER32(00000005), ref: 008574B0

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 53a945a2158d3a50679df2fd8889970afdb9c81cd6dc811fb988e38596c5a21a
Instruction ID: 116f7ac7e21a78615aba74cc108d7eae65a2c0d3d57f62eeb0ad55651a97c9a0
Opcode Fuzzy Hash: 53a945a2158d3a50679df2fd8889970afdb9c81cd6dc811fb988e38596c5a21a
Instruction Fuzzy Hash: 39014B31500219EFDB516FA4EC08BAA7BB5FF04312F594165FE16A21A1CB321E51AB50

Function 00861874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0086187F
UnloadUserProfile.USERENV(?,?), ref: 0086188B
CloseHandle.KERNEL32(?), ref: 00861894
CloseHandle.KERNEL32(?), ref: 0086189C
GetProcessHeap.KERNEL32(00000000,?), ref: 008618A5
HeapFree.KERNEL32(00000000), ref: 008618AC

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 3e3a7af14e382f65948396c31884867fb76e6ae922a0a9b83c0579defbc10126
Instruction ID: 6f7e61bb20a9fc6a4fd75f4d82369a55bed0279b5bcc4f6b4fbfda23d8897ee0
Opcode Fuzzy Hash: 3e3a7af14e382f65948396c31884867fb76e6ae922a0a9b83c0579defbc10126
Instruction Fuzzy Hash: A9E0E536004101BFDB016FA5EE0C90AFF39FF49B22B148222F22581170CB339420EF64

Function 0086C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00807620: _wcslen.LIBCMT ref: 00807625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0086C6EE
_wcslen.LIBCMT ref: 0086C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0086C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0086C7CA

Strings

0, xrefs: 0086C6AF

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: cfac94bb720dc7e6a7499be0c2f59f9997ceeb1399128f0f15c2ff1adeef7f67
Instruction ID: 24240059fe6164d37904df320a17c032e94fffea2e3227abb33cf9a2ddb671f6
Opcode Fuzzy Hash: cfac94bb720dc7e6a7499be0c2f59f9997ceeb1399128f0f15c2ff1adeef7f67
Instruction Fuzzy Hash: 1951DD71604301ABD7509F2CC889A7B77E8FF99314F050A2EF9E5D32A1DB60D8448B56

Function 0088AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 0088AEA3

Part of subcall function 00807620: _wcslen.LIBCMT ref: 00807625

GetProcessId.KERNEL32(00000000), ref: 0088AF38
CloseHandle.KERNEL32(00000000), ref: 0088AF67

Strings

@, xrefs: 0088AE72
<, xrefs: 0088AE6B

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 375280ee82a8a0ded7a32359d587212d7df089dbc9810fe94bd4987e9705863f
Instruction ID: 2e423b416732ca7486816c152046f857a7513dc3321dfe0498c4e166f7ec223a
Opcode Fuzzy Hash: 375280ee82a8a0ded7a32359d587212d7df089dbc9810fe94bd4987e9705863f
Instruction Fuzzy Hash: AA713A75A00615DFDB14EF58C884A9EBBB4FF08314F04849AE816AB392CB75ED41CB92

Function 0086719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00867206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0086723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0086724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 008672CF

Strings

DllGetClassObject, xrefs: 00867242

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 65d7e17ebb9605f306b663c12399973888a10773e07404e3535529717b2965ed
Instruction ID: a6a851a23dcbd0b9e1618737b823f9893a17ae0e2dc7b34a4ba15fb2705c356d
Opcode Fuzzy Hash: 65d7e17ebb9605f306b663c12399973888a10773e07404e3535529717b2965ed
Instruction Fuzzy Hash: 4C416C71A04204AFDB15CF54C895B9ABBA9FF44318F1680A9BD06DF30AD7B1D944CBE0

Function 00893D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00893E35
IsMenu.USER32(?), ref: 00893E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00893E92
DrawMenuBar.USER32 ref: 00893EA5

Strings

0, xrefs: 00893D89

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: 68a6945f1c71aff0bd37fdadc03058e1bbf7dba2a2549a0d41791ccf3317a58a
Instruction ID: 95674fe900a3bd49f41bd9878dbe9c0076a852033b9e0e1e7891e79e805b2c04
Opcode Fuzzy Hash: 68a6945f1c71aff0bd37fdadc03058e1bbf7dba2a2549a0d41791ccf3317a58a
Instruction Fuzzy Hash: D1413575A01209AFDF10EF64D884AAEBBB9FF49354F08412AF905EB650D730AE44CF60

Function 00861DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00809CB3: _wcslen.LIBCMT ref: 00809CBD

Part of subcall function 00863CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00863CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00861E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00861E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 00861EA9

Part of subcall function 00806B57: _wcslen.LIBCMT ref: 00806B6A

Strings

ListBox, xrefs: 00861E25
ComboBox, xrefs: 00861DF0

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: 982adf2b09962dcbcd22526247ac8ba233e49a3f5da30b1be7d36a9d74b757c3
Instruction ID: 33d74d91804353293a47e8b2d3d85663201c02a92c902c6c904b4289c13732d6
Opcode Fuzzy Hash: 982adf2b09962dcbcd22526247ac8ba233e49a3f5da30b1be7d36a9d74b757c3
Instruction Fuzzy Hash: AE213771A00104BADF54AB68DC49DFFB7B8FF41360B194119F821E72E2DB3A89059620

Function 0088C9EA Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 91COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0088C9F1
_wcslen.LIBCMT ref: 0088CA68
_wcslen.LIBCMT ref: 0088CA9E
_wcslen.LIBCMT ref: 0088CAF9
_wcslen.LIBCMT ref: 0088CB2F
_wcslen.LIBCMT ref: 0088CB7F

Strings

HKLM, xrefs: 0088CA98, 0088CA9D
HKEY_LOCAL_MACHINE, xrefs: 0088CA62, 0088CA67

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: _wcslen
String ID: HKEY_LOCAL_MACHINE$HKLM
API String ID: 176396367-4004644295
Opcode ID: cc4ba1ddb3c0f631d8325090bba1c0524564b8ef1a93a22721e832eb931a20d0
Instruction ID: 0adcb2e2cb0f6e8673dc48245741d1cdf26df423661554e0d4bf6ad981a956ec
Opcode Fuzzy Hash: cc4ba1ddb3c0f631d8325090bba1c0524564b8ef1a93a22721e832eb931a20d0
Instruction Fuzzy Hash: 7D31F5B2A001794BCB28FE6C98405BE37A2FFA1754B05402AE851EB34DE671CE8497B0

Function 00892F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00892F8D
LoadLibraryW.KERNEL32(?), ref: 00892F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00892FA9
DestroyWindow.USER32(?), ref: 00892FB1

Strings

SysAnimate32, xrefs: 00892F68

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: f925a5c2077abc71fb2050d18d7189caa00e4f9c3c12ef4269cad51e995fafc8
Instruction ID: ff853beb9b91ac2d8fbc6ae837b28faca394c3a1dabe3abbf7404f4c03a08eb9
Opcode Fuzzy Hash: f925a5c2077abc71fb2050d18d7189caa00e4f9c3c12ef4269cad51e995fafc8
Instruction Fuzzy Hash: 9521AC72200209BBEF21AFA4DC84EBB37B9FB99364F180629F954D2190DB71DC519760

Function 00824D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00824D1E,008328E9,?,00824CBE,008328E9,008C88B8,0000000C,00824E15,008328E9,00000002), ref: 00824D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00824DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00824D1E,008328E9,?,00824CBE,008328E9,008C88B8,0000000C,00824E15,008328E9,00000002,00000000), ref: 00824DC3

Strings

CorExitProcess, xrefs: 00824D98
mscoree.dll, xrefs: 00824D86

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 727a88d657ea35547fc0a3a09bcfee1d86bd72247b9c8e5e1f53b5530a4ff2ad
Instruction ID: 461ae0eafe2bdd979f717f28e9951343a9524e2573f6e528fe069eff275f904a
Opcode Fuzzy Hash: 727a88d657ea35547fc0a3a09bcfee1d86bd72247b9c8e5e1f53b5530a4ff2ad
Instruction Fuzzy Hash: 2DF0AF30A00218BBDB10AF90EC09BADBBB4FF04751F0400A5F80AE2260CB325D80DEA0

Function 0085D3A0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 0085D3AD
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0085D3BF
FreeLibrary.KERNEL32(00000000), ref: 0085D3E5

Strings

X64, xrefs: 0085D2A8
GetSystemWow64DirectoryW, xrefs: 0085D3B9

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 145871493-2590602151
Opcode ID: ed6542053c9b44bce24591e9f1da03c9689c16c814789b17929c8ae8e4aa4567
Instruction ID: f7a1c17cfa7d8db1cb3743e17b00dd30a0d254dddde6de7037a478d41e329e6c
Opcode Fuzzy Hash: ed6542053c9b44bce24591e9f1da03c9689c16c814789b17929c8ae8e4aa4567
Instruction Fuzzy Hash: EEF05531806B209BCB7167208C08AAE3724FF10707F58815AFD02E6320EB30CDCCCA82

Function 00804E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00804EDD,?,008D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00804E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00804EAE
FreeLibrary.KERNEL32(00000000,?,?,00804EDD,?,008D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00804EC0

Strings

Wow64DisableWow64FsRedirection, xrefs: 00804EA8
kernel32.dll, xrefs: 00804E94

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: e1f01729ccd98db97a67ef13d31e34634b9038b132e2d475a5b2c2abf391efc2
Instruction ID: 01221a274247b181547ea591cbcf6705ee0d52d58622eeb5ed5db85c0302abb2
Opcode Fuzzy Hash: e1f01729ccd98db97a67ef13d31e34634b9038b132e2d475a5b2c2abf391efc2
Instruction Fuzzy Hash: F0E0CD35A415225BD3712B25FC18B5F7554FF81F7270D0116FD04D3250DB65CD0240E4

Function 00804E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00843CDE,?,008D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00804E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00804E74
FreeLibrary.KERNEL32(00000000,?,?,00843CDE,?,008D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00804E87

Strings

Wow64RevertWow64FsRedirection, xrefs: 00804E6E
kernel32.dll, xrefs: 00804E5B

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: c365bcc4cb5cb29de2daeb80206b08473670241b726c1055adffa40283886ef7
Instruction ID: 65923e7b17dd0d19bf4897f37aa04e4007e9ae8b4961dd3b8cf4c92fd310d03b
Opcode Fuzzy Hash: c365bcc4cb5cb29de2daeb80206b08473670241b726c1055adffa40283886ef7
Instruction Fuzzy Hash: 40D01235542621579A622B25BC18E8B7A18FF85B71389451ABA09E2294CF66CD0285D4

Function 00872947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00872C05
DeleteFileW.KERNEL32(?), ref: 00872C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00872C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00872CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00872CC0

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: cc9c8eaba9b4680e5aab3511b05d0ffc30d6cc80117adb967f334e88fe9d3bc4
Instruction ID: f8a1df50b87063e44b4819d92eec0253b08b6b26a489055cf15f4e9cac941aa4
Opcode Fuzzy Hash: cc9c8eaba9b4680e5aab3511b05d0ffc30d6cc80117adb967f334e88fe9d3bc4
Instruction Fuzzy Hash: 83B1407190012DABDF21DBA8CC85EDEB77DFF49354F1080A6F509E6145EA31DA448F61

Function 0088A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 0088A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0088A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0088A468
CloseHandle.KERNEL32(?), ref: 0088A63D

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 0b32f05f7a8917aabf7d28abb3097061d7e4f4a3cb24841c2e8e468ee1ceb115
Instruction ID: e6426ef3b45441a9d948a89924b760b2941f9713f375b989ef7951768805a96e
Opcode Fuzzy Hash: 0b32f05f7a8917aabf7d28abb3097061d7e4f4a3cb24841c2e8e468ee1ceb115
Instruction Fuzzy Hash: 66A15A716043019FE724EF28C886B2AB7E5FB84714F14885DF55ADB2D2DAB1EC418B92

Function 0086E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0086DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0086CF22,?), ref: 0086DDFD

Part of subcall function 0086DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0086CF22,?), ref: 0086DE16

Part of subcall function 0086E199: GetFileAttributesW.KERNEL32(?,0086CF95), ref: 0086E19A

lstrcmpiW.KERNEL32(?,?), ref: 0086E473
MoveFileW.KERNEL32(?,?), ref: 0086E4AC
_wcslen.LIBCMT ref: 0086E5EB
_wcslen.LIBCMT ref: 0086E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0086E650

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 42f61afeae96896256ce6ba29390c28513b8939052b87735f67a6e38a3af6ded
Instruction ID: 58871bad515740df972c61a7f8086c70c9e809807bb5c839a6d237a3df2cf0d3
Opcode Fuzzy Hash: 42f61afeae96896256ce6ba29390c28513b8939052b87735f67a6e38a3af6ded
Instruction Fuzzy Hash: BE5150B25087859BC724EBA4DC819DB73DCFF85340F00492EF689D3191EE75A688876B

Function 0088B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00809CB3: _wcslen.LIBCMT ref: 00809CBD

Part of subcall function 0088C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0088B6AE,?,?), ref: 0088C9B5
Part of subcall function 0088C998: _wcslen.LIBCMT ref: 0088C9F1
Part of subcall function 0088C998: _wcslen.LIBCMT ref: 0088CA68
Part of subcall function 0088C998: _wcslen.LIBCMT ref: 0088CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0088BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0088BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0088BB63
RegCloseKey.ADVAPI32(?,?), ref: 0088BBA6
RegCloseKey.ADVAPI32(00000000), ref: 0088BBB3

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: ee9f5934662237e02ae5e2825f7b038ee0251d4caf4bbdb1e94fc011e10a70c8
Instruction ID: 55bafe089434c3ad37a9c70063dc0541fa1f0253e075bc6902b866a172af52b6
Opcode Fuzzy Hash: ee9f5934662237e02ae5e2825f7b038ee0251d4caf4bbdb1e94fc011e10a70c8
Instruction Fuzzy Hash: E1619031209241EFD714EF14C891E2ABBE5FF84318F5485ADF4998B2A2DB31ED45CB92

Function 00868BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00868BCD
VariantClear.OLEAUT32 ref: 00868C3E
VariantClear.OLEAUT32 ref: 00868C9D
VariantClear.OLEAUT32(?), ref: 00868D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00868D3B

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 0e82caa166a9418763fb27ca62cfbc61fdf54e04be46aa8c958bf96f057371eb
Instruction ID: 4414d903a798ce14a19b256a75aabcd5e85196441f52a1d44742fe02f1913272
Opcode Fuzzy Hash: 0e82caa166a9418763fb27ca62cfbc61fdf54e04be46aa8c958bf96f057371eb
Instruction Fuzzy Hash: E6515BB5A00219EFCB14CF58C894AAAB7F4FF89314F168559E909DB350E730E911CFA0

Function 00878AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00878BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00878BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00878C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00878C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00878C5F

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 2fc746c2c0a6f56e075c2ddd26b1a9cde741a37c1cd5d254f21506155efcea0b
Instruction ID: 2eaa87a1eb8fb937a621017f37f4e7732c8e99d909afc66a8b9175c34e0af4c7
Opcode Fuzzy Hash: 2fc746c2c0a6f56e075c2ddd26b1a9cde741a37c1cd5d254f21506155efcea0b
Instruction Fuzzy Hash: 83515A35A00215DFDB41DF68C885AAABBF5FF48314F08C459E849AB3A2CB35ED41CB91

Function 00888EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00888F40
GetProcAddress.KERNEL32(00000000,?), ref: 00888FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00888FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00889032
FreeLibrary.KERNEL32(00000000), ref: 00889052

Part of subcall function 0081F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00871043,?,753CE610), ref: 0081F6E6
Part of subcall function 0081F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,0085FA64,00000000,00000000,?,?,00871043,?,753CE610,?,0085FA64), ref: 0081F70D

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: f0d31f32bdb6c4c506e836e8c829aab460c5dcec4544a5c9f9097d19a470eac9
Instruction ID: c8d404985ca29488b8b8b32ff5ee970090325990aefe3218bb5fb704d95faeb5
Opcode Fuzzy Hash: f0d31f32bdb6c4c506e836e8c829aab460c5dcec4544a5c9f9097d19a470eac9
Instruction Fuzzy Hash: 1F513C35604605DFC711EF58C8848ADBBF1FF49314B4980A9E94AEB3A2DB31ED85CB91

Function 00896B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00896C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00896C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00896C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,0087AB79,00000000,00000000), ref: 00896C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00896CC7

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: 5fab29c8255615ffc1047340a4400bccbe542efaf59258c8f308890ec4b18ca7
Instruction ID: f64fdf5c8b87a1efe97299ae484e73a649302b46fdf341aa39d750db6501f8e3
Opcode Fuzzy Hash: 5fab29c8255615ffc1047340a4400bccbe542efaf59258c8f308890ec4b18ca7
Instruction Fuzzy Hash: E041B535604104AFDF25EF28CC58FA57BA5FB09368F190229F899E72E0E371ED61C650

Function 00832051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 008320C3
_free.LIBCMT ref: 008320E3

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: eb936c7e6dafc3ed120b73e32cbfd5f7e9ce05b2486ffef4630d7e5c9653b1fa
Instruction ID: 3ea980d6b5ff3d143a62876f68a99fd49434f822493b9b0b4a7fb7eeafec4b51
Opcode Fuzzy Hash: eb936c7e6dafc3ed120b73e32cbfd5f7e9ce05b2486ffef4630d7e5c9653b1fa
Instruction Fuzzy Hash: 6341D132A00614AFCB24DF78C981A5EB7B5FF89714F1545A8E616EB392DA31AD01CB81

Function 0081912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00819141
ScreenToClient.USER32(00000000,?), ref: 0081915E
GetAsyncKeyState.USER32(00000001), ref: 00819183
GetAsyncKeyState.USER32(00000002), ref: 0081919D

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: f8a18a3d40b03246d86934e4fe3fd325a9f7a2eb0b61eb34dae4c99f70cc102c
Instruction ID: c630ae41da15ca54f485b7f5e2858092a3a653db0de50ee80987203566d710f9
Opcode Fuzzy Hash: f8a18a3d40b03246d86934e4fe3fd325a9f7a2eb0b61eb34dae4c99f70cc102c
Instruction Fuzzy Hash: F841707190850AFBDF059F68D858BEEB778FF05324F248216E865E32D0C7346994CB51

Function 00873874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 008738CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00873922
TranslateMessage.USER32(?), ref: 0087394B
DispatchMessageW.USER32(?), ref: 00873955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00873966

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 20b21a6f2f9c879028465b93ea6004df24ae5aa2185b5e136e9e7ccda79861d2
Instruction ID: 69f2d80b8e6ac1e507cecfb38ef12baaf52b8697ee356a17728bb7d9002615d7
Opcode Fuzzy Hash: 20b21a6f2f9c879028465b93ea6004df24ae5aa2185b5e136e9e7ccda79861d2
Instruction Fuzzy Hash: EA31E870505345BEEF25CB749848BB67FA8FF06304F04866AD56AC21A4D3B5D684EB13

Function 0087CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,0087C21E,00000000), ref: 0087CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 0087CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,0087C21E,00000000), ref: 0087CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,0087C21E,00000000), ref: 0087CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,0087C21E,00000000), ref: 0087CFF2

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 13b525e451161a0f106e20db209eae17cc7e6a837dd856e981085031e1f54e9b
Instruction ID: 42595f9276e8d708cbbbd49a02f5775c0f02fb58b1a444be73a917afea7db949
Opcode Fuzzy Hash: 13b525e451161a0f106e20db209eae17cc7e6a837dd856e981085031e1f54e9b
Instruction Fuzzy Hash: 26317A71600209AFDB20DFA9D884AABBBF9FF14354B14842EF50AE3105DB70EE409B60

Function 00861901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00861915
PostMessageW.USER32(00000001,00000201,00000001), ref: 008619C1
Sleep.KERNEL32(00000000,?,?,?), ref: 008619C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 008619DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 008619E2

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: cdb6dc1f1e13fae8113765bd7620a542ea46213ad999791632f2713c13cb9b87
Instruction ID: 07000b490224a0339e17b7e32b6727f487284fbb0dbb0eacbbd2a4622bb942b6
Opcode Fuzzy Hash: cdb6dc1f1e13fae8113765bd7620a542ea46213ad999791632f2713c13cb9b87
Instruction Fuzzy Hash: 0C319C71A00219EFCB00CFA8C99DA9E3BB5FB04315F594229F921EB2D2C7709944CB90

Function 00895706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00895745
SendMessageW.USER32(?,00001074,?,00000001), ref: 0089579D
_wcslen.LIBCMT ref: 008957AF
_wcslen.LIBCMT ref: 008957BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00895816

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 51d42353044fe66e7f1f9169eb7da02fcd0c0dfcd9542f5f725ab55c42e381fb
Instruction ID: f5b9c938ace578cd5b9f35c239536be8e701a2367a4cce2dd483cd20020cd90c
Opcode Fuzzy Hash: 51d42353044fe66e7f1f9169eb7da02fcd0c0dfcd9542f5f725ab55c42e381fb
Instruction Fuzzy Hash: 4F218771904618AADF61AFA4DC45AED7B78FF14724F144216E929EA180D7708A85CF50

Function 0081990C Relevance: 7.6, APIs: 5, Instructions: 74COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 008198CC
SetTextColor.GDI32(?,?), ref: 008198D6
SetBkMode.GDI32(?,00000001), ref: 008198E9
GetStockObject.GDI32(00000005), ref: 008198F1
GetWindowLongW.USER32(?,000000EB), ref: 00819952

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Color$LongModeObjectStockTextWindow
String ID:
API String ID: 1860813098-0
Opcode ID: 4df2b26f64a0b2bcd44fe94779e7d54d6c22144aab42827357132b241ff23fb8
Instruction ID: edd08cf04259e11fd085113cda23531ee2179fd52488cf51ed3eeee9bc65e95b
Opcode Fuzzy Hash: 4df2b26f64a0b2bcd44fe94779e7d54d6c22144aab42827357132b241ff23fb8
Instruction Fuzzy Hash: D821E9715493909FCB224F34EC68AE53F64FF53331B18429EE9D1CA1A2D7324992CB11

Function 00880930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00880951
GetForegroundWindow.USER32 ref: 00880968
GetDC.USER32(00000000), ref: 008809A4
GetPixel.GDI32(00000000,?,00000003), ref: 008809B0
ReleaseDC.USER32(00000000,00000003), ref: 008809E8

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 666ddaab4187cd42a91d193db189dec905bd62d5cc5abb8224fe2e8e7c6c2213
Instruction ID: 24ddc06b3ed427fce788279324f2f0ccdc998c0bb8acb0eae7980a06f48d4473
Opcode Fuzzy Hash: 666ddaab4187cd42a91d193db189dec905bd62d5cc5abb8224fe2e8e7c6c2213
Instruction Fuzzy Hash: E6216236A00204AFD754EF69CC44A6EBBE5FF48704F04806DE85AD7761DB70AC44CB51

Function 0083CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0083CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0083CDE9

Part of subcall function 00833820: RtlAllocateHeap.NTDLL(00000000,?,008D1444,?,0081FDF5,?,?,0080A976,00000010,008D1440,008013FC,?,008013C6,?,00801129), ref: 00833852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0083CE0F
_free.LIBCMT ref: 0083CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0083CE31

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 1ecf83134e267be958a1ab8ec3d0659f195fbe9127f1dc563e0a2f635b230173
Instruction ID: 47906e8e9fb6448645fc078262f0432a171affc6f4266a921b7fabd8a2b99c87
Opcode Fuzzy Hash: 1ecf83134e267be958a1ab8ec3d0659f195fbe9127f1dc563e0a2f635b230173
Instruction Fuzzy Hash: 9A01AC726012157F2721267AEC4CD7B7D6DFEC6BA1715012AFD05E7201DB628D0193F1

Function 00819639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00819693
SelectObject.GDI32(?,00000000), ref: 008196A2
BeginPath.GDI32(?), ref: 008196B9
SelectObject.GDI32(?,00000000), ref: 008196E2

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: fc50e24c0a6e4f6bda6225c963a709b16618b019512dc6ba53305e60c58f6d39
Instruction ID: f8acbbf54e90ce3d6e784d1905c693201d4b1afe1182f6ba24f79ea3524c2847
Opcode Fuzzy Hash: fc50e24c0a6e4f6bda6225c963a709b16618b019512dc6ba53305e60c58f6d39
Instruction Fuzzy Hash: 2A214A70802205FBDF119F68EC28BE93BA8FF20365F944317F851A61A1D3715896CBA5

Function 00865711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00865726
_memcmp.LIBVCRUNTIME ref: 00865744
_memcmp.LIBVCRUNTIME ref: 00865757
_memcmp.LIBVCRUNTIME ref: 0086576F
_memcmp.LIBVCRUNTIME ref: 00865787

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 8dd3ce20c8305a485b72fc2e70ac5c694356c94a8de2b149dc9384694a3366e2
Instruction ID: 4f2fdd5d4f6534f0b8bf134b8c44b384dc103719c325c9b452861f0fcabd284b
Opcode Fuzzy Hash: 8dd3ce20c8305a485b72fc2e70ac5c694356c94a8de2b149dc9384694a3366e2
Instruction Fuzzy Hash: B101F561241619BBDA0CA514AD86FBB734DFB313A8F158020FE04EE342F725ED6082E1

Function 0086000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0085FF41,80070057,?,?,?,0086035E), ref: 0086002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0085FF41,80070057,?,?), ref: 00860046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0085FF41,80070057,?,?), ref: 00860054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0085FF41,80070057,?), ref: 00860064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0085FF41,80070057,?,?), ref: 00860070

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 41ddf933db7e62f770452ed5bb3ac9770780cc649dd36b5314ac01f9a4413142
Instruction ID: 57628a0b78ac3ceb904fecdba584dbcd4eadc754075fb3e791165db0d008e2c6
Opcode Fuzzy Hash: 41ddf933db7e62f770452ed5bb3ac9770780cc649dd36b5314ac01f9a4413142
Instruction Fuzzy Hash: DD01AD72600604BFDB109F68DC08FAB7AEDFF48792F194125F905E2210E7B2DD409BA0

Function 0086E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 0086E997
QueryPerformanceFrequency.KERNEL32(?), ref: 0086E9A5
Sleep.KERNEL32(00000000), ref: 0086E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 0086E9B7
Sleep.KERNEL32 ref: 0086E9F3

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: e087b22774ee246d068d31b237a98b6635b9969f0b03ae1c2f31f37d8bb76bde
Instruction ID: c070cbc8cae8f794cdd4a4262032e3d480a32e9efff0b0596ddd70752856c383
Opcode Fuzzy Hash: e087b22774ee246d068d31b237a98b6635b9969f0b03ae1c2f31f37d8bb76bde
Instruction Fuzzy Hash: D1011335C0162DDBCF00AFE5D859AEEBF78FF09701F460556E902F2241CB3196558BA6

Function 008610F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00861114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00860B9B,?,?,?), ref: 00861120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00860B9B,?,?,?), ref: 0086112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00860B9B,?,?,?), ref: 00861136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0086114D

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: b44aebc25815ecd04ff4fba75697943c0fe7d1d75a5611c8b4aabe347a739b86
Instruction ID: 5589c469df15ae8b28fc05ccd579aabf5148f410a02e5a511c068a8c54e323e7
Opcode Fuzzy Hash: b44aebc25815ecd04ff4fba75697943c0fe7d1d75a5611c8b4aabe347a739b86
Instruction Fuzzy Hash: CD011D75100205BFDF125FA5DC4DA6A3B6EFF86360B59441AFA45D7360DA32DC009A60

Function 00860FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00860FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00860FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00860FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00860FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00861002

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 52e828d61acd701bbf27200e0e38060b95309b9563628da18845be03316c682a
Instruction ID: 9377d3d8f968aef56d2172e3f51397de7690730d94b5e68b0238ba165db78f03
Opcode Fuzzy Hash: 52e828d61acd701bbf27200e0e38060b95309b9563628da18845be03316c682a
Instruction Fuzzy Hash: 8AF04935200701ABDF216FA49C4DF5A3BADFF89B62F694416FA45C6261CA72DC408A70

Function 00861014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0086102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00861036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00861045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0086104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00861062

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 219ea3237ad43fbcd4fd3889ef1c94ac60b3748380c60fddecf8f1605dfe07e4
Instruction ID: 34c9516ae694fc55101a9a8186fe12d0c27b26a3605fbf5a1042135130a83153
Opcode Fuzzy Hash: 219ea3237ad43fbcd4fd3889ef1c94ac60b3748380c60fddecf8f1605dfe07e4
Instruction Fuzzy Hash: 17F04935200711ABDF21AFA4EC4DF5A3BADFF89761F290416FA45C6261CA72D8408AB0

Function 0087030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,0087017D,?,008732FC,?,00000001,00842592,?), ref: 00870324
CloseHandle.KERNEL32(?,?,?,?,0087017D,?,008732FC,?,00000001,00842592,?), ref: 00870331
CloseHandle.KERNEL32(?,?,?,?,0087017D,?,008732FC,?,00000001,00842592,?), ref: 0087033E
CloseHandle.KERNEL32(?,?,?,?,0087017D,?,008732FC,?,00000001,00842592,?), ref: 0087034B
CloseHandle.KERNEL32(?,?,?,?,0087017D,?,008732FC,?,00000001,00842592,?), ref: 00870358
CloseHandle.KERNEL32(?,?,?,?,0087017D,?,008732FC,?,00000001,00842592,?), ref: 00870365

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 9bc6a25ead70fe620dc7d9b91a473990967127ff02133b1841271fcc8da85485
Instruction ID: 073507c74a1badd152e21627b5e07a26aff391c3e20e25381eace0338b982eb3
Opcode Fuzzy Hash: 9bc6a25ead70fe620dc7d9b91a473990967127ff02133b1841271fcc8da85485
Instruction Fuzzy Hash: 0B019072800B15DFC730AF66D880412F7F5FE502153158A3FD19A92A31C371A954DE80

Function 0083D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0083D752

Part of subcall function 008329C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0083D7D1,00000000,00000000,00000000,00000000,?,0083D7F8,00000000,00000007,00000000,?,0083DBF5,00000000), ref: 008329DE
Part of subcall function 008329C8: GetLastError.KERNEL32(00000000,?,0083D7D1,00000000,00000000,00000000,00000000,?,0083D7F8,00000000,00000007,00000000,?,0083DBF5,00000000,00000000), ref: 008329F0

_free.LIBCMT ref: 0083D764
_free.LIBCMT ref: 0083D776
_free.LIBCMT ref: 0083D788
_free.LIBCMT ref: 0083D79A

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 5152aa6d084eb12419cb5d78579411a5367cdccfaae5e12817497019526a7d6a
Instruction ID: 28d4117e09feea9c10ae3f1a649de5ac06ab77fea863720e22e24c7b144fdee0
Opcode Fuzzy Hash: 5152aa6d084eb12419cb5d78579411a5367cdccfaae5e12817497019526a7d6a
Instruction Fuzzy Hash: ECF01D72545318AB8621EB68F9C6E2A7FEDFB84710FA40845F448E7502CB30FC808AE5

Function 00865C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00865C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00865C6F
MessageBeep.USER32(00000000), ref: 00865C87
KillTimer.USER32(?,0000040A), ref: 00865CA3
EndDialog.USER32(?,00000001), ref: 00865CBD

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: c7f9ccfa66466798887f8ffe1caac1e49a8e0109c0f55b243faf326aa9f0db39
Instruction ID: 9246395327ac5690131b2c0af9010f1d7c23cc92d7b6def722d239c514cc3d15
Opcode Fuzzy Hash: c7f9ccfa66466798887f8ffe1caac1e49a8e0109c0f55b243faf326aa9f0db39
Instruction Fuzzy Hash: 07018170600B04AFEB216B50DD5EFA67BB8FB10B05F05055EA583E10E1DBF5A9948B90

Function 008322A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 008322BE

Part of subcall function 008329C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0083D7D1,00000000,00000000,00000000,00000000,?,0083D7F8,00000000,00000007,00000000,?,0083DBF5,00000000), ref: 008329DE
Part of subcall function 008329C8: GetLastError.KERNEL32(00000000,?,0083D7D1,00000000,00000000,00000000,00000000,?,0083D7F8,00000000,00000007,00000000,?,0083DBF5,00000000,00000000), ref: 008329F0

_free.LIBCMT ref: 008322D0
_free.LIBCMT ref: 008322E3
_free.LIBCMT ref: 008322F4
_free.LIBCMT ref: 00832305

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d8444ba6ea7ee32c99e6be4744d8a267286f69d5785130056f581f82a78b9eab
Instruction ID: 637c81de3f7f40a188f64b7e7b09fbbf5aed84f43f65f3139067e602fb8ae1c7
Opcode Fuzzy Hash: d8444ba6ea7ee32c99e6be4744d8a267286f69d5785130056f581f82a78b9eab
Instruction Fuzzy Hash: 1DF05E748021309B8A12EF98BC01F0D3F64FB58760F11075BF818D22B5CB310812AFE5

Function 008195C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 008195D4
StrokeAndFillPath.GDI32(?,?,008571F7,00000000,?,?,?), ref: 008195F0
SelectObject.GDI32(?,00000000), ref: 00819603
DeleteObject.GDI32 ref: 00819616
StrokePath.GDI32(?), ref: 00819631

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 49e85247755d56e7d28a2becea84479cb15021a38980a3442c47ec8fdd413447
Instruction ID: 1b1d2465db9bfa641670957ebee65d88c963fd0f6e230c1cd0e34f773d115c8f
Opcode Fuzzy Hash: 49e85247755d56e7d28a2becea84479cb15021a38980a3442c47ec8fdd413447
Instruction Fuzzy Hash: 29F0B631006608FBDB166F65ED2C7A43F65FF11322F488316E469950F1C7318995DF24

Function 00830F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 008310F9
__freea.LIBCMT ref: 00831117

Part of subcall function 00831537: _free.LIBCMT ref: 0083154F

Strings

a/p, xrefs: 008311DE
am/pm, xrefs: 0083117A

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 2b91ecf61b5decdc732d8f1057e37ecb91fbd3736417583ba28fae565b122cb4
Instruction ID: cc2f8f2664e90bd34bc34d67e9972c51c9b2775c2b7790991a870825ad30654a
Opcode Fuzzy Hash: 2b91ecf61b5decdc732d8f1057e37ecb91fbd3736417583ba28fae565b122cb4
Instruction Fuzzy Hash: 37D1CE3190020A9ADF289F68C85DBFEB7B1FF85B04F284159E901EBA51D7799D80CBD1

Function 00887B7E Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00820242: EnterCriticalSection.KERNEL32(008D070C,008D1884,?,?,0081198B,008D2518,?,?,?,008012F9,00000000), ref: 0082024D
Part of subcall function 00820242: LeaveCriticalSection.KERNEL32(008D070C,?,0081198B,008D2518,?,?,?,008012F9,00000000), ref: 0082028A

Part of subcall function 00809CB3: _wcslen.LIBCMT ref: 00809CBD

Part of subcall function 008200A3: __onexit.LIBCMT ref: 008200A9

__Init_thread_footer.LIBCMT ref: 00887BFB

Part of subcall function 008201F8: EnterCriticalSection.KERNEL32(008D070C,?,?,00818747,008D2514), ref: 00820202
Part of subcall function 008201F8: LeaveCriticalSection.KERNEL32(008D070C,?,00818747,008D2514), ref: 00820235

Strings

Variable must be of type 'Object'., xrefs: 00887C3A
5, xrefs: 00887C78
G, xrefs: 00887C7F

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: 5$G$Variable must be of type 'Object'.
API String ID: 535116098-3733170431
Opcode ID: 3616245a2223f590ca3f84d82c9c157067c76b5ec373e13f802fdf30c1276d57
Instruction ID: 8b3ab3c51d0ad932cd84e7348ccf2b68282fe80d4f16cbc1570dad887162c7b4
Opcode Fuzzy Hash: 3616245a2223f590ca3f84d82c9c157067c76b5ec373e13f802fdf30c1276d57
Instruction Fuzzy Hash: 2E915970A04209EFCB14EF98D8919ADB7B2FF44304F248159F816EB292DB71EE45CB52

Function 00862716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0086B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,008621D0,?,?,00000034,00000800,?,00000034), ref: 0086B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00862760

Part of subcall function 0086B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,008621FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0086B3F8

Part of subcall function 0086B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0086B355
Part of subcall function 0086B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00862194,00000034,?,?,00001004,00000000,00000000), ref: 0086B365
Part of subcall function 0086B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00862194,00000034,?,?,00001004,00000000,00000000), ref: 0086B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 008627CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0086281A

Strings

@, xrefs: 00862832

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 92148420507071a821d9dcd18083f241a683dfba3e443c209768d7ccdef4fa2e
Instruction ID: cde62b00fd52a8401e15d16b39ae2eaad396eebb045a7397fbab01d33c5d7e78
Opcode Fuzzy Hash: 92148420507071a821d9dcd18083f241a683dfba3e443c209768d7ccdef4fa2e
Instruction Fuzzy Hash: 4F412C72900218AEDB11DBA8CD46FEEBBB8FB09304F014099EA55B7181DB716E85CB61

Function 0083172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 00831769
_free.LIBCMT ref: 00831834
_free.LIBCMT ref: 0083183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 00831760, 00831767, 00831796, 008317CE

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-1957095476
Opcode ID: 7f1e3f207c2d7266842f82c11cc832f7fe2851064a8150a8a901b4d924e1f261
Instruction ID: b89e4afeb9279c86abafb9c0a1a6fa091c62080ec1ee837022e7d0feea444793
Opcode Fuzzy Hash: 7f1e3f207c2d7266842f82c11cc832f7fe2851064a8150a8a901b4d924e1f261
Instruction Fuzzy Hash: AF316A75A00218BBDF21DB99DC89D9EBBBCFFC5B10F1441A6E804D7215DAB08A40CBE5

Function 0086C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0086C306
DeleteMenu.USER32(?,00000007,00000000), ref: 0086C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,008D1990,0163DEC8), ref: 0086C395

Strings

0, xrefs: 0086C2DF

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 674a27a647fd9f94a5156ce0bfe94f18a9446d671e38249d20695e41cda7f3f3
Instruction ID: bb3d030d398ab7420b28eb2f7b797afc26f7af3cca91a8d3ec5738b6a76612e3
Opcode Fuzzy Hash: 674a27a647fd9f94a5156ce0bfe94f18a9446d671e38249d20695e41cda7f3f3
Instruction Fuzzy Hash: 5A417E312043019FD720DF29D945B6ABBA8FB85314F16861EF9A5D73D1D730E904CB62

Function 00894416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0089CC08,00000000,?,?,?,?), ref: 008944AA
GetWindowLongW.USER32 ref: 008944C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 008944D7

Strings

SysTreeView32, xrefs: 0089447C

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 8f5c8eff0462b239375f67c1fdd211612b4b332899978896b473da3758fca003
Instruction ID: 322b0315fec66548a4903a875d687ec8a142f340534ff9a48438d0e473539c61
Opcode Fuzzy Hash: 8f5c8eff0462b239375f67c1fdd211612b4b332899978896b473da3758fca003
Instruction Fuzzy Hash: 8331AB31210605ABDF20AE78DC45FEA7BA9FB08324F285319F979E21D0D770AC519B50

Function 0088304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0088335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00883077,?,?), ref: 00883378

inet_addr.WSOCK32(?), ref: 0088307A
_wcslen.LIBCMT ref: 0088309B
htons.WSOCK32(00000000), ref: 00883106

Strings

255.255.255.255, xrefs: 00883095, 0088309A

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 5b6b268b28f5b7ad5080102290fa8cef9159166f740b3e79e46a910935d95595
Instruction ID: 5804f7b4e5ccbea3d5ff833cbf54b99cfca343596016f8cafa95be09f013717c
Opcode Fuzzy Hash: 5b6b268b28f5b7ad5080102290fa8cef9159166f740b3e79e46a910935d95595
Instruction Fuzzy Hash: 0131D339604205DFCB10EF68C885EAA77E0FF14B18F248069E916DB392DB72EE45C761

Function 00893EB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00893F40
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00893F54
SendMessageW.USER32(?,00001002,00000000,?), ref: 00893F78

Strings

SysMonthCal32, xrefs: 00893F0B

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 074c145135646f8afd3cbfccbb34b3b275dad682fb3fbd0f0755de9bf58b7017
Instruction ID: f86130a67b65bfb9f68d2c18656c47d71e88a87420c80d90d97786b605187b8f
Opcode Fuzzy Hash: 074c145135646f8afd3cbfccbb34b3b275dad682fb3fbd0f0755de9bf58b7017
Instruction Fuzzy Hash: A2219C32600219BBDF22AF54DC46FEA3B79FF48714F150219FA15AB1D0DAB5A9508BA0

Function 00894653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00894705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00894713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0089471A

Strings

msctls_updown32, xrefs: 00894684

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: a3fad8a60a1459e869541132c1f2f1101c2874defc3a64f118dbaca3f9b491ed
Instruction ID: af5b505238f3e69d9ae8c41939227caa1fdbbc4737d916fc808705e6aea64f5c
Opcode Fuzzy Hash: a3fad8a60a1459e869541132c1f2f1101c2874defc3a64f118dbaca3f9b491ed
Instruction Fuzzy Hash: 3C216DB5600208BFEB11EF68DC91DB637ADFB5A394B440049F601D7251DB31EC12CA60

Function 008695AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0086961D

Strings

#requireadmin, xrefs: 008695D9
#OnAutoItStartRegister, xrefs: 008695F3
#notrayicon, xrefs: 008695B7

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: c717db38c6eb9182de9f1880c83f98a7ea7df642bc5dcfaf2f6123fb84eb5a76
Instruction ID: 819f17a46fe8db817cc95932a4b4dcf3eef0458285b9f5a4cced353202b0d4a8
Opcode Fuzzy Hash: c717db38c6eb9182de9f1880c83f98a7ea7df642bc5dcfaf2f6123fb84eb5a76
Instruction Fuzzy Hash: CF213B72104620A6C731AA28DC06FB773DCFF61314F154025F99AD71C1EB75AD85C296

Function 008937B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00893840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00893850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00893876

Strings

Listbox, xrefs: 0089380F

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 12284f3358f866d370ad6361480259105c5d5c2c2bea841cc2938ca647682f5b
Instruction ID: 48b7194614a551e1c7cec0ee902601ff8d207171da5579b6b3a25bbd47290a5f
Opcode Fuzzy Hash: 12284f3358f866d370ad6361480259105c5d5c2c2bea841cc2938ca647682f5b
Instruction Fuzzy Hash: E7218E72610218BBEF21AF94CC85FBB376AFF89754F148125F915AB190C672DC528BA0

Function 008749F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00874A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00874A5C
SetErrorMode.KERNEL32(00000000,?,?,0089CC08), ref: 00874AD0

Strings

%lu, xrefs: 00874A6F

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 91388d2b9fd8315be06e0fc18cb26849b8362366ec3d868272e50fdf72557157
Instruction ID: 73d21f10f7c4857ccb9c8d0e8b1b3abc94ff479dcbde327d6d4149fa69d8983b
Opcode Fuzzy Hash: 91388d2b9fd8315be06e0fc18cb26849b8362366ec3d868272e50fdf72557157
Instruction Fuzzy Hash: CB311075A00119AFDB10DF58C985EAABBF8FF04308F1480A5E909DB252D775ED45CB61

Function 008941EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0089424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00894264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00894271

Strings

msctls_trackbar32, xrefs: 00894226

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: c782b7e664a2dfd208785bb5f43ff40a7a62464e06d9f991381c87f5b6955323
Instruction ID: c6a293f48a03ca2efdb70d77918c59460eaff007c727ffebaf92cb1361e34f61
Opcode Fuzzy Hash: c782b7e664a2dfd208785bb5f43ff40a7a62464e06d9f991381c87f5b6955323
Instruction Fuzzy Hash: 90110632240208BEEF206F69CC06FAB3BACFF95B54F110524FA55E2190D271DC629B20

Function 00862F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00806B57: _wcslen.LIBCMT ref: 00806B6A

Part of subcall function 00862DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00862DC5
Part of subcall function 00862DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00862DD6
Part of subcall function 00862DA7: GetCurrentThreadId.KERNEL32 ref: 00862DDD
Part of subcall function 00862DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00862DE4

GetFocus.USER32 ref: 00862F78

Part of subcall function 00862DEE: GetParent.USER32(00000000), ref: 00862DF9

GetClassNameW.USER32(?,?,00000100), ref: 00862FC3
EnumChildWindows.USER32(?,0086303B), ref: 00862FEB

Strings

%s%d, xrefs: 00862FFF

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: a64d52044c51b9c185e8bd47dbb2fca7eea8fcb34b8a411e2e22c7188d945cc9
Instruction ID: 6a0ee3667d2606ae025ace1824ceb2e6bf7cc18ea7484d81232bdf5291376b9a
Opcode Fuzzy Hash: a64d52044c51b9c185e8bd47dbb2fca7eea8fcb34b8a411e2e22c7188d945cc9
Instruction Fuzzy Hash: 6711D5B12002096BCF417F64CC95FED376AFF94314F0440B9B909DB292DE3199498B61

Function 00895882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 008958C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 008958EE
DrawMenuBar.USER32(?), ref: 008958FD

Strings

0, xrefs: 0089588F

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 8a37ea392a1c57f627ff7722c9b16c44c24de8da9c8ebe68d80ef1aa23fadaa3
Instruction ID: 662c36e1d7709ad8a816172cae2388d9feb4db9f40fe62ed0e8c05936bd76764
Opcode Fuzzy Hash: 8a37ea392a1c57f627ff7722c9b16c44c24de8da9c8ebe68d80ef1aa23fadaa3
Instruction Fuzzy Hash: 46016131500218EFDF51AF15EC44BAEBBB8FF45760F188099F949DA151DB308A84DF21

Function 0086007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a124d5e145415c16dd382b455f940d042e7b7a48687c5e48283dd983e40cb487
Instruction ID: 37902387b3fc9c1409a3920dea4062983d8ca2f06a29522b04aa0859364cb88a
Opcode Fuzzy Hash: a124d5e145415c16dd382b455f940d042e7b7a48687c5e48283dd983e40cb487
Instruction Fuzzy Hash: DFC14875A0020AAFDB15CFA8C894BAEB7B5FF48305F218598E505EB351D731EE41CB94

Function 00833E80 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00833F0B
__alldvrm.LIBCMT ref: 0083410C
__alldvrm.LIBCMT ref: 0083412E

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: 2f515113cf7101786f8cc26bf7ad934458c31174d38ea7ac0c63882aa456002e
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: AAA14872E00B869FDB25CF28C8917AEBBE4FFA1354F14416DE585DB281C638A981C7D1

Function 0088342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00883459
CoUninitialize.OLE32 ref: 00883463
VariantInit.OLEAUT32(?), ref: 0088346E
VariantClear.OLEAUT32(?), ref: 0088371B

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 82b195f76f5eb76dd22457257e596cf3f174a769ed09783fd7e3ef1a84267bac
Instruction ID: 2030df8845041f95da0d96ce43007a58071cd48aec405e3aa7c274656357db55
Opcode Fuzzy Hash: 82b195f76f5eb76dd22457257e596cf3f174a769ed09783fd7e3ef1a84267bac
Instruction Fuzzy Hash: F0A12C756043019FC710EF28C985A6AB7E5FF88714F048859F98ADB3A2DB71EE41CB52

Function 00860436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,0089FC08,?), ref: 008605F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,0089FC08,?), ref: 00860608
CLSIDFromProgID.OLE32(?,?,00000000,0089CC40,000000FF,?,00000000,00000800,00000000,?,0089FC08,?), ref: 0086062D
_memcmp.LIBVCRUNTIME ref: 0086064E

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: b5d58d11281a23afeb74fe69b4946732167255e7fcde13568227abe8a6bbb9b1
Instruction ID: fae24145e5c16cd9f24c6c5e85053d6982a3af8d9e668c3984d2673229fccce4
Opcode Fuzzy Hash: b5d58d11281a23afeb74fe69b4946732167255e7fcde13568227abe8a6bbb9b1
Instruction Fuzzy Hash: 1E810771A00209AFCB04DF94C988EEEB7B9FF89315F214558E506EB250DB71AE06CF64

Function 0088A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0088A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 0088A6BA

Part of subcall function 00809CB3: _wcslen.LIBCMT ref: 00809CBD

Process32NextW.KERNEL32(00000000,?), ref: 0088A79C
CloseHandle.KERNEL32(00000000), ref: 0088A7AB

Part of subcall function 0081CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00843303,?), ref: 0081CE8A

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 52e81d604ecd912b7eb46072ad406330666dfca0d62d7ad6b82a5ade3aa584a2
Instruction ID: ba083f29aab7e8c95c1382f5c5d8a38e215a94b948e723975d3fecd015b91d1b
Opcode Fuzzy Hash: 52e81d604ecd912b7eb46072ad406330666dfca0d62d7ad6b82a5ade3aa584a2
Instruction Fuzzy Hash: 965118715083019FD754EF28C886A6BBBE8FF89754F00892DF585D7292EB70D904CB92

Function 00841391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 008414C0

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 6ac7d2a17e89899b7b32bd03a8aa5652b45ef123e6844fee17460c683761c134
Instruction ID: 4275f61880635cfd59fb4fde28ada4b445fe1e8fbe8f26715e4d371aadde1a29
Opcode Fuzzy Hash: 6ac7d2a17e89899b7b32bd03a8aa5652b45ef123e6844fee17460c683761c134
Instruction Fuzzy Hash: E9412C31A0011CABDF217BBD9C49AAE3AB6FF42370F144225F519D6292E77448C196A7

Function 00896278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 008962E2
ScreenToClient.USER32(?,?), ref: 00896315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00896382

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: b82fb5b5826d88d7f20ee03d42aa81d2e5819ee130c10c3756efeb47e303cbd1
Instruction ID: de1d560f90dcd03baa5e4f2b34739c4817fa72a227610e47e9668f95bb415026
Opcode Fuzzy Hash: b82fb5b5826d88d7f20ee03d42aa81d2e5819ee130c10c3756efeb47e303cbd1
Instruction Fuzzy Hash: 8C512A74A00209AFDF10EF68D8909AE7BB5FF45360F14826AF815DB290E731AD91DB50

Function 00881AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00881AFD
WSAGetLastError.WSOCK32 ref: 00881B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00881B8A
WSAGetLastError.WSOCK32 ref: 00881B94

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: a4beb9041e71e2c3263480c8dde84c43131ebfaf10aca5de522992ba3efeb59e
Instruction ID: 91d999376dcbdcd68f6bc4ad817a03bf3c5187cd2f1ac3f2d25a6c534b77f577
Opcode Fuzzy Hash: a4beb9041e71e2c3263480c8dde84c43131ebfaf10aca5de522992ba3efeb59e
Instruction Fuzzy Hash: FE4160746002006FEB20AF28C886F6577E5FB44718F548558F51ADF3D2DA72DD828B91

Function 0083B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b58be1daac30fcb4dc9668e6a14f0d654524aeb3310222dec4a12f17077d6a9
Instruction ID: cbcdcd003b52a90d12bb4d9b9bc3cf5dbbb95c8283ddcb1950d7d8f4c52e0493
Opcode Fuzzy Hash: 0b58be1daac30fcb4dc9668e6a14f0d654524aeb3310222dec4a12f17077d6a9
Instruction Fuzzy Hash: 054104B5A00318AFD7249F7CCC41BAABBA9FBC8720F10852AF241DB682D771994187C5

Function 008756D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00875783
GetLastError.KERNEL32(?,00000000), ref: 008757A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 008757CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 008757FA

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 41e32aadbb30920ec7ce270c2d6fae889afdd8cc3ad901bc754c71417821411f
Instruction ID: a5b2dda8c6b092f567663782a24c170b67991b61713a3af8cec20801b746e20c
Opcode Fuzzy Hash: 41e32aadbb30920ec7ce270c2d6fae889afdd8cc3ad901bc754c71417821411f
Instruction Fuzzy Hash: 12412F35600610DFCB11EF59C944A5EBBE1FF49320B19C498E84A9B3A6CB75FD40CB92

Function 0083D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,00826D71,00000000,00000000,008282D9,?,008282D9,?,00000001,00826D71,8BE85006,00000001,008282D9,008282D9), ref: 0083D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0083D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0083D9AB
__freea.LIBCMT ref: 0083D9B4

Part of subcall function 00833820: RtlAllocateHeap.NTDLL(00000000,?,008D1444,?,0081FDF5,?,?,0080A976,00000010,008D1440,008013FC,?,008013C6,?,00801129), ref: 00833852

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 3c37ad76c3bebf746788f84bf08fe78b6556e2d84097e570c65b8706c7ab29c7
Instruction ID: 3d7942a413fcebec472e03e41162bc5252c0285a973aaaf8546fa41562fe00fa
Opcode Fuzzy Hash: 3c37ad76c3bebf746788f84bf08fe78b6556e2d84097e570c65b8706c7ab29c7
Instruction Fuzzy Hash: 4C31CD72A0021AABDF259F69EC45EAE7BA5FB80310F050168FC04DB250EB35CD50CBE0

Function 008952C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00895352
GetWindowLongW.USER32(?,000000F0), ref: 00895375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00895382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 008953A8

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: a6b2d6c39f32eceac37457dc8f0bc61154a1f6ce9c045a9e6df374c64538f038
Instruction ID: 25e4b9972b9a3d8a2ec8b5b039c5cdc937f0280b3d604f512d1fe3ed67767379
Opcode Fuzzy Hash: a6b2d6c39f32eceac37457dc8f0bc61154a1f6ce9c045a9e6df374c64538f038
Instruction Fuzzy Hash: 5D31CF34A55A0CEFEF22BA54CC15BE97765FB06390F5C4102FA11D63E1C7B19980BB42

Function 0086AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 0086ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 0086AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 0086AC74
SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 0086ACC6

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: b06043590e8686e1a10b97054ac7d59a61860b15abf239b87057323c9e9b4671
Instruction ID: aa8f958111d47c826776497e0ffbb549152acd52d0109538d5587b16557520b5
Opcode Fuzzy Hash: b06043590e8686e1a10b97054ac7d59a61860b15abf239b87057323c9e9b4671
Instruction Fuzzy Hash: 50310630A00618AFEF39CB69CC05BFA7BA9FB89310F09431AE485E61D1C37599859B53

Function 00897674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0089769A
GetWindowRect.USER32(?,?), ref: 00897710
PtInRect.USER32(?,?,00898B89), ref: 00897720
MessageBeep.USER32(00000000), ref: 0089778C

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: d78d9d33785ecaf5e966adce49508d2f4447e236e22e8b50c98243d63f7935c9
Instruction ID: 1241753c1698f5aa440d3bd02bcb1abaf11708a56d469cc7bd1313b8070d091e
Opcode Fuzzy Hash: d78d9d33785ecaf5e966adce49508d2f4447e236e22e8b50c98243d63f7935c9
Instruction Fuzzy Hash: F1419A34A19254FFDF01EF98C898EA9BBF4FF89304F5941A9E814DB261C331A941CB90

Function 008916DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 008916EB

Part of subcall function 00863A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00863A57
Part of subcall function 00863A3D: GetCurrentThreadId.KERNEL32 ref: 00863A5E
Part of subcall function 00863A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,008625B3), ref: 00863A65

GetCaretPos.USER32(?), ref: 008916FF
ClientToScreen.USER32(00000000,?), ref: 0089174C
GetForegroundWindow.USER32 ref: 00891752

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: d713fc50b632530461b2692ba9e966b87ae53e3d3b7caf5dc6e43bed60ec6145
Instruction ID: a2e83ad5022668c956182ce52d8562387c45f25b7d12ae48008350b30884a614
Opcode Fuzzy Hash: d713fc50b632530461b2692ba9e966b87ae53e3d3b7caf5dc6e43bed60ec6145
Instruction Fuzzy Hash: 00313075D00149AFDB00EFA9C885CAEBBF9FF48304B5480AAE415E7251EB31DE45CBA1

Function 0086DF95 Relevance: 6.1, APIs: 4, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 00807620: _wcslen.LIBCMT ref: 00807625

_wcslen.LIBCMT ref: 0086DFCB
_wcslen.LIBCMT ref: 0086DFE2
_wcslen.LIBCMT ref: 0086E00D
GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 0086E018

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: _wcslen$ExtentPoint32Text
String ID:
API String ID: 3763101759-0
Opcode ID: a459d694b88df6f9288d949e2c351600acb2df027e4bf3276eabbae4ed4e5051
Instruction ID: b9580ced354b28b545313640730c9e629faa275d0524ce7aa89210170ae1ea71
Opcode Fuzzy Hash: a459d694b88df6f9288d949e2c351600acb2df027e4bf3276eabbae4ed4e5051
Instruction Fuzzy Hash: CA21D675D00614EFCB10DFA8D881BAEBBF8FF45750F154065E905FB242D6B09D818BA2

Function 00898FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00819BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00819BB2

GetCursorPos.USER32(?), ref: 00899001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00857711,?,?,?,?,?), ref: 00899016
GetCursorPos.USER32(?), ref: 0089905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00857711,?,?,?), ref: 00899094

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: bab5037c7b682ab12b89b7640d540bc70e6d462e3f3a5c6eb069c3535c93917d
Instruction ID: ad60f25838247e32d7907ec14cd123c06d4c72281b393e8ae2158fd566dc5d1d
Opcode Fuzzy Hash: bab5037c7b682ab12b89b7640d540bc70e6d462e3f3a5c6eb069c3535c93917d
Instruction Fuzzy Hash: F1218D35600418FFCF25AF99CC58EEA7BB9FF49360F09416AF95587261C33299A0DB60

Function 0086D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0089CB68), ref: 0086D2FB
GetLastError.KERNEL32 ref: 0086D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 0086D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0089CB68), ref: 0086D376

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 9bba62d7fd773695897fdefd69567ca4095d7f852317cf510fd76a20eee71ff3
Instruction ID: 5f7be83541876c4be11a68fbcb6c2df4a6fda754e2bcba3697bcaa90ccbe0a58
Opcode Fuzzy Hash: 9bba62d7fd773695897fdefd69567ca4095d7f852317cf510fd76a20eee71ff3
Instruction Fuzzy Hash: F7218D70A083019FC710EF28C98186A77E8FE56328F554A1EF4A9C73E1E7319946CB93

Function 00861571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00861014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0086102A
Part of subcall function 00861014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00861036
Part of subcall function 00861014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00861045
Part of subcall function 00861014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0086104C
Part of subcall function 00861014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00861062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 008615BE
_memcmp.LIBVCRUNTIME ref: 008615E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00861617
HeapFree.KERNEL32(00000000), ref: 0086161E

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: bf725af4a2ebb4187c1e20de9b47e4fb43480aaeefca1ba092ba7b3128a6e9e2
Instruction ID: b0e36e3fc92bd6b443b6c9305953043f88603717fc9e0d949920b5411caa44d8
Opcode Fuzzy Hash: bf725af4a2ebb4187c1e20de9b47e4fb43480aaeefca1ba092ba7b3128a6e9e2
Instruction Fuzzy Hash: 87216631E00108AFDF00DFA8C94ABEEB7B8FF54354F1A4459E441EB242E731AA05CBA0

Function 00892782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 0089280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00892824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00892832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00892840

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 61748d6c541293d2efb321a8a6ad9f342f0773635b32e17ef4863c493f94a95e
Instruction ID: 6bfb5443dda7ac89b470ffb5aba7dea9be339d489462c221e4366cfe6fd59ac2
Opcode Fuzzy Hash: 61748d6c541293d2efb321a8a6ad9f342f0773635b32e17ef4863c493f94a95e
Instruction Fuzzy Hash: 6221AE31204115BFDB14AB28CC44FAA7B95FF45328F188259F426DB6E2CB71EC42C791

Function 008678F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00868D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,0086790A,?,000000FF,?,00868754,00000000,?,0000001C,?,?), ref: 00868D8C
Part of subcall function 00868D7D: lstrcpyW.KERNEL32(00000000,?,?,0086790A,?,000000FF,?,00868754,00000000,?,0000001C,?,?,00000000), ref: 00868DB2
Part of subcall function 00868D7D: lstrcmpiW.KERNEL32(00000000,?,0086790A,?,000000FF,?,00868754,00000000,?,0000001C,?,?), ref: 00868DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00868754,00000000,?,0000001C,?,?,00000000), ref: 00867923
lstrcpyW.KERNEL32(00000000,?,?,00868754,00000000,?,0000001C,?,?,00000000), ref: 00867949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00868754,00000000,?,0000001C,?,?,00000000), ref: 00867984

Strings

cdecl, xrefs: 0086797B

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 525f1f18b84d34b749721488488d0e8aa5bc292b66e404fb222d7b282bfe7330
Instruction ID: 06b1211184ea564ee6da46711cdc77693269974dd96599a571038b8fa8a4b678
Opcode Fuzzy Hash: 525f1f18b84d34b749721488488d0e8aa5bc292b66e404fb222d7b282bfe7330
Instruction Fuzzy Hash: FA11293A200301ABCB156F38C844D7A7BE9FF85354B40402AF906CB364EB35D811C7A1

Function 00897CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00897D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00897D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00897D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0087B7AD,00000000), ref: 00897D6B

Part of subcall function 00819BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00819BB2

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 8a6574157d49d378d336abb5c20dd92fbe8086262c8cef9371529988eb04d335
Instruction ID: 06ee91184c9b10692f92cfc1d1fbc258c7ba82fc7e43459d784c2ab5d36351ea
Opcode Fuzzy Hash: 8a6574157d49d378d336abb5c20dd92fbe8086262c8cef9371529988eb04d335
Instruction Fuzzy Hash: 8011AC71225614AFCF10AF68CC08AA63BA4FF45364F194329F839C72E0D7318D51CB50

Function 00895660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 008956BB
_wcslen.LIBCMT ref: 008956CD
_wcslen.LIBCMT ref: 008956D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00895816

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: be75a1d77ea79fd23bb5edc63e807c93ac73b7f3c87fb81080590bcbbea1cf64
Instruction ID: a02577e062458b893fe0bad38fe8d1206af3175d1705751defdabb2310a80124
Opcode Fuzzy Hash: be75a1d77ea79fd23bb5edc63e807c93ac73b7f3c87fb81080590bcbbea1cf64
Instruction Fuzzy Hash: FA11E671600618A6DF22FF65DC85AEE7BBCFF11764F18412AF915E6181E770CA80CB64

Function 00831D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50829d5884532785e36751cc57682c3454854e42dbd28e1bf8528f2efef54520
Instruction ID: 4f4f68f1d692fd71fd756d2fd14f8cfb34fdc76f980a88da9a62a92390f7fa21
Opcode Fuzzy Hash: 50829d5884532785e36751cc57682c3454854e42dbd28e1bf8528f2efef54520
Instruction Fuzzy Hash: 3B016DB220961A7EFA212A787CC5F676B1DFFC2BB8F341326F521E11D2DB619C0051A1

Function 00861A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00861A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00861A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00861A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00861A8A

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 451215b0319d7c720ccd5b2b37f408e281a6c0af4ef66e933a2940da8ec69673
Instruction ID: 72f839c25688f10a385da1c96a4b29517dd0ae223be39bf4003bb1d42164dffa
Opcode Fuzzy Hash: 451215b0319d7c720ccd5b2b37f408e281a6c0af4ef66e933a2940da8ec69673
Instruction Fuzzy Hash: E211273A901229FFEF11DBA4C985FADBB78FB08750F250492EA04B7290D7716E50DB94

Function 0086E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0086E1FD
MessageBoxW.USER32(?,?,?,?), ref: 0086E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0086E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0086E24D

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: f0d4183d727c6c36b60acd93e7315f330a4932e6756472727a5945ed6775c0e2
Instruction ID: e62af0aa33605046fcd293bcaad68a9f82f58d9aa986a0e3afde2d3366fe8da5
Opcode Fuzzy Hash: f0d4183d727c6c36b60acd93e7315f330a4932e6756472727a5945ed6775c0e2
Instruction Fuzzy Hash: 42110476904218BBCB05AFA8AC09A9E7FADFF45320F044316F824E3390D3B58A0487A0

Function 0082D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,0082CFF9,00000000,00000004,00000000), ref: 0082D218
GetLastError.KERNEL32 ref: 0082D224
__dosmaperr.LIBCMT ref: 0082D22B
ResumeThread.KERNEL32(00000000), ref: 0082D249

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: d8e6b161935999bc92f513e89511a1ef77cb1392516f91e4ae20525c4cdad1d2
Instruction ID: e9049dd7208509d9427e6897d0c82120cd7b14c7d5c4ca12d8a3eca22a0fa2fb
Opcode Fuzzy Hash: d8e6b161935999bc92f513e89511a1ef77cb1392516f91e4ae20525c4cdad1d2
Instruction Fuzzy Hash: 0E01D636405328FBDB116BA9EC09BAE7E69FF81330F10422AF925D21D1CF719981C6A1

Function 00899EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00819BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00819BB2

GetClientRect.USER32(?,?), ref: 00899F31
GetCursorPos.USER32(?), ref: 00899F3B
ScreenToClient.USER32(?,?), ref: 00899F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 00899F7A

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 0267a0dfc20233d34c0be89947ca92f0d4160a4d136feffa5e8cc7e98bb8ecf6
Instruction ID: 3218d1c87f1b5fb4da985aed47344a41cd06f06c95938e0952251fb7ec32e864
Opcode Fuzzy Hash: 0267a0dfc20233d34c0be89947ca92f0d4160a4d136feffa5e8cc7e98bb8ecf6
Instruction Fuzzy Hash: 1411063290051ABBDF10EFA8D8499EEB7B9FF45311F48055AF952E3150DB31BA81CBA1

Function 0080600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0080604C
GetStockObject.GDI32(00000011), ref: 00806060
SendMessageW.USER32(00000000,00000030,00000000), ref: 0080606A

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 237d64e4dc6f2d5b80beec6054107cd9759d6b1e2fd430e2709a7d1bdcd990f4
Instruction ID: e0441524981d65e31eb4fe6c346e1b43fb8817aaadd5f0857719a551987d1fe8
Opcode Fuzzy Hash: 237d64e4dc6f2d5b80beec6054107cd9759d6b1e2fd430e2709a7d1bdcd990f4
Instruction Fuzzy Hash: 64115E72541909BFEF525F949C54EEA7BA9FF18364F040216FA14A2150D7329C709BA0

Function 00823B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00823B56

Part of subcall function 00823AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00823AD2
Part of subcall function 00823AA3: ___AdjustPointer.LIBCMT ref: 00823AED

_UnwindNestedFrames.LIBCMT ref: 00823B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00823B7C
CallCatchBlock.LIBVCRUNTIME ref: 00823BA4

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 57a96f9d232351bcea7ec44e1662ae2104662810588e166a296c8736f95da79f
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: B1012932100158BBDF126E99EC42EEB3F6AFF48764F044014FE48A6121C736E9A1DBB1

Function 00833073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,008013C6,00000000,00000000,?,0083301A,008013C6,00000000,00000000,00000000,?,0083328B,00000006,FlsSetValue), ref: 008330A5
GetLastError.KERNEL32(?,0083301A,008013C6,00000000,00000000,00000000,?,0083328B,00000006,FlsSetValue,008A2290,FlsSetValue,00000000,00000364,?,00832E46), ref: 008330B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0083301A,008013C6,00000000,00000000,00000000,?,0083328B,00000006,FlsSetValue,008A2290,FlsSetValue,00000000), ref: 008330BF

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: ba0863dc0c575703941acad85aa65f15ba1969855ef1e78dcaa9738ef18ca620
Instruction ID: 6c08a87d50c75a396330122b30597291aa7779989be873d6c845ffe6ec742e8c
Opcode Fuzzy Hash: ba0863dc0c575703941acad85aa65f15ba1969855ef1e78dcaa9738ef18ca620
Instruction Fuzzy Hash: 82012B32301A26ABCB354BB8AC94A577B98FF85B71F240721F905E7150C722D901C6E0

Function 00867464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 0086747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00867497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 008674AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 008674CA

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 191a84fa1b27d70f5a69a27d85bcc563d48397bcecf85d1662bec409b5c26c17
Instruction ID: 4f07bd7e1c89738e8567621334a30edc0bcaf40f63d8cdfb301dde3fdaad68ae
Opcode Fuzzy Hash: 191a84fa1b27d70f5a69a27d85bcc563d48397bcecf85d1662bec409b5c26c17
Instruction Fuzzy Hash: CF11EDB0205305ABE7209F14ED0CB927BFCFB00B08F10816AE616D6091DBB1E904CBE4

Function 0086B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0086ACD3,?,00008000), ref: 0086B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0086ACD3,?,00008000), ref: 0086B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0086ACD3,?,00008000), ref: 0086B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0086ACD3,?,00008000), ref: 0086B126

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: f6c74dadd2710573b1c159377a5c31fadf0222e76ffaae897505c95b9ebcc7bb
Instruction ID: 8ed625704996127aaf883266451de57a698d24dfa44a335e8fdc21b2c3e191b3
Opcode Fuzzy Hash: f6c74dadd2710573b1c159377a5c31fadf0222e76ffaae897505c95b9ebcc7bb
Instruction Fuzzy Hash: E9116131C0151DEBCF00AFE4E9596EEBF78FF4A715F124086D941F2145DB3095908B55

Function 00897E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00897E33
ScreenToClient.USER32(?,?), ref: 00897E4B
ScreenToClient.USER32(?,?), ref: 00897E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00897E8A

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 43126736beebe8cbd66e7b607bc484445fcc169ad4ea8cbcaac8cedef8295438
Instruction ID: c2fad51a09b8545a5c1a7365651bcc8cb0d8a931df1c43e5286267066b3e807e
Opcode Fuzzy Hash: 43126736beebe8cbd66e7b607bc484445fcc169ad4ea8cbcaac8cedef8295438
Instruction Fuzzy Hash: 781142B9D0024AAFDB41DF98C884AEEBBF9FF18310F549066E915E3210D735AA54CF90

Function 00862DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00862DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00862DD6
GetCurrentThreadId.KERNEL32 ref: 00862DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00862DE4

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 3bbc4af23fb6969083679893f592decf53432d37e323752289e40880dfe3b0e3
Instruction ID: 7f4d1dd98cef51dab3f825fa3cdeebf3abbce7582079d21d20d0bc118169e8ea
Opcode Fuzzy Hash: 3bbc4af23fb6969083679893f592decf53432d37e323752289e40880dfe3b0e3
Instruction Fuzzy Hash: 1FE092B11016287BDB202B739C0DFEB3E6CFF52BA1F45055AF106D10909AA2C840C6B0

Function 00898863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00819639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00819693
Part of subcall function 00819639: SelectObject.GDI32(?,00000000), ref: 008196A2
Part of subcall function 00819639: BeginPath.GDI32(?), ref: 008196B9
Part of subcall function 00819639: SelectObject.GDI32(?,00000000), ref: 008196E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00898887
LineTo.GDI32(?,?,?), ref: 00898894
EndPath.GDI32(?), ref: 008988A4
StrokePath.GDI32(?), ref: 008988B2

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 875e789f8608da76eaf419c8e919eec827795199dee94b5204ffdd31a0a86b9d
Instruction ID: 7b922cdc4c534b7fb871ba14ef656f66f4f30b1cb535a229a5bebe303eed893e
Opcode Fuzzy Hash: 875e789f8608da76eaf419c8e919eec827795199dee94b5204ffdd31a0a86b9d
Instruction Fuzzy Hash: 4BF03A36042659FADF127F94AC0DFCA3F59BF06310F488102FA11A50E1C7765551CBB9

Function 008198B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 008198CC
SetTextColor.GDI32(?,?), ref: 008198D6
SetBkMode.GDI32(?,00000001), ref: 008198E9
GetStockObject.GDI32(00000005), ref: 008198F1

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 97ffb403a42fcb46453fd1009a5442cdb8d23d839c9651d44c653eb2ed29ea68
Instruction ID: 50fffd5f3a35eb52083ccec8e3cf2c603429e597713bd657bf6c6ee831a1c7cb
Opcode Fuzzy Hash: 97ffb403a42fcb46453fd1009a5442cdb8d23d839c9651d44c653eb2ed29ea68
Instruction Fuzzy Hash: 19E06531244240ABDB216B74BC09BD83F10FB11336F08C21AF7FA940E1C77246449B10

Function 0086162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00861634
OpenThreadToken.ADVAPI32(00000000,?,?,?,008611D9), ref: 0086163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,008611D9), ref: 00861648
OpenProcessToken.ADVAPI32(00000000,?,?,?,008611D9), ref: 0086164F

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: af96083f4ee5a5954e4a1b4e5732535c16f90606ec955e242e4d8fadc7029e2a
Instruction ID: 132fc47aebb1da762e8ec8f610bd99aa8a68bbf17e103d922ab1a52981c61662
Opcode Fuzzy Hash: af96083f4ee5a5954e4a1b4e5732535c16f90606ec955e242e4d8fadc7029e2a
Instruction Fuzzy Hash: BBE08C36602211EBDB202FE1AE0EB863B7CFF54792F1D880AF245C9080E6358440CB60

Function 0085D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0085D858
GetDC.USER32(00000000), ref: 0085D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0085D882
ReleaseDC.USER32(?), ref: 0085D8A3

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 8e1889562a010ce147d0f3ecb67a6040ae95fc013926f88f20c9204d386840d4
Instruction ID: 3ddd6da0ec06de87f3a537d7b80321c8b514de4f082c354e86a01086b273d8a1
Opcode Fuzzy Hash: 8e1889562a010ce147d0f3ecb67a6040ae95fc013926f88f20c9204d386840d4
Instruction Fuzzy Hash: A0E01AB1800205DFCF42AFA0D80866DBBB5FB18311F18841AE806E7250CB3A9945AF51

Function 0085D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0085D86C
GetDC.USER32(00000000), ref: 0085D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0085D882
ReleaseDC.USER32(?), ref: 0085D8A3

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 5841a565cbdcce25d4502059b02644b5be764c9a86b4818a9b2b33b9f2c1c475
Instruction ID: 21eb97bb661c07369737cd54813e66b12010b6e2ebcd9800c521f8d48ed3022d
Opcode Fuzzy Hash: 5841a565cbdcce25d4502059b02644b5be764c9a86b4818a9b2b33b9f2c1c475
Instruction Fuzzy Hash: 7DE012B1800204EFCF42AFA0D80866DBBB5FB18310F18800AE80AE7250CB3A9901AF50

Function 00874D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00807620: _wcslen.LIBCMT ref: 00807625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00874ED4

Strings

LPT, xrefs: 00874DFB
*, xrefs: 00874E10

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 33d6fd87bed5021d18ac2cc7dff1058e62ed4f30e483f48a7fd2d2fc5a1d40b3
Instruction ID: 560f95e09a76289c108a649241d84148fabda621ff3eff7c12c9ca592cba90d8
Opcode Fuzzy Hash: 33d6fd87bed5021d18ac2cc7dff1058e62ed4f30e483f48a7fd2d2fc5a1d40b3
Instruction Fuzzy Hash: D8914C75A002049FCB14DF58C884EA9BBF1FF44318F19D099E40A9B3A6DB71ED85CB91

Function 0082E27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0082E30D

Strings

pow, xrefs: 0082E2E5, 0082E302

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 9d6b3abadc9c9bae251832981583a67e3a6802af8d40b2f9ac69096d289436b6
Instruction ID: cdecedc928b9e3e0eea04b37a48fc4cd4ada1bebd842e984ce279fb5c1468b71
Opcode Fuzzy Hash: 9d6b3abadc9c9bae251832981583a67e3a6802af8d40b2f9ac69096d289436b6
Instruction Fuzzy Hash: B2515CA1A0C10696DB35B718E9053793B94FF80B41F304968E496C27EDDF35CCD19ACA

Function 0081E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 0081E1B1

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 587d8d732d646f83363f8288656b6e54f3b3dca3a07d35d8054798e34c02510d
Instruction ID: 30da81b18b43c44b5224f22af6b4fc4c2b3a2a1c1b454008d1a1e704167722eb
Opcode Fuzzy Hash: 587d8d732d646f83363f8288656b6e54f3b3dca3a07d35d8054798e34c02510d
Instruction Fuzzy Hash: 5C51317590025ADFDB19DF28C891AFA7BA9FF19311F244059FC91DB2C0D6309E86CBA1

Function 0081F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0081F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 0081F2BB

Strings

@, xrefs: 0081F2AF

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 52bf6ba008d42364ce297f5a60d70eb737cdd33ea9e925cbc1dfe7e428a27a64
Instruction ID: aa7d59a2a8fdc163b82e70fce5cd6ffd762f1cd1a4452604f2101694a1bb4cf4
Opcode Fuzzy Hash: 52bf6ba008d42364ce297f5a60d70eb737cdd33ea9e925cbc1dfe7e428a27a64
Instruction Fuzzy Hash: 7E516871418B459BE320AF14DC86BABBBF8FB84300F81495DF29981195EF709529CB67

Function 00885745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 008857E0
_wcslen.LIBCMT ref: 008857EC

Strings

CALLARGARRAY, xrefs: 008857E6, 008857EB

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 5493c9039cca408db71014e56a8ef83cc54005823513d90acdb4df0ccf75fea2
Instruction ID: 1e72271f667a55dd6ec4935f2d7ee5d12ec6a467d1b70479940d2cac799cfe62
Opcode Fuzzy Hash: 5493c9039cca408db71014e56a8ef83cc54005823513d90acdb4df0ccf75fea2
Instruction Fuzzy Hash: 3D419F31E002099FCB14EFA9C8819EEBBB5FF59724F14406AE505E7292E7709D81CBA1

Function 0087D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0087D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 0087D13A

Strings

|, xrefs: 0087D10B

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 6c2e81f2bbeea06d80f20ce61646f47672b823711f86a7edeef4324b5b5a1ff0
Instruction ID: 4737ce9d027a86c2d5aeaebc8f550e2242969397b18714dc15330ca66c82f32c
Opcode Fuzzy Hash: 6c2e81f2bbeea06d80f20ce61646f47672b823711f86a7edeef4324b5b5a1ff0
Instruction Fuzzy Hash: A8311C71D01219ABCF55EFA4CC85AEEBFB9FF04300F504019F819E6166E731A956CB61

Function 0089356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00893621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0089365C

Strings

static, xrefs: 008935BC

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 894b4ed8674651b033e624319c58f71cca9eb9ed1950adfeb0ef64f8bf32fbac
Instruction ID: 5e68ed8a444419e6b8f2c6b03bf821148d255d115e7adf86461afb7cc3904039
Opcode Fuzzy Hash: 894b4ed8674651b033e624319c58f71cca9eb9ed1950adfeb0ef64f8bf32fbac
Instruction Fuzzy Hash: 66318D71100604AEDF11EF68DC80EFB73A9FF98724F048619F8A5D7280DA31AD91D760

Function 00894537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 0089461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00894634

Strings

', xrefs: 0089458E

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 504b3ff00e65e84ad99ba8f618730ee92ca2798985dbafbda255d528c6290042
Instruction ID: 8cf165159863e897f1ae8023b8b08a852d8c0615c1b3a43485589e872f0ab28a
Opcode Fuzzy Hash: 504b3ff00e65e84ad99ba8f618730ee92ca2798985dbafbda255d528c6290042
Instruction Fuzzy Hash: 413117B4A0120AAFDF14DFA9C990BDABBB5FF09300F15516AE905EB341D770A942CF90

Function 008931EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0089327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00893287

Strings

Combobox, xrefs: 00893249

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 36ea2754e4ec93b264764d437b220900d10e53691410ec04297b488b4d16be27
Instruction ID: bb3e0cd527978fe8a8804a1dd3d133c169659f0275b0f186aaaf824cc61a8643
Opcode Fuzzy Hash: 36ea2754e4ec93b264764d437b220900d10e53691410ec04297b488b4d16be27
Instruction Fuzzy Hash: 1711B2713002087FFF25AF94DC84EBB376AFB94365F144129F918E7290D6319D518760

Function 00893710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0080600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0080604C
Part of subcall function 0080600E: GetStockObject.GDI32(00000011), ref: 00806060
Part of subcall function 0080600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0080606A

GetWindowRect.USER32(00000000,?), ref: 0089377A
GetSysColor.USER32(00000012), ref: 00893794

Strings

static, xrefs: 00893757

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: a237170771fd3a8dbe1a78757abd649abc9863a2809bbb22dfa799cf377cf763
Instruction ID: 2f4685d0aac21f2f8307776377cb9f936074a35e7aaecc7b60abb7d2c836643e
Opcode Fuzzy Hash: a237170771fd3a8dbe1a78757abd649abc9863a2809bbb22dfa799cf377cf763
Instruction Fuzzy Hash: 971129B2610209AFDF01EFA8CC45AFA7BB8FB08314F044925F955E2250E735E8619B50

Function 0087CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0087CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0087CDA6

Strings

<local>, xrefs: 0087CD66

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: f0be2a1c8c50dc760c2485a00c0e9a57aec9e039362e3d5888d1e130c20d6fce
Instruction ID: 10ef4d07e697c9a8baa434b89c5372517d136f9b0f5a1cdff11a584b0c501401
Opcode Fuzzy Hash: f0be2a1c8c50dc760c2485a00c0e9a57aec9e039362e3d5888d1e130c20d6fce
Instruction Fuzzy Hash: 8F11A071205635BAD7384AA68C89EE7BEA8FB127A8F00822EB10DC3184D674D840D6F0

Function 00893429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 008934AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 008934BA

Strings

edit, xrefs: 0089348F

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: ac3fdcbdae4ebb63deb7700ab94449667aa0126831963ad20406941f428a065f
Instruction ID: d1b6d4b552b483437ff68152d74004a279cd491fdf9da92607cad85f97b2578c
Opcode Fuzzy Hash: ac3fdcbdae4ebb63deb7700ab94449667aa0126831963ad20406941f428a065f
Instruction Fuzzy Hash: 85119D71100108AAEF12AE64DC44AAA37AAFB25378F554324F961D31D0C732ED519768

Function 00866C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00809CB3: _wcslen.LIBCMT ref: 00809CBD

CharUpperBuffW.USER32(?,?,?), ref: 00866CB6
_wcslen.LIBCMT ref: 00866CC2

Strings

STOP, xrefs: 00866CBC, 00866CC1

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 39d140c8f93d4fcae6b4ee9d534ea28d6b8f890c41569a1fe73ae13ba4914e6c
Instruction ID: d3dda77b3eecfc451da0f7dabf6073d7852bc3dae7efa55c79ca42c5d2d2091d
Opcode Fuzzy Hash: 39d140c8f93d4fcae6b4ee9d534ea28d6b8f890c41569a1fe73ae13ba4914e6c
Instruction Fuzzy Hash: 2501C432A1096A8ACB21AFBDDC809BF77B5FF61714B120528E862D6191FA32D960C650

Function 00861CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00809CB3: _wcslen.LIBCMT ref: 00809CBD

Part of subcall function 00863CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00863CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00861D4C

Strings

ListBox, xrefs: 00861D16
ComboBox, xrefs: 00861CEB

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 2df13f255686c8ab56cc1bc8e471a2ce0e2c6a81f8de6ad9a2ca7894168c3e22
Instruction ID: 6a01332b6d63f022957dc2f2eb1af2041aab77c4a9dce760caf38fb5e34dbad4
Opcode Fuzzy Hash: 2df13f255686c8ab56cc1bc8e471a2ce0e2c6a81f8de6ad9a2ca7894168c3e22
Instruction Fuzzy Hash: 0601D871601218ABCF44EBA8CC55DFE7768FF56350F080519F872E73C2EA3159088761

Function 00861BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00809CB3: _wcslen.LIBCMT ref: 00809CBD

Part of subcall function 00863CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00863CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00861C46

Strings

ListBox, xrefs: 00861C10
ComboBox, xrefs: 00861BE5

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: c494108e1e3c74ab646bb898aa35d5b45b5a7c8dde97c6694b2aafcd7208b0c3
Instruction ID: bcd2bdf5a72d6a4bb9899960583e601d2b129585b84231c0371f8336e87b86bf
Opcode Fuzzy Hash: c494108e1e3c74ab646bb898aa35d5b45b5a7c8dde97c6694b2aafcd7208b0c3
Instruction Fuzzy Hash: F401B171A8010866CF05EB94CD56AFF77A8FB21340F190019E456E32C2EA209E1896B2

Function 00861C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00809CB3: _wcslen.LIBCMT ref: 00809CBD

Part of subcall function 00863CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00863CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00861CC8

Strings

ListBox, xrefs: 00861C94
ComboBox, xrefs: 00861C69

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: dbb4b20cbe7bfb15a85dd309e9ea4405f0b680690a85069d62653847f9fae5ad
Instruction ID: 97f1af695585f01dd8f38c76d10add04accd16b8a14787d54762ab0196e21954
Opcode Fuzzy Hash: dbb4b20cbe7bfb15a85dd309e9ea4405f0b680690a85069d62653847f9fae5ad
Instruction Fuzzy Hash: 0B01A2B1A8011866DF14EBA8CE05EFF77A8FB11340F190019B842F32C3EA219F08D672

Function 00861D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00809CB3: _wcslen.LIBCMT ref: 00809CBD

Part of subcall function 00863CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00863CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00861DD3

Strings

ListBox, xrefs: 00861DA0
ComboBox, xrefs: 00861D75

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: a853b8e5e49771a676924a0e9cb6b59006457064d73677f418e23da97dc0dcf5
Instruction ID: 59ac708b54c17d1f94dd8662ba431658b50fabdfa869aaccb18b5663c7b0c440
Opcode Fuzzy Hash: a853b8e5e49771a676924a0e9cb6b59006457064d73677f418e23da97dc0dcf5
Instruction Fuzzy Hash: 1DF08171A4121866DB04A7A8CC56FFF7778FB11350F090919F862E32C2DA60AA088361

Function 0088747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00887493
_wcslen.LIBCMT ref: 008874B9

Strings

3, 3, 16, 1, xrefs: 00887483

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: 84506b8fc46cac3dfc3d7dc7d321f89ddc2adf85e0ed315a46b00c490b5ec228
Instruction ID: efadeb4b3d22f665e556b9c50f7e805f6ec9fdd0375f1483e078fe0b3f815b07
Opcode Fuzzy Hash: 84506b8fc46cac3dfc3d7dc7d321f89ddc2adf85e0ed315a46b00c490b5ec228
Instruction Fuzzy Hash: D7E02B02204230109231327DACC1A7F5A99FFC5750734282BF985D2276EAD4CDD193B6

Function 00860B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00860B23

Strings

Error allocating memory., xrefs: 00860B1C
AutoIt, xrefs: 00860B17

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: b3bc4e09dcfd59ca30c7bd9bea121f1eee551d65b2daa32cddb2a841fae65c7e
Instruction ID: 1359df5513aee643b001c521bbe2296da153dfd2078ec99424c046e8e8297c9e
Opcode Fuzzy Hash: b3bc4e09dcfd59ca30c7bd9bea121f1eee551d65b2daa32cddb2a841fae65c7e
Instruction Fuzzy Hash: 5AE0483124431836D61537987C03FD97E88FF05B65F14446AF798D95C38AE264E056BA

Function 00820D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0081F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00820D71,?,?,?,0080100A), ref: 0081F7CE

IsDebuggerPresent.KERNEL32(?,?,?,0080100A), ref: 00820D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0080100A), ref: 00820D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00820D7F

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: dc6b99b62c5fdfc62dd2f5d3c2fd1bedee2c3e7c0f9301b94a44320d5dc69fa3
Instruction ID: 8c2808eb2d02d1b811386a1cbe24f32116129fc638502573066ece1199ba322b
Opcode Fuzzy Hash: dc6b99b62c5fdfc62dd2f5d3c2fd1bedee2c3e7c0f9301b94a44320d5dc69fa3
Instruction Fuzzy Hash: 83E06D702017518BD760AFFCE8083467BE4FF00740F044A2EE582C6652DBB5E4888F91

Function 00873017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 0087302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00873044

Strings

aut, xrefs: 00873038

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: b7e29768a778d72841e2cfc4be78284963798d73d678bd970f22865a3a26d770
Instruction ID: e3c1315efbe73427d03b54aa80797e60b1aabab7971044bfc9b6fb963ba77463
Opcode Fuzzy Hash: b7e29768a778d72841e2cfc4be78284963798d73d678bd970f22865a3a26d770
Instruction Fuzzy Hash: C2D05E7250032877DA20A7E4AC0EFCB3B6CEB04750F0002A2B655E2091EAB5D984CAE0

Function 0085D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0085D220

Strings

X64, xrefs: 0085D2A8
%.3d, xrefs: 0085D22B

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 65635e7c3c333a565ef2dea759344dd2ceca1016fc781564f595eaff4a039a90
Instruction ID: 82ebf2e436e697812ab780b1194ccd3c50eb0a7f7034d2e7a743619b4ab795ec
Opcode Fuzzy Hash: 65635e7c3c333a565ef2dea759344dd2ceca1016fc781564f595eaff4a039a90
Instruction Fuzzy Hash: 95D0127580830CE9CB6097E0CC459F9B37CFF08306F908456FD06D1041D634E58CAB62

Function 00892322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0089232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0089233F

Part of subcall function 0086E97B: Sleep.KERNEL32 ref: 0086E9F3

Strings

Shell_TrayWnd, xrefs: 00892325

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 52836cfca81a59dc4745bc4b4e84eb203b792d09179321a0c7f2977492664187
Instruction ID: 36859f35ded1d2a0d9e680eb972b3c4ee392bb07fd7d16a379ae0603df32265d
Opcode Fuzzy Hash: 52836cfca81a59dc4745bc4b4e84eb203b792d09179321a0c7f2977492664187
Instruction Fuzzy Hash: BCD0C936394310B6E6A4B7709C4FFC66A24BF10B10F054A2A7755EA1D4D9B5A8118A54

Function 00892356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0089236C
PostMessageW.USER32(00000000), ref: 00892373

Part of subcall function 0086E97B: Sleep.KERNEL32 ref: 0086E9F3

Strings

Shell_TrayWnd, xrefs: 00892365

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 921ac969ae1008f37ba2d7c1a9d6555043e95f55ecf021c3c5302fb77e1096b4
Instruction ID: fb497b0ccc96818c90d4456fe7d37c25b8775d9f3a3d31e8f8b511cf71e0d53a
Opcode Fuzzy Hash: 921ac969ae1008f37ba2d7c1a9d6555043e95f55ecf021c3c5302fb77e1096b4
Instruction Fuzzy Hash: 64D0C9363813107AE6A4B7709C4FFC66A24BB14B10F054A2A7755EA1D4D9B5A8118A54

Function 0083BDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 0083BE93
GetLastError.KERNEL32 ref: 0083BEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0083BEFC

Memory Dump Source

Source File: 00000000.00000002.1799471202.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1799409628.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799609350.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799711735.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799781500.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 4ef2a8efa833988a0dd58039972ff77f2781da3fb3ed77b5363a3b7abea52b06
Instruction ID: 7ada22fd652caf26fd0b1fc8b2855e043cb7addf9dc816a1b595ceef77e4101e
Opcode Fuzzy Hash: 4ef2a8efa833988a0dd58039972ff77f2781da3fb3ed77b5363a3b7abea52b06
Instruction Fuzzy Hash: 624107B4600216EFCF219F69DC54ABA7BA4FF81310F14516AFA59DB1A1DF308C00CBA1

Analysis Process: firefox.exePID: 7452, Parent PID: 5080COMMON

Execution Graph

Execution Coverage:	0.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	100%
Total number of Nodes:	6
Total number of Limit Nodes:	0

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 0000017C4741A6B7 Relevance: 8.4, APIs: 1, Instructions: 6852nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL ref: 0000017C4741A6DC

Memory Dump Source

Source File: 00000010.00000002.3006484623.0000017C47417000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017C47417000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_17c47417000_firefox.jbxd

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: a3d4a310f25344abd1978f5247c9d082b9ccbb3eaa73dfa71153365510a96fee
Instruction ID: c335243af9409c03482e2705535f9f265f10413a8f96abd8e7105c5be99543ad
Opcode Fuzzy Hash: a3d4a310f25344abd1978f5247c9d082b9ccbb3eaa73dfa71153365510a96fee
Instruction Fuzzy Hash: 7BA3C231618A598BDB2DEF28DC996F973E5FB95300F04522ED94BC7251DF30EA428AC1

Function 0000017C47412769 Relevance: .1, Instructions: 91
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000010.00000002.3006484623.0000017C47411000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017C47411000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_17c47411000_firefox.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28f4482da11a9cb600ede330be5e944646934648c58a466c6f5ffee562e49a23
Instruction ID: 762764ea7d2ff24e20f276574ae93a88c1e098496d4d823828c57fe6f8cfc145
Opcode Fuzzy Hash: 28f4482da11a9cb600ede330be5e944646934648c58a466c6f5ffee562e49a23
Instruction Fuzzy Hash: 1421813150CB8C4FD755EF28C844A56BBE0FB6A314F1546AFE09AC32A2D734D9458782

Source: Joe Sandbox View	IP Address: 34.149.100.209 34.149.100.209
Source: Joe Sandbox View	IP Address: 151.101.129.91 151.101.129.91
Source: Joe Sandbox View	IP Address: 34.117.188.166 34.117.188.166
Source: Joe Sandbox View	IP Address: 34.160.144.191 34.160.144.191

Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache

Source: firefox.exe, 0000000D.00000003.1911798391.00000204E7DF3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1885561992.00000204E7DF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1962163694.00000204EA8E3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1958168677.00000204EA8DB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1932702381.00000204EA8DB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1819838568.00000204E6E66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1962163694.00000204EA8E3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1966160123.00000204E7765000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1958168677.00000204EA8DB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1969504842.00000204E716E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1969504842.00000204E716E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1819838568.00000204E6E66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000010.00000002.3001562041.0000017C46E0A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.3002386355.0000026834E0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000010.00000002.3001562041.0000017C46E0A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.3002386355.0000026834E0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000010.00000002.3001562041.0000017C46E0A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.3002386355.0000026834E0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1962163694.00000204EA8E3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1961949998.00000204EAD3C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1966160123.00000204E7765000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1961949998.00000204EAD3C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1941140632.00000204EAD0B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com- equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1966838333.00000204E72BB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: x://www.facebook.com/platform/impression.php equals www.facebook.com (Facebook)

Source: global traffic	DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic	DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic	DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: example.org
Source: global traffic	DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic	DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: support.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: us-west1.prod.sumo.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: shavar.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: push.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: telemetry-incoming.r53-2.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: firefox.settings.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.remote-settings.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: www.facebook.com
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.wikipedia.org
Source: global traffic	DNS traffic detected: DNS query: dyna.wikimedia.org
Source: global traffic	DNS traffic detected: DNS query: youtube-ui.l.google.com
Source: global traffic	DNS traffic detected: DNS query: star-mini.c10r.facebook.com
Source: global traffic	DNS traffic detected: DNS query: www.reddit.com
Source: global traffic	DNS traffic detected: DNS query: twitter.com
Source: global traffic	DNS traffic detected: DNS query: reddit.map.fastly.net
Source: global traffic	DNS traffic detected: DNS query: services.addons.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: normandy.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: normandy-cdn.services.mozilla.com

Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.4:49750 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49759 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49769 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49771 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.4:49776 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.129.91:443 -> 192.168.2.4:49777 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49775 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49780 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49782 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49781 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.4:49783 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49845 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49846 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49847 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49853 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49855 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49854 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49856 version: TLS 1.2

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 49845 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49856
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49855
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49854
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49853
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49855 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50030
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49804
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49847
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49846
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49845
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49854 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49847 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49856 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49804 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49853 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50030 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49846 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_187fa713-2933-479c-817c-8d6638736cbe.json (copy)

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_187fa713-2933-479c-817c-8d6638736cbe.json.tmp

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

C:\Users\user\AppData\Local\Temp\tmpaddon

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite-shm

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Windows Analysis Report
file.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre