Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1545032
MD5:	17119cd02b34bddf9d552169f1fce6a0
SHA1:	f749847ac71e85256ba23e722f9f84637c9d54ff
SHA256:	4c46b832b2a36c757950ce90dab4e6a11fa583a5374da8e69bb77e713c190f1d
Tags:	exeuser-Bitsight
Infos:

Detection

Credential Flusher

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Credential Flusher

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Connects to many different domains

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

OS version to string mapping found (often used in BOTs)

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

file.exe (PID: 7160 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 17119CD02B34BDDF9D552169F1FCE6A0)

taskkill.exe (PID: 6284 cmdline: taskkill /F /IM firefox.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 5052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 4320 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 344 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 6504 cmdline: taskkill /F /IM msedge.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 5408 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 5836 cmdline: taskkill /F /IM opera.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 3868 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 1020 cmdline: taskkill /F /IM brave.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 1520 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

firefox.exe (PID: 3364 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 2972 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 2200 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 5416 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2192 -parentBuildID 20230927232528 -prefsHandle 2128 -prefMapHandle 2124 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8e207330-ecfa-49ad-8e7c-41356c0cd337} 2200 "\\.\pipe\gecko-crash-server-pipe.2200" 1f3c8b71110 socket MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7240 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3632 -parentBuildID 20230927232528 -prefsHandle 3500 -prefMapHandle 3512 -prefsLen 26338 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9511543d-a1a3-4026-862f-b022304d1792} 2200 "\\.\pipe\gecko-crash-server-pipe.2200" 1f3c8b8ff10 rdd MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7748 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5180 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 2772 -prefMapHandle 5088 -prefsLen 33119 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6ec730ef-4625-445b-87e7-6970859cdae0} 2200 "\\.\pipe\gecko-crash-server-pipe.2200" 1f3e0ef8910 utility MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000003.2106080741.00000000013E0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security
Process Memory Space: file.exe PID: 7160	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security

Code function: 0_2_009CEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_009CEAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009CED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_009CED6A

Source: C:\Users\user\Desktop\file.exe

0_2_009CEAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009BAA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_009BAA57

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009E9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_009E9576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_e4d6035e-c
Source: file.exe, 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_30602752-5
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_54cca8d0-c
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_583104ca-9

Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_000001A4C85A8BF7 NtQuerySystemInformation,		17_2_000001A4C85A8BF7
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_000001A4C87186B2 NtQuerySystemInformation,		17_2_000001A4C87186B2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009BD5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_009BD5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009B1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_009B1201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009BE8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_009BE8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009C2046	0_2_009C2046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00958060	0_2_00958060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009B8298	0_2_009B8298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0098E4FF	0_2_0098E4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0098676B	0_2_0098676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009E4873	0_2_009E4873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0097CAA0	0_2_0097CAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0095CAF0	0_2_0095CAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0096CC39	0_2_0096CC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00986DD9	0_2_00986DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009591C0	0_2_009591C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0096B119	0_2_0096B119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00971394	0_2_00971394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00971706	0_2_00971706
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0097781B	0_2_0097781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009719B0	0_2_009719B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00957920	0_2_00957920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0096997D	0_2_0096997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00977A4A	0_2_00977A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00977CA7	0_2_00977CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00971C77	0_2_00971C77
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00989EEE	0_2_00989EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009DBE44	0_2_009DBE44
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00971F32	0_2_00971F32
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_000001A4C85A8BF7	17_2_000001A4C85A8BF7
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_000001A4C87186B2	17_2_000001A4C87186B2
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_000001A4C8718DDC	17_2_000001A4C8718DDC
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_000001A4C87186F2	17_2_000001A4C87186F2

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00959CB3 appears 31 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00970A30 appears 46 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 0096F9F2 appears 40 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal72.troj.evad.winEXE@34/34@67/12

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009C37B5 GetLastError,FormatMessageW,

0_2_009C37B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009B10BF AdjustTokenPrivileges,CloseHandle,		0_2_009B10BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009B16C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_009B16C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009C51CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_009C51CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009BD4DC CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_009BD4DC

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009C648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_009C648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009542A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_009542A2

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Mozilla\Firefox\SkeletonUILock-c388d246

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5408:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1520:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:344:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3868:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5052:120:WilError_03

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Temp\firefox

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: firefox.exe, 0000000E.00000003.2192426625.000001F3E4881000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2193031512.000001F3E43D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE timestamp BETWEEN date(:dateFrom) AND date(:dateTo);
Source: firefox.exe, 0000000E.00000003.2244345385.000001F3E4836000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2191693125.000001F3E4D8D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2192740537.000001F3E4836000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;

Source: file.exe

ReversingLabs: Detection: 47%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2192 -parentBuildID 20230927232528 -prefsHandle 2128 -prefMapHandle 2124 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8e207330-ecfa-49ad-8e7c-41356c0cd337} 2200 "\\.\pipe\gecko-crash-server-pipe.2200" 1f3c8b71110 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3632 -parentBuildID 20230927232528 -prefsHandle 3500 -prefMapHandle 3512 -prefsLen 26338 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9511543d-a1a3-4026-862f-b022304d1792} 2200 "\\.\pipe\gecko-crash-server-pipe.2200" 1f3c8b8ff10 rdd
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5180 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 2772 -prefMapHandle 5088 -prefsLen 33119 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6ec730ef-4625-445b-87e7-6970859cdae0} 2200 "\\.\pipe\gecko-crash-server-pipe.2200" 1f3e0ef8910 utility
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2192 -parentBuildID 20230927232528 -prefsHandle 2128 -prefMapHandle 2124 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8e207330-ecfa-49ad-8e7c-41356c0cd337} 2200 "\\.\pipe\gecko-crash-server-pipe.2200" 1f3c8b71110 socket	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3632 -parentBuildID 20230927232528 -prefsHandle 3500 -prefMapHandle 3512 -prefsLen 26338 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9511543d-a1a3-4026-862f-b022304d1792} 2200 "\\.\pipe\gecko-crash-server-pipe.2200" 1f3c8b8ff10 rdd	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5180 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 2772 -prefMapHandle 5088 -prefsLen 33119 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6ec730ef-4625-445b-87e7-6970859cdae0} 2200 "\\.\pipe\gecko-crash-server-pipe.2200" 1f3e0ef8910 utility	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: rsaenh.pdb source: firefox.exe, 0000000E.00000003.2191090391.000001F3E4E92000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wshbth.pdbGCTL source: firefox.exe, 0000000E.00000003.2223396893.000001F3D60AF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: xWindows.Security.Integrity.pdb source: firefox.exe, 0000000E.00000003.2191090391.000001F3E4E92000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: winsta.pdb source: firefox.exe, 0000000E.00000003.2191090391.000001F3E4E92000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: bcrypt.pdb source: firefox.exe, 0000000E.00000003.2191353935.000001F3E4DAA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2191353935.000001F3E4DDC000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ktmw32.pdb source: firefox.exe, 0000000E.00000003.2191090391.000001F3E4E92000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: WscApi.pdb source: firefox.exe, 0000000E.00000003.2191090391.000001F3E4E92000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: NapiNSP.pdb source: firefox.exe, 0000000E.00000003.2219720575.000001F3D6099000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2191090391.000001F3E4E92000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: msvcrt.pdb source: firefox.exe, 0000000E.00000003.2191353935.000001F3E4DDC000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: xWindows.StateRepositoryPS.pdb source: firefox.exe, 0000000E.00000003.2191090391.000001F3E4E92000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8WinTypes.pdb source: firefox.exe, 0000000E.00000003.2191090391.000001F3E4E92000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: msimg32.pdb8 source: firefox.exe, 0000000E.00000003.2191090391.000001F3E4E92000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: nssckbi.pdb source: firefox.exe, 0000000E.00000003.2191090391.000001F3E4E92000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: mozglue.pdb source: firefox.exe, 0000000E.00000003.2191353935.000001F3E4DAA000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dcomp.pdb source: firefox.exe, 0000000E.00000003.2191090391.000001F3E4E92000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: winnsi.pdb source: firefox.exe, 0000000E.00000003.2191090391.000001F3E4E92000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: cryptsp.pdb source: firefox.exe, 0000000E.00000003.2191090391.000001F3E4E92000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8dhcpcsvc6.pdb source: firefox.exe, 0000000E.00000003.2191090391.000001F3E4E92000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8softokn3.pdb source: firefox.exe, 0000000E.00000003.2191090391.000001F3E4E92000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: firefox.exe, 0000000E.00000003.2192265974.000001F3E4B5B000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: CLBCatQ.pdb source: firefox.exe, 0000000E.00000003.2191090391.000001F3E4E92000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: urlmon.pdb source: firefox.exe, 0000000E.00000003.2191090391.000001F3E4E92000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8twinapi.appcore.pdb source: firefox.exe, 0000000E.00000003.2191090391.000001F3E4E92000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: firefox.exe, 0000000E.00000003.2192265974.000001F3E4B5B000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: netprofm.pdb source: firefox.exe, 0000000E.00000003.2221269647.000001F3E5433000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\msvcp140.amd64.pdb source: firefox.exe, 0000000E.00000003.2191253530.000001F3E4DF2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8CoreMessaging.pdb source: firefox.exe, 0000000E.00000003.2191090391.000001F3E4E92000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dwmapi.pdb source: firefox.exe, 0000000E.00000003.2191090391.000001F3E4E92000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: firefox.pdb source: firefox.exe, 0000000E.00000003.2191353935.000001F3E4DAA000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: srvcli.pdb source: firefox.exe, 0000000E.00000003.2191090391.000001F3E4E92000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: freebl3.pdb source: firefox.exe, 0000000E.00000003.2191090391.000001F3E4E92000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\msvcp140.amd64.pdb source: firefox.exe, 0000000E.00000003.2192265974.000001F3E4B5B000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8imagehlp.pdb source: firefox.exe, 0000000E.00000003.2191090391.000001F3E4E92000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: mswsock.pdb source: firefox.exe, 0000000E.00000003.2191090391.000001F3E4E92000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8iphlpapi.pdb source: firefox.exe, 0000000E.00000003.2191090391.000001F3E4E92000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: nsi.pdb source: firefox.exe, 0000000E.00000003.2191090391.000001F3E4E92000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8ExplorerFrame.pdb source: firefox.exe, 0000000E.00000003.2191090391.000001F3E4E92000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: winmm.pdb source: firefox.exe, 0000000E.00000003.2191090391.000001F3E4E92000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: firefox.exe, 0000000E.00000003.2192265974.000001F3E4B5B000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8CoreUIComponents.pdb source: firefox.exe, 0000000E.00000003.2191090391.000001F3E4E92000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8osclientcerts.pdb source: firefox.exe, 0000000E.00000003.2191090391.000001F3E4E92000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8cfgmgr32.pdb source: firefox.exe, 0000000E.00000003.2191090391.000001F3E4E92000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: msasn1.pdb source: firefox.exe, 0000000E.00000003.2191090391.000001F3E4E92000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: DWrite.pdb source: firefox.exe, 0000000E.00000003.2191090391.000001F3E4E92000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8iertutil.pdb source: firefox.exe, 0000000E.00000003.2191090391.000001F3E4E92000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8dhcpcsvc.pdb source: firefox.exe, 0000000E.00000003.2191090391.000001F3E4E92000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: pnrpnsp.pdbUGP source: firefox.exe, 0000000E.00000003.2223396893.000001F3D60AF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ncrypt.pdb source: firefox.exe, 0000000E.00000003.2191090391.000001F3E4E92000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8webauthn.pdb source: firefox.exe, 0000000E.00000003.2191090391.000001F3E4E92000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8powrprof.pdb source: firefox.exe, 0000000E.00000003.2191090391.000001F3E4E92000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8ColorAdapterClient.pdb source: firefox.exe, 0000000E.00000003.2191090391.000001F3E4E92000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8MMDevAPI.pdb source: firefox.exe, 0000000E.00000003.2191090391.000001F3E4E92000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wininet.pdb source: firefox.exe, 0000000E.00000003.2191090391.000001F3E4E92000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: UMPDC.pdb source: firefox.exe, 0000000E.00000003.2191090391.000001F3E4E92000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8TextInputFramework.pdb source: firefox.exe, 0000000E.00000003.2191090391.000001F3E4E92000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: pnrpnsp.pdb source: firefox.exe, 0000000E.00000003.2223396893.000001F3D60AF000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2191090391.000001F3E4E92000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wshbth.pdb source: firefox.exe, 0000000E.00000003.2223396893.000001F3D60AF000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2191090391.000001F3E4E92000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8InputHost.pdb source: firefox.exe, 0000000E.00000003.2191090391.000001F3E4E92000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: xOneCoreUAPCommonProxyStub.pdb source: firefox.exe, 0000000E.00000003.2191090391.000001F3E4E92000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8audioses.pdb source: firefox.exe, 0000000E.00000003.2191090391.000001F3E4E92000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8netutils.pdb source: firefox.exe, 0000000E.00000003.2191090391.000001F3E4E92000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8Bcp47mrm.pdb source: firefox.exe, 0000000E.00000003.2191090391.000001F3E4E92000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8rasadhlp.pdb source: firefox.exe, 0000000E.00000003.2191090391.000001F3E4E92000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: sspicli.pdb source: firefox.exe, 0000000E.00000003.2191090391.000001F3E4E92000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8Bcp47Langs.pdb source: firefox.exe, 0000000E.00000003.2191090391.000001F3E4E92000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8wtsapi32.pdb source: firefox.exe, 0000000E.00000003.2191090391.000001F3E4E92000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8taskschd.pdb source: firefox.exe, 0000000E.00000003.2191090391.000001F3E4E92000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: NapiNSP.pdbUGP source: firefox.exe, 0000000E.00000003.2219720575.000001F3D6099000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: dnsapi.pdb source: firefox.exe, 0000000E.00000003.2191090391.000001F3E4E92000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: userenv.pdb source: firefox.exe, 0000000E.00000003.2191090391.000001F3E4E92000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8Windows.UI.pdb source: firefox.exe, 0000000E.00000003.2191090391.000001F3E4E92000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: nlaapi.pdb source: firefox.exe, 0000000E.00000003.2191090391.000001F3E4E92000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8fwpuclnt.pdb source: firefox.exe, 0000000E.00000003.2191090391.000001F3E4E92000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: winhttp.pdb source: firefox.exe, 0000000E.00000003.2191090391.000001F3E4E92000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: msimg32.pdb source: firefox.exe, 0000000E.00000003.2191090391.000001F3E4E92000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ntasn1.pdb source: firefox.exe, 0000000E.00000003.2191090391.000001F3E4E92000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: devobj.pdb source: firefox.exe, 0000000E.00000003.2191090391.000001F3E4E92000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: netprofm.pdbUGP source: firefox.exe, 0000000E.00000003.2221269647.000001F3E5433000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: d3d11.pdb source: firefox.exe, 0000000E.00000003.2191090391.000001F3E4E92000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dbghelp.pdb source: firefox.exe, 0000000E.00000003.2191090391.000001F3E4E92000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8OnDemandConnRouteHelper.pdb source: firefox.exe, 0000000E.00000003.2191090391.000001F3E4E92000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8netprofm.pdb source: firefox.exe, 0000000E.00000003.2191090391.000001F3E4E92000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: profapi.pdb source: firefox.exe, 0000000E.00000003.2191090391.000001F3E4E92000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8Windows.Globalization.pdb source: firefox.exe, 0000000E.00000003.2191090391.000001F3E4E92000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: avrt.pdb source: firefox.exe, 0000000E.00000003.2191090391.000001F3E4E92000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8directmanipulation.pdb source: firefox.exe, 0000000E.00000003.2191090391.000001F3E4E92000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8setupapi.pdb source: firefox.exe, 0000000E.00000003.2191090391.000001F3E4E92000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: propsys.pdb source: firefox.exe, 0000000E.00000003.2191090391.000001F3E4E92000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdb source: gmpopenh264.dll.tmp.14.dr
Source:	Binary string: winrnr.pdb source: firefox.exe, 0000000E.00000003.2191090391.000001F3E4E92000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: msctf.pdb source: firefox.exe, 0000000E.00000003.2191090391.000001F3E4E92000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: version.pdb source: firefox.exe, 0000000E.00000003.2191090391.000001F3E4E92000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dbgcore.pdb source: firefox.exe, 0000000E.00000003.2191090391.000001F3E4E92000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: mscms.pdb source: firefox.exe, 0000000E.00000003.2191090391.000001F3E4E92000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: twinapi.pdb source: firefox.exe, 0000000E.00000003.2191090391.000001F3E4E92000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8DataExchange.pdb source: firefox.exe, 0000000E.00000003.2191090391.000001F3E4E92000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdbV source: gmpopenh264.dll.tmp.14.dr
Source:	Binary string: psapi.pdb source: firefox.exe, 0000000E.00000003.2191090391.000001F3E4E92000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8WindowManagementAPI.pdb source: firefox.exe, 0000000E.00000003.2191090391.000001F3E4E92000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdb source: firefox.exe, 0000000E.00000003.2191353935.000001F3E4DAA000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dxgi.pdb source: firefox.exe, 0000000E.00000003.2191090391.000001F3E4E92000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8npmproxy.pdb source: firefox.exe, 0000000E.00000003.2191090391.000001F3E4E92000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8linkinfo.pdb source: firefox.exe, 0000000E.00000003.2191090391.000001F3E4E92000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8Windows.UI.Immersive.pdb source: firefox.exe, 0000000E.00000003.2191090391.000001F3E4E92000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: crypt32.pdb source: firefox.exe, 0000000E.00000003.2191353935.000001F3E4DAA000.00000004.00000800.00020000.00000000.sdmp

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009542DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_009542DE

Source: gmpopenh264.dll.tmp.14.dr

Static PE information: section name: .rodata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00970A76 push ecx; ret

0_2_00970A89

Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp			Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)			Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0096F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_0096F98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009E1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_009E1C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-98493

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 17_2_000001A4C85A8BF7 rdtsc

17_2_000001A4C85A8BF7

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.5 %

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009BDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_009BDBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0098C2A2 FindFirstFileExW,	0_2_0098C2A2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009C68EE FindFirstFileW,FindClose,	0_2_009C68EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009C698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_009C698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009BD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_009BD076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009BD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_009BD3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009C9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_009C9642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009C979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_009C979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009C9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_009C9B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009C5C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_009C5C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009542DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_009542DE

Source: firefox.exe, 00000012.00000002.3309224379.00000296240DA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW03`$
Source: firefox.exe, 00000010.00000002.3310322329.000001FF3366A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW ]
Source: firefox.exe, 00000011.00000002.3314778162.000001A4C85D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW<
Source: firefox.exe, 00000011.00000002.3314778162.000001A4C85D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllp
Source: firefox.exe, 00000011.00000002.3309741193.000001A4C7EBA000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3314747489.0000029624600000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: firefox.exe, 00000010.00000002.3315787895.000001FF33B1F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: firefox.exe, 00000011.00000002.3314778162.000001A4C85D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlll
Source: firefox.exe, 00000010.00000002.3316585398.000001FF33C00000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll"
Source: firefox.exe, 00000010.00000002.3316585398.000001FF33C00000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: firefox.exe, 00000010.00000002.3316585398.000001FF33C00000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW$

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 17_2_000001A4C85A8BF7 rdtsc

17_2_000001A4C85A8BF7

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009CEAA2 BlockInput,

0_2_009CEAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00982622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00982622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009542DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_009542DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00974CE8 mov eax, dword ptr fs:[00000030h]

0_2_00974CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009B0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_009B0B62

Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00982622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00982622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0097083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0097083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009709D5 SetUnhandledExceptionFilter,	0_2_009709D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00970C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00970C21

Source: C:\Users\user\Desktop\file.exe

0_2_009B1201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00992BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00992BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009BB226 SendInput,keybd_event,

0_2_009BB226

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009D22DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_009D22DA

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

0_2_009B0B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009B1663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_009B1663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00970698 cpuid

0_2_00970698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009C8195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_009C8195

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009AD27A GetUserNameW,

0_2_009AD27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0098B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_0098B952

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009542DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_009542DE

Stealing of Sensitive Information

Yara detected Credential Flusher

Source: Yara match	File source: 00000000.00000003.2106080741.00000000013E0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 7160, type: MEMORYSTR

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected Credential Flusher

Source: Yara match	File source: 00000000.00000003.2106080741.00000000013E0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 7160, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009D1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_009D1204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009D1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_009D1806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	2 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Extra Window Memory Injection	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	1 DLL Side-Loading	NTDS	16 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 Extra Window Memory Injection	LSA Secrets	131 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Process Injection	1 Masquerading	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	2 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	47%	ReversingLabs	Win32.Trojan.CredentialFlusher
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	0%	ReversingLabs

Source	Detection	Scanner	Label
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	0%	URL Reputation	safe
https://datastudio.google.com/embed/reporting/	0%	URL Reputation	safe
http://www.mozilla.com0	0%	URL Reputation	safe
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	0%	URL Reputation	safe
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.	0%	URL Reputation	safe
https://merino.services.mozilla.com/api/v1/suggest	0%	URL Reputation	safe
https://json-schema.org/draft/2019-09/schema.	0%	URL Reputation	safe
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	0%	URL Reputation	safe
https://www.leboncoin.fr/	0%	URL Reputation	safe
https://spocs.getpocket.com/spocs	0%	URL Reputation	safe
https://shavar.services.mozilla.com	0%	URL Reputation	safe
https://completion.amazon.com/search/complete?q=	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	0%	URL Reputation	safe
https://ads.stickyadstv.com/firefox-etp	0%	URL Reputation	safe
https://identity.mozilla.com/ids/ecosystem_telemetryU	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	0%	URL Reputation	safe
https://monitor.firefox.com/breach-details/	0%	URL Reputation	safe
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/addons/addon/	0%	URL Reputation	safe
https://tracking-protection-issues.herokuapp.com/new	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	0%	URL Reputation	safe
https://json-schema.org/draft/2020-12/schema/=	0%	URL Reputation	safe
https://app.adjust.com/167k4ih?campaign=firefox-desktop&adgroup=pb&creative=focus-omc172&redirect=ht	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	0%	URL Reputation	safe
https://api.accounts.firefox.com/v1	0%	URL Reputation	safe
https://ok.ru/	0%	URL Reputation	safe
https://fpn.firefox.com	0%	URL Reputation	safe
https://shavar.services.mozilla.com/downloads?client=SAFEBROWSING_ID&appver=118.0&pver=2.2	0%	URL Reputation	safe
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	0%	URL Reputation	safe
http://win.mail.ru/cgi-bin/sentmsg?mailto=%s	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	0%	URL Reputation	safe
https://MD8.mozilla.org/1/m	0%	URL Reputation	safe
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	0%	URL Reputation	safe
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	0%	URL Reputation	safe
https://bugzilla.mo	0%	URL Reputation	safe
https://mitmdetection.services.mozilla.com/	0%	URL Reputation	safe
https://static.adsafeprotected.com/firefox-etp-js	0%	URL Reputation	safe
https://shavar.services.mozilla.com/	0%	URL Reputation	safe
https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL	0%	URL Reputation	safe
https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref	0%	URL Reputation	safe
https://spocs.getpocket.com/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	0%	URL Reputation	safe
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	0%	URL Reputation	safe
https://monitor.firefox.com/user/breach-stats?includeResolved=true	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1584464	0%	URL Reputation	safe
http://a9.com/-/spec/opensearch/1.0/	0%	URL Reputation	safe
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	0%	URL Reputation	safe
https://monitor.firefox.com/user/dashboard	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1170143	0%	URL Reputation	safe
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	0%	URL Reputation	safe
https://monitor.firefox.com/about	0%	URL Reputation	safe
https://account.bellmedia.c	0%	URL Reputation	safe
https://login.microsoftonline.com	0%	URL Reputation	safe
https://coverage.mozilla.org	0%	URL Reputation	safe
http://crl.thawte.com/ThawteTimestampingCA.crl0	0%	URL Reputation	safe
https://www.zhihu.com/	0%	URL Reputation	safe
http://x1.c.lencr.org/0	0%	URL Reputation	safe
http://x1.i.lencr.org/0	0%	URL Reputation	safe
http://a9.com/-/spec/opensearch/1.1/	0%	URL Reputation	safe
https://infra.spec.whatwg.org/#ascii-whitespace	0%	URL Reputation	safe
https://blocked.cdn.mozilla.net/	0%	URL Reputation	safe
https://json-schema.org/draft/2019-09/schema	0%	URL Reputation	safe
https://duckduckgo.com/?t=ffab&q=	0%	URL Reputation	safe
https://profiler.firefox.com	0%	URL Reputation	safe
https://outlook.live.com/default.aspx?rru=compose&to=%s	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=793869	0%	URL Reputation	safe
https://identity.mozilla.com/apps/relay	0%	URL Reputation	safe
https://mozilla.cloudflare-dns.com/dns-query	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	0%	URL Reputation	safe
https://contile.services.mozilla.com/v1/tiles	0%	URL Reputation	safe
https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
star-mini.c10r.facebook.com	157.240.0.35	true	false	unknown
prod.classify-client.prod.webservices.mozgcp.net	35.190.72.216	true	false	unknown
prod.balrog.prod.cloudops.mozgcp.net	35.244.181.201	true	false	unknown
twitter.com	104.244.42.193	true	false	unknown
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82	true	false	unknown
services.addons.mozilla.org	151.101.129.91	true	false	unknown
dyna.wikimedia.org	185.15.59.224	true	false	unknown
prod.remote-settings.prod.webservices.mozgcp.net	34.149.100.209	true	false	unknown
contile.services.mozilla.com	34.117.188.166	true	false	unknown
youtube.com	142.250.185.238	true	false	unknown
prod.content-signature-chains.prod.webservices.mozgcp.net	34.160.144.191	true	false	unknown
youtube-ui.l.google.com	142.250.185.238	true	false	unknown
us-west1.prod.sumo.prod.webservices.mozgcp.net	34.149.128.2	true	false	unknown
reddit.map.fastly.net	151.101.129.140	true	false	unknown
ipv4only.arpa	192.0.0.170	true	false	unknown
prod.ads.prod.webservices.mozgcp.net	34.117.188.166	true	false	unknown
push.services.mozilla.com	34.107.243.93	true	false	unknown
normandy-cdn.services.mozilla.com	35.201.103.21	true	false	unknown
telemetry-incoming.r53-2.services.mozilla.com	34.120.208.123	true	false	unknown
example.org	unknown	unknown	false	unknown
www.reddit.com	unknown	unknown	false	unknown
spocs.getpocket.com	unknown	unknown	false	unknown
content-signature-2.cdn.mozilla.net	unknown	unknown	false	unknown
support.mozilla.org	unknown	unknown	false	unknown
firefox.settings.services.mozilla.com	unknown	unknown	false	unknown
www.youtube.com	unknown	unknown	false	unknown
www.facebook.com	unknown	unknown	false	unknown
detectportal.firefox.com	unknown	unknown	false	unknown
normandy.cdn.mozilla.net	unknown	unknown	false	unknown
shavar.services.mozilla.com	unknown	unknown	false	unknown
www.wikipedia.org	unknown	unknown	false	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-	firefox.exe, 00000010.00000002.3311790760.000001FF337C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3315013579.000001A4C86D0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3310667031.00000296242B0000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	firefox.exe, 00000012.00000002.3311460496.00000296245C4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	firefox.exe, 00000010.00000002.3311790760.000001FF337C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3315013579.000001A4C86D0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3310667031.00000296242B0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://datastudio.google.com/embed/reporting/	firefox.exe, 0000000E.00000003.2244655007.000001F3E43B9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2193169244.000001F3E43B9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.mozilla.com0	gmpopenh264.dll.tmp.14.dr	false	URL Reputation: safe	unknown
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	firefox.exe, 0000000E.00000003.2113041522.000001F3E0A30000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2233401890.000001F3E0A27000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.	firefox.exe, 00000010.00000002.3312307801.000001FF339CB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3311017364.000001A4C81E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3314959036.0000029624703000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.dr	false	URL Reputation: safe	unknown
https://merino.services.mozilla.com/api/v1/suggest	firefox.exe, 00000012.00000002.3311460496.000002962458F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://json-schema.org/draft/2019-09/schema.	firefox.exe, 0000000E.00000003.2275932022.000001F3E2EC5000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	firefox.exe, 00000010.00000002.3311790760.000001FF337C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3315013579.000001A4C86D0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3310667031.00000296242B0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.leboncoin.fr/	firefox.exe, 0000000E.00000003.2124072002.000001F3E0E44000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2257897903.000001F3E0E44000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2255722344.000001F3E0E44000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2194561432.000001F3E0E44000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://spocs.getpocket.com/spocs	firefox.exe, 0000000E.00000003.2194561432.000001F3E0E05000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://shavar.services.mozilla.com	firefox.exe, 0000000E.00000003.2193712540.000001F3E21DF000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://completion.amazon.com/search/complete?q=	firefox.exe, 0000000E.00000003.2123724861.000001F3E0ED1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2089550344.000001F3D8C6F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2089686876.000001F3D8C8A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	firefox.exe, 00000010.00000002.3311790760.000001FF337C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3315013579.000001A4C86D0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3310667031.00000296242B0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ads.stickyadstv.com/firefox-etp	firefox.exe, 0000000E.00000003.2267956777.000001F3D95C1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2122540569.000001F3D95C1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2129735197.000001F3DA1CD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261014763.000001F3DA1E2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2122540569.000001F3D95B3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2267956777.000001F3D95B3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://identity.mozilla.com/ids/ecosystem_telemetryU	firefox.exe, 0000000E.00000003.2251823222.000001F3E227A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	firefox.exe, 00000010.00000002.3311790760.000001FF337C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3315013579.000001A4C86D0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3310667031.00000296242B0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/breach-details/	firefox.exe, 00000010.00000002.3311790760.000001FF337C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3315013579.000001A4C86D0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3310667031.00000296242B0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/w3c/csswg-drafts/issues/4650	firefox.exe, 0000000E.00000003.2121268901.000001F3DC09A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2256560303.000001F3DC0AF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2125285937.000001F3DC09A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2258761545.000001F3DC0AF000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	firefox.exe, 00000010.00000002.3311790760.000001FF337C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3315013579.000001A4C86D0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3310667031.00000296242B0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/exec/obidos/external-search/	firefox.exe, 0000000E.00000003.2089016371.000001F3D8C1D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2267634732.000001F3DA1A3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2088755014.000001F3D8A00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261368129.000001F3DA1A3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2089339953.000001F3D8C53000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2089184263.000001F3D8C38000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2089550344.000001F3D8C6F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2089686876.000001F3D8C8A000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.msn.com	firefox.exe, 0000000E.00000003.2125285937.000001F3DC0F5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2256414973.000001F3DC0F5000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://github.com/mozilla-services/screenshots	firefox.exe, 0000000E.00000003.2089016371.000001F3D8C1D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2088755014.000001F3D8A00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2089339953.000001F3D8C53000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2089184263.000001F3D8C38000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2089550344.000001F3D8C6F000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://services.addons.mozilla.org/api/v4/addons/addon/	firefox.exe, 00000010.00000002.3311790760.000001FF337C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3315013579.000001A4C86D0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3310667031.00000296242B0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://tracking-protection-issues.herokuapp.com/new	firefox.exe, 00000010.00000002.3311790760.000001FF337C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3315013579.000001A4C86D0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3310667031.00000296242B0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	firefox.exe, 00000010.00000002.3311790760.000001FF337C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3315013579.000001A4C86D0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3310667031.00000296242B0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://youtube.com/	firefox.exe, 0000000E.00000003.2202284202.000001F3DB063000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2276105226.000001F3E2E52000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2284198081.000001F3DB063000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://json-schema.org/draft/2020-12/schema/=	firefox.exe, 0000000E.00000003.2275932022.000001F3E2EC5000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://app.adjust.com/167k4ih?campaign=firefox-desktop&adgroup=pb&creative=focus-omc172&redirect=ht	firefox.exe, 0000000E.00000003.2276366206.000001F3E22CB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	firefox.exe, 00000010.00000002.3311790760.000001FF337C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3315013579.000001A4C86D0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3310667031.00000296242B0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.accounts.firefox.com/v1	firefox.exe, 00000010.00000002.3311790760.000001FF337C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3315013579.000001A4C86D0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3310667031.00000296242B0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ok.ru/	firefox.exe, 0000000E.00000003.2284576614.000001F3DAF83000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/	firefox.exe, 0000000E.00000003.2194561432.000001F3E0E05000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/	firefox.exe, 00000010.00000002.3311790760.000001FF337C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3315013579.000001A4C86D0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3310667031.00000296242B0000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://fpn.firefox.com	firefox.exe, 0000000E.00000003.2271979333.000001F3D82D9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://shavar.services.mozilla.com/downloads?client=SAFEBROWSING_ID&appver=118.0&pver=2.2	firefox.exe, 0000000E.00000003.2195012106.000001F3E0DC5000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	firefox.exe, 00000010.00000002.3311790760.000001FF337C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3315013579.000001A4C86D0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3310667031.00000296242B0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ocsp.rootca1.amazontrust.com0:	firefox.exe, 0000000E.00000003.2202533742.000001F3DAAA4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2122315984.000001F3DAAA4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2285117347.000001F3DAAA4000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://win.mail.ru/cgi-bin/sentmsg?mailto=%s	firefox.exe, 0000000E.00000003.2234223442.000001F3D6B3B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2221890075.000001F3D6B1D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.youtube.com/	firefox.exe, 0000000E.00000003.2194561432.000001F3E0E05000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3311017364.000001A4C8103000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3311460496.000002962450C000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	firefox.exe, 0000000E.00000003.2152072022.000001F3DAB79000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2152966543.000001F3DAB5C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2152794490.000001F3DAB5A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	firefox.exe, 00000010.00000002.3311790760.000001FF337C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3315013579.000001A4C86D0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3310667031.00000296242B0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://MD8.mozilla.org/1/m	firefox.exe, 0000000E.00000003.2254732474.000001F3E0ED1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2194370242.000001F3E0ED1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.bbc.co.uk/	firefox.exe, 0000000E.00000003.2124072002.000001F3E0E44000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2257897903.000001F3E0E44000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2255722344.000001F3E0E44000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2194561432.000001F3E0E44000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://addons.mozilla.org/firefox/addon/to-google-translate/	firefox.exe, 0000000E.00000003.2244858065.000001F3E22C6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2193666123.000001F3E22C6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2276366206.000001F3E22CB000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	firefox.exe, 00000012.00000002.3311460496.00000296245C4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://127.0.0.1:	firefox.exe, 0000000E.00000003.2124329532.000001F3E0D4A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3311790760.000001FF337C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3315013579.000001A4C86D0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3310667031.00000296242B0000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	firefox.exe, 0000000E.00000003.2152072022.000001F3DAB79000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	firefox.exe, 0000000E.00000003.2249868201.000001F3DA31A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mo	firefox.exe, 0000000E.00000003.2244802712.000001F3E4373000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mitmdetection.services.mozilla.com/	firefox.exe, 00000010.00000002.3311790760.000001FF337C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3315013579.000001A4C86D0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3310667031.00000296242B0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://static.adsafeprotected.com/firefox-etp-js	firefox.exe, 0000000E.00000003.2267956777.000001F3D95C1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2122540569.000001F3D95C1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261014763.000001F3DA1E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://youtube.com/account?=	recovery.jsonlz4.tmp.14.dr	false		unknown
https://shavar.services.mozilla.com/	firefox.exe, 0000000E.00000003.2193712540.000001F3E2146000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL	firefox.exe, 0000000E.00000003.2193031512.000001F3E43E8000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref	firefox.exe, 00000010.00000002.3312307801.000001FF339CB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3311017364.000001A4C81E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3314959036.0000029624703000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.dr	false	URL Reputation: safe	unknown
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477	firefox.exe, 00000010.00000002.3312307801.000001FF339CB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3311017364.000001A4C81E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3314959036.0000029624703000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.dr	false		unknown
https://spocs.getpocket.com/	firefox.exe, 0000000E.00000003.2261014763.000001F3DA1D4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3311017364.000001A4C8112000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3311460496.0000029624513000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	firefox.exe, 00000010.00000002.3311790760.000001FF337C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3315013579.000001A4C86D0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3310667031.00000296242B0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	firefox.exe, 00000010.00000002.3311790760.000001FF337C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3315013579.000001A4C86D0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3310667031.00000296242B0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	firefox.exe, 00000010.00000002.3311790760.000001FF337C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3315013579.000001A4C86D0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3310667031.00000296242B0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.iqiyi.com/	firefox.exe, 0000000E.00000003.2124072002.000001F3E0E44000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2257897903.000001F3E0E44000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2255722344.000001F3E0E44000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2284576614.000001F3DAF83000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2194561432.000001F3E0E44000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://youtube.com/account?=https://accounts.google.co	firefox.exe, 00000012.00000002.3310989522.00000296244C0000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r	firefox.exe, 00000010.00000002.3311790760.000001FF337C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3315013579.000001A4C86D0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3310667031.00000296242B0000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://monitor.firefox.com/user/breach-stats?includeResolved=true	firefox.exe, 00000010.00000002.3311790760.000001FF337C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3315013579.000001A4C86D0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3310667031.00000296242B0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	firefox.exe, 00000010.00000002.3311790760.000001FF337C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3315013579.000001A4C86D0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3310667031.00000296242B0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1584464	firefox.exe, 0000000E.00000003.2121268901.000001F3DC09A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2256560303.000001F3DC0AF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2125285937.000001F3DC09A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2258761545.000001F3DC0AF000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://a9.com/-/spec/opensearch/1.0/	firefox.exe, 0000000E.00000003.2279069674.000001F3E0DEA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2195012106.000001F3E0DC5000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi	prefs-1.js.14.dr	false		unknown
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	firefox.exe, 00000010.00000002.3311790760.000001FF337C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3315013579.000001A4C86D0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3310667031.00000296242B0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.inbox.lv/rfc2368/?value=%su	firefox.exe, 0000000E.00000003.2271979333.000001F3D82C2000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://monitor.firefox.com/user/dashboard	firefox.exe, 00000010.00000002.3311790760.000001FF337C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3315013579.000001A4C86D0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3310667031.00000296242B0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1170143	firefox.exe, 0000000E.00000003.2152794490.000001F3DAB5A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	firefox.exe, 00000010.00000002.3311790760.000001FF337C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3315013579.000001A4C86D0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3310667031.00000296242B0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/about	firefox.exe, 00000010.00000002.3311790760.000001FF337C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3315013579.000001A4C86D0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3310667031.00000296242B0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://mozilla.org/MPL/2.0/.	firefox.exe, 0000000E.00000003.2281565473.000001F3DBEA1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2257975561.000001F3E0E05000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2227184299.000001F3DA3D3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2197901968.000001F3DBE86000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2249021792.000001F3DA3D3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2233887047.000001F3D872B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2124896412.000001F3E0998000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2197555440.000001F3DBEB2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2249021792.000001F3DA3DE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2146693151.000001F3D93E0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2136306607.000001F3DA4F6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2146693151.000001F3D93C3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2252858527.000001F3E2228000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2139207890.000001F3DA4F6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2099718153.000001F3D90EE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2202098679.000001F3DB09E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2135312173.000001F3DA4F4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2124896412.000001F3E09ED000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2198788771.000001F3DB4E1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2222072392.000001F3D87E4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2233401890.000001F3E0A7E000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://account.bellmedia.c	firefox.exe, 0000000E.00000003.2125285937.000001F3DC0F5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2256414973.000001F3DC0F5000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://login.microsoftonline.com	firefox.exe, 0000000E.00000003.2125285937.000001F3DC0F5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2256414973.000001F3DC0F5000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://coverage.mozilla.org	firefox.exe, 00000010.00000002.3311790760.000001FF337C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3315013579.000001A4C86D0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3310667031.00000296242B0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0	gmpopenh264.dll.tmp.14.dr	false	URL Reputation: safe	unknown
https://www.zhihu.com/	firefox.exe, 0000000E.00000003.2267264310.000001F3E0910000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2284576614.000001F3DAF83000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2196891766.000001F3E090F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.c.lencr.org/0	firefox.exe, 0000000E.00000003.2202533742.000001F3DAAA4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2122315984.000001F3DAAA4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2244655007.000001F3E43B9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2193169244.000001F3E43B9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2197412760.000001F3DBEF5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2124896412.000001F3E09ED000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2195928518.000001F3E09ED000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2285117347.000001F3DAAA4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.i.lencr.org/0	firefox.exe, 0000000E.00000003.2202533742.000001F3DAAA4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2122315984.000001F3DAAA4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2244655007.000001F3E43B9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2193169244.000001F3E43B9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2197412760.000001F3DBEF5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2124896412.000001F3E09ED000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2195928518.000001F3E09ED000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2285117347.000001F3DAAA4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://a9.com/-/spec/opensearch/1.1/	firefox.exe, 0000000E.00000003.2279069674.000001F3E0DEA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2195012106.000001F3E0DC5000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://infra.spec.whatwg.org/#ascii-whitespace	firefox.exe, 0000000E.00000003.2233401890.000001F3E0A27000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://blocked.cdn.mozilla.net/	firefox.exe, 00000010.00000002.3311790760.000001FF337C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3315013579.000001A4C86D0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3310667031.00000296242B0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://json-schema.org/draft/2019-09/schema	firefox.exe, 0000000E.00000003.2115698748.000001F3D9667000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2124072002.000001F3E0E1C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2257897903.000001F3E0E37000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2194561432.000001F3E0E05000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/?t=ffab&q=	firefox.exe, 0000000E.00000003.2199292002.000001F3DB3DC000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://profiler.firefox.com	firefox.exe, 00000010.00000002.3311790760.000001FF337C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3315013579.000001A4C86D0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3310667031.00000296242B0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://outlook.live.com/default.aspx?rru=compose&to=%s	firefox.exe, 0000000E.00000003.2271979333.000001F3D82C2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2234953674.000001F3D5D73000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=793869	firefox.exe, 0000000E.00000003.2152794490.000001F3DAB5A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://identity.mozilla.com/apps/relay	firefox.exe, 0000000E.00000003.2202943387.000001F3DA9CE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2285443880.000001F3DA9D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mozilla.cloudflare-dns.com/dns-query	firefox.exe, 00000010.00000002.3311790760.000001FF337C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3315013579.000001A4C86D0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3310667031.00000296242B0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	firefox.exe, 0000000E.00000003.2153778379.000001F3DA5A9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2152072022.000001F3DAB79000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2152671407.000001F3DAB90000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mail.yahoo.co.jp/compose/?To=%s	firefox.exe, 0000000E.00000003.2271979333.000001F3D82C2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2234953674.000001F3D5D73000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2234223442.000001F3D6B3B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2221890075.000001F3D6B1D000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://addons.mozilla.org/firefox/addon/reddit-enhancement-suite/	firefox.exe, 0000000E.00000003.2244858065.000001F3E22C6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2193666123.000001F3E22C6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2276366206.000001F3E22CB000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://contile.services.mozilla.com/v1/tiles	firefox.exe, 0000000E.00000003.2195012106.000001F3E0DC5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3311790760.000001FF337C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3315013579.000001A4C86D0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3310667031.00000296242B0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.co.uk/	firefox.exe, 0000000E.00000003.2124072002.000001F3E0E44000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2257897903.000001F3E0E44000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2255722344.000001F3E0E44000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2194561432.000001F3E0E44000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/	firefox.exe, 0000000E.00000003.2193169244.000001F3E43B9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
34.149.100.209	prod.remote-settings.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
151.101.129.91	services.addons.mozilla.org	United States	54113	FASTLYUS	false
34.107.243.93	push.services.mozilla.com	United States	15169	GOOGLEUS	false
142.250.185.238	youtube.com	United States	15169	GOOGLEUS	false
34.107.221.82	prod.detectportal.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
35.244.181.201	prod.balrog.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
34.117.188.166	contile.services.mozilla.com	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
35.201.103.21	normandy-cdn.services.mozilla.com	United States	15169	GOOGLEUS	false
35.190.72.216	prod.classify-client.prod.webservices.mozgcp.net	United States	15169	GOOGLEUS	false
34.160.144.191	prod.content-signature-chains.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.120.208.123	telemetry-incoming.r53-2.services.mozilla.com	United States	15169	GOOGLEUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1545032
Start date and time:	2024-10-30 02:00:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 50s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	21
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal72.troj.evad.winEXE@34/34@67/12
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 94% Number of executed functions: 38 Number of non-executed functions: 313
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 54.185.230.140, 52.11.191.138, 35.160.212.113, 2.22.61.56, 2.22.61.72, 216.58.206.46, 142.250.185.110, 142.250.185.234, 172.217.18.10
Excluded domains from analysis (whitelisted): fs.microsoft.com, shavar.prod.mozaws.net, ciscobinary.openh264.org, slscr.update.microsoft.com, otelrules.azureedge.net, incoming.telemetry.mozilla.org, ctldl.windowsupdate.com, a17.rackcdn.com.mdc.edgesuite.net, detectportal.prod.mozaws.net, aus5.mozilla.org, fe3cr.delivery.mp.microsoft.com, a19.dscg10.akamai.net, ocsp.digicert.com, redirector.gvt1.com, safebrowsing.googleapis.com, location.services.mozilla.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
21:01:03	API Interceptor	1x Sleep call for process: firefox.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
34.117.188.166	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.149.100.209	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
151.101.129.91	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
services.addons.mozilla.org	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
star-mini.c10r.facebook.com	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	157.240.0.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.253.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35
twitter.com	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
FASTLYUS	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	185.199.111.133
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	https://mailhotcmhakamloops.wordpress.com/	Get hash	malicious	Unknown	Browse	151.101.2.137
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	LummaC	Browse	185.199.109.133
	https://www.directo.com.bo/dok	Get hash	malicious	Unknown	Browse	151.101.129.229
ATGS-MMD-ASUS	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	belks.arm.elf	Get hash	malicious	Mirai	Browse	57.44.124.158

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fb0aa01abe9d8e4037eb3473ca6e2dca	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_a1a9b383-fe25-46fd-9c87-e869a68c9ed4.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.1756563829795414
Encrypted:	false
SSDEEP:	192:OeKMXc+xcbhbVbTbfbRbObtbyEl7nIrQJA6wnSrDtTkd/Se:/PRcNhnzFSJorDjnSrDhkd/D
MD5:	4C9E93A5B73E154E4C81B9F7216A12F5
SHA1:	00F5F0A6F0FECA51FB4074A334617D77A14E6154
SHA-256:	2B6A4960BD3E85B7E8F0F840BAED9213F6DEBE82164811DFCC88E9C04111B131
SHA-512:	87B9C02FE3D113C8FBCE6DD474A48E119A59379656EE618AF0E6846A3B9D29A7D461C635E198EAA0D45F0B5EB4120BAEF29628C9C081DB27C6CBDBA29B519192
Malicious:	false
Preview:	{"type":"uninstall","id":"a1a9b383-fe25-46fd-9c87-e869a68c9ed4","creationDate":"2024-10-30T02:21:51.594Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"1fca7bd2-7b44-4c45-b0ea-e0486850ce95","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_a1a9b383-fe25-46fd-9c87-e869a68c9ed4.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.1756563829795414
Encrypted:	false
SSDEEP:	192:OeKMXc+xcbhbVbTbfbRbObtbyEl7nIrQJA6wnSrDtTkd/Se:/PRcNhnzFSJorDjnSrDhkd/D
MD5:	4C9E93A5B73E154E4C81B9F7216A12F5
SHA1:	00F5F0A6F0FECA51FB4074A334617D77A14E6154
SHA-256:	2B6A4960BD3E85B7E8F0F840BAED9213F6DEBE82164811DFCC88E9C04111B131
SHA-512:	87B9C02FE3D113C8FBCE6DD474A48E119A59379656EE618AF0E6846A3B9D29A7D461C635E198EAA0D45F0B5EB4120BAEF29628C9C081DB27C6CBDBA29B519192
Malicious:	false
Preview:	{"type":"uninstall","id":"a1a9b383-fe25-46fd-9c87-e869a68c9ed4","creationDate":"2024-10-30T02:21:51.594Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"1fca7bd2-7b44-4c45-b0ea-e0486850ce95","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ISO Media, MP4 Base Media v1 [ISO 14496-12:2003]
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.4593089050301797
Encrypted:	false
SSDEEP:	48:9SP0nUgwyZXYI65yFRX2D3GNTTfyn0Mk1iA:9SDKaIjo3UzyE1L
MD5:	D910AD167F0217587501FDCDB33CC544
SHA1:	2F57441CEFDC781011B53C1C5D29AC54835AFC1D
SHA-256:	E3699D9404A3FFC1AFF0CA8A3972DC0EF38BDAB927741E9F627C7C55CEA42E81
SHA-512:	F1871BF28FF25EE52BDB99C7A80AB715C7CAC164DCD2FD87E681168EE927FD2C5E80E03C91BB638D955A4627213BF575FF4D9EECAEDA7718C128CF2CE8F7CB3D
Malicious:	false
Preview:	... ftypisom....isomiso2avc1mp41....free....mdat..........E...H..,. .#..x264 - core 152 r2851 ba24899 - H.264/MPEG-4 AVC codec - Copyleft 2003-2017 - http://www.videolan.org/x264.html - options: cabac=1 ref=3 deblock=1:0:0 analyse=0x3:0x113 me=hex subme=7 psy=1 psy_rd=1.00:0.00 mixed_ref=1 me_range=16 chroma_me=1 trellis=1 8x8dct=1 cqm=0 deadzone=21,11 fast_pskip=1 chroma_qp_offset=-2 threads=4 lookahead_threads=1 sliced_threads=0 nr=0 decimate=1 interlaced=0 bluray_compat=0 constrained_intra=0 bframes=3 b_pyramid=2 b_adapt=1 b_bias=0 direct=1 weightb=1 open_gop=0 weightp=2 keyint=250 keyint_min=25 scenecut=40 intra_refresh=0 rc_lookahead=40 rc=crf mbtree=1 crf=23.0 qcomp=0.60 qpmin=0 qpmax=69 qpstep=4 ip_ratio=1.40 aq=1:1.00......e...+...s\|.kG3...'.u.."...,J.w.~.d\..(K....!.+..;....h....(.T.*...M......0..~L..8..B..A.y..R..,.zBP.';j.@.].w..........c......C=.'f....gI.$^.......m5V.L...{U..%V[....8......B..i..^,....:...,..5.m.%dA....moov...lmvhd...................(...........

C:\Users\user\AppData\Local\Temp\tmpaddon

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	453023
Entropy (8bit):	7.997718157581587
Encrypted:	true
SSDEEP:	12288:tESTeqTI2r4ZbCgUKWKNeRcPMb6qlV7hVZe3:tEsed2Xh9/bdzZe3
MD5:	85430BAED3398695717B0263807CF97C
SHA1:	FFFBEE923CEA216F50FCE5D54219A188A5100F41
SHA-256:	A9F4281F82B3579581C389E8583DC9F477C7FD0E20C9DFC91A2E611E21E3407E
SHA-512:	06511F1F6C6D44D076B3C593528C26A602348D9C41689DBF5FF716B671C3CA5756B12CB2E5869F836DEDCE27B1A5CFE79B93C707FD01F8E84B620923BB61B5F1
Malicious:	false
Preview:	PK.........bN...R..........gmpopenh264.dll..\|.E.0.=..I.....1....4f1q.`.........q.....'+....hm{.z..o_.{w........$..($A!...\|L...B&A2.s.{..Dd......c.U.U..9u.S...K.l`...../.d.-....\|.....&....9......wn..x......i.#O.+.Y.l......+....,3.3f..\..c.SSS,............N...GG...F.'.&.:'.K.Z&.>.@.g..M...M.`............ZR....^jg.G.Kb.o~va.....<Z..1.#.O.e.....D..X..i..$imBW..Q&.......P.....,M.,..:.c...-...\...........-i.K.I..4.a..6.....Ov=...W..F.CH.>...a.'.x...#@f...d..u.1....OV.1o}....g.5.._.3.J.Hi.Z.ipM....b.Z....%.G..F................/..3.q..J.....o...%.g.N..}..).3.N%.!..q........^I.m..~...6.#.~+.....A...I]r...x...<IYj....p0..`S.M@.E..f.=.;!.@.....E..E....... .0.n....Jd..d......uM.-.qI.lR..z..=}..r.D.XLZ....x.$..\|c.1.cUkM.&.Qn]..a]t.h...!.6 7..Jd.DvKJ"Wgd*%n...w...Jni.inmr.@M.$'Z.s....#)%..Rs..:.h....R....\..t.6..'.g.........Uj+F.cr:\|..!..K.W.Y...17......,....r.....>.N..3.R.Y.._\...Ir.DNJdM... .k...&V-....z.%...-...D..i..&...6....7.2T).>..0..%.&.

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\ExperimentStoreData.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.921355589055977
Encrypted:	false
SSDEEP:	48:YnSwkmrOVPUFRbOdwNIOdoWLEWLtkDZuwpx5FBvipA6kb92the6LuhakNyqY96xu:8S+OVPUFRbOdwNIOdYpjvY1Q6LDc8P
MD5:	987DED242F83C488B43F2DEB87BDD598
SHA1:	A999370E4FBBBF126609CB99FBDC05B5B51E183F
SHA-256:	77A2DF53438C553E4E560E56C629DCD87CC50D3C818ACCE8DE36952CFC996987
SHA-512:	096E096D3D03D6F12AE2E7407C6C1716061842CFB46B8E47353CE15A96558FA55CA6C70466FDB858724394593B2D0FF4613C031F5968849B3B98306F628E3141
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"3ba649bc-be47-4b92-8762-21cab57bda3b","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-04T13:40:33.697Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\ExperimentStoreData.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.921355589055977
Encrypted:	false
SSDEEP:	48:YnSwkmrOVPUFRbOdwNIOdoWLEWLtkDZuwpx5FBvipA6kb92the6LuhakNyqY96xu:8S+OVPUFRbOdwNIOdYpjvY1Q6LDc8P
MD5:	987DED242F83C488B43F2DEB87BDD598
SHA1:	A999370E4FBBBF126609CB99FBDC05B5B51E183F
SHA-256:	77A2DF53438C553E4E560E56C629DCD87CC50D3C818ACCE8DE36952CFC996987
SHA-512:	096E096D3D03D6F12AE2E7407C6C1716061842CFB46B8E47353CE15A96558FA55CA6C70466FDB858724394593B2D0FF4613C031F5968849B3B98306F628E3141
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"3ba649bc-be47-4b92-8762-21cab57bda3b","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-04T13:40:33.697Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addonStartup.json.lz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 22422 bytes
Category:	dropped
Size (bytes):	5308
Entropy (8bit):	6.599374203470186
Encrypted:	false
SSDEEP:	96:z2YbKsKNU2xWrp327tGmD4wBON6h6cHAHJVauvjZHjkTymdS1/qTMg6Uhm:zTx2x2t0FDJ4NpkuvjdeplTMohm
MD5:	EB56C2F4DA9435F3D5574161F414CD17
SHA1:	74A8FC3EC0559740FD9D835B638354985E2DEAB6
SHA-256:	394E803D5FF8E156DFA7D15E96B51A683F4624A1BCF88EAA532399AC2C9B0966
SHA-512:	DF90568D191C757392FB85BDDA5333C7FE7E3BB370C5DE8C50DD810B938D732E39B5608FB4494CAADAE99E1601989FDFC0FEBDCF70F27FFE581F904170A81E0F
Malicious:	false
Preview:	mozLz40..W....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addonStartup.json.lz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 22422 bytes
Category:	dropped
Size (bytes):	5308
Entropy (8bit):	6.599374203470186
Encrypted:	false
SSDEEP:	96:z2YbKsKNU2xWrp327tGmD4wBON6h6cHAHJVauvjZHjkTymdS1/qTMg6Uhm:zTx2x2t0FDJ4NpkuvjdeplTMohm
MD5:	EB56C2F4DA9435F3D5574161F414CD17
SHA1:	74A8FC3EC0559740FD9D835B638354985E2DEAB6
SHA-256:	394E803D5FF8E156DFA7D15E96B51A683F4624A1BCF88EAA532399AC2C9B0966
SHA-512:	DF90568D191C757392FB85BDDA5333C7FE7E3BB370C5DE8C50DD810B938D732E39B5608FB4494CAADAE99E1601989FDFC0FEBDCF70F27FFE581F904170A81E0F
Malicious:	false
Preview:	mozLz40..W....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addons.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addons.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\content-prefs.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 5, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 8, cookie 0x6, schema 4, largest root page 8, UTF-8, vacuum mode 1, version-valid-for 4
Category:	dropped
Size (bytes):	262144
Entropy (8bit):	0.04905141882491872
Encrypted:	false
SSDEEP:	24:DLSvwae+Q8Uu50xj0aWe9LxYkKA25Q5tvAA:DKwae+QtMImelekKDa5
MD5:	8736A542C5564A922C47B19D9CC5E0F2
SHA1:	CE9D58967DA9B5356D6C1D8A482F9CE74DA9097A
SHA-256:	97CE5D8AFBB0AA610219C4FAC3927E32C91BFFD9FD971AF68C718E7B27E40077
SHA-512:	99777325893DC7A95FD49B2DA18D32D65F97CC7A8E482D78EDC32F63245457FA5A52750800C074D552D20B6A215604161FDC88763D93C76A8703470C3064196B
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......\|....~.}.}z}-\|.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\store.json.mozlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\store.json.mozlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\extensions.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.1867463390487
Encrypted:	false
SSDEEP:	768:JI4avfWX94O6L4x4ME454N4ohvM4T4Pia4T4I4t54U:JI4KvG
MD5:	98875950B62B398FFE70C0A8D0998017
SHA1:	CFCFFF938402E53D341FE392E25D2E6C557E548F
SHA-256:	1B445C7E12712026D4E663426527CE58FD221D2E26545AEA699E67D60F16E7F0
SHA-512:	728FF6FF915A45B44D720F41F9545F41F1BF5FB218D58073BD27DB19145D2225488988BE80FB0F712922D7B661E1A64448E3F71F09A1480B6F20BD2480888ABF
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{7a5650ac-9a89-4807-a040-9f0832bf39a9}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\extensions.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.1867463390487
Encrypted:	false
SSDEEP:	768:JI4avfWX94O6L4x4ME454N4ohvM4T4Pia4T4I4t54U:JI4KvG
MD5:	98875950B62B398FFE70C0A8D0998017
SHA1:	CFCFFF938402E53D341FE392E25D2E6C557E548F
SHA-256:	1B445C7E12712026D4E663426527CE58FD221D2E26545AEA699E67D60F16E7F0
SHA-512:	728FF6FF915A45B44D720F41F9545F41F1BF5FB218D58073BD27DB19145D2225488988BE80FB0F712922D7B661E1A64448E3F71F09A1480B6F20BD2480888ABF
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{7a5650ac-9a89-4807-a040-9f0832bf39a9}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\favicons.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\permissions.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.07329789247562632
Encrypted:	false
SSDEEP:	12:DBl/A0OWla0mwPxRymgObsCVR45wcYR4fmnsCVR4zkiez9/:DLhesh7Owd4+jieR
MD5:	6E589CF9E62405F09DDF971DE2CCEC04
SHA1:	94715F4EB1F3AA48CF6F573348E5A31C1A956D0C
SHA-256:	29649F7DC3D01F86BACC785375984F869C21DFE2D413DB6049E034F7F34BB0A1
SHA-512:	8A1FE2C79C43E2EFF9B9CA7BA511AA5E170012E0F90832E381457F58EE1EB80BF250A0545F95E5B8DBFFD28B39765E173427574E4982DA4F3058F8138177766D
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......~s..F~s........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.034551466631645426
Encrypted:	false
SSDEEP:	3:GtlstFxTydrqptlstFxTydrqoJ89//alEl:GtWt3ptWt3G89XuM
MD5:	BDF7233BCF9EA8D43F84EBEC409543C3
SHA1:	4E47D3539641965E18F05170370CCF0E07A431F5
SHA-256:	518A55D60BD726E0A4F48687382CF1FD1FD1859F0573449D3A2990D7BD722DB7
SHA-512:	09474985B2D1FAC76A0CD587F4D1C0BCCA98405B0C68AAADF6C41830240C4A45654935FDE336DF41F227DCB5D46312E3DB3E884262860A56E68C0ECB691E7814
Malicious:	false
Preview:	..-........................].n..,...1..`>...y....-........................].n..,...1..`>...y..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-wal

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	dropped
Size (bytes):	32824
Entropy (8bit):	0.03893339845396495
Encrypted:	false
SSDEEP:	3:Ol1MlGKG91dMAoectwLjvQwl8rEXsxdwhml8XW3R2:KSo91vctyvDl8dMhm93w
MD5:	F01D76C163FDF7EDB816AFD4C76A6944
SHA1:	F6B4CEA332909307E8FE8A731EA47ABE02401713
SHA-256:	759F9C93C2800F27713F1E5542F69485DA98633E8FCAA74A923F0576C6841223
SHA-512:	0110C3658A9529D8452C82ADD739D9A43652A8396252E8671E8B079E4AB1B10F2333F7C7865820C9BFE75EC172727842DEF53EB0C5FB98C6151BDD42181D7B7B
Malicious:	false
Preview:	7....-...........,...1..x./ ..8..........,...1.......n.]................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs-1.js

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1743), with CRLF line terminators
Category:	dropped
Size (bytes):	13187
Entropy (8bit):	5.477203815391236
Encrypted:	false
SSDEEP:	192:enPOeRnLYbBp6QJ0aX+76SEXKrJN7X5RHWNBw8dGSl:0DeZJUumjnHEwV0
MD5:	58CB4EC85C931DF5C0BAD92F88A036FB
SHA1:	F6A8E8DAD5A1BF02AFE5DE491D0F817841FE35E6
SHA-256:	64214F7569ACB44EA0783692E34427EFE6F2C722FA93AD56E7FDD5CB08501C60
SHA-512:	5376052EC053D5FF59C2CC419DFDD54D118D225EAB0341F34BC2B4599EF10950D13090E12C66F2AA8FE65A1FB57EECF24DB5335EA7AF89AB16078BB7B3DCAAD2
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "9e34c6e7-cbed-40a0-ba63-35488e171013");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1730254882);..user_pref("app.update.lastUpdateTime.background-update-timer", 1730254882);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1730254882);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173025

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1743), with CRLF line terminators
Category:	dropped
Size (bytes):	13187
Entropy (8bit):	5.477203815391236
Encrypted:	false
SSDEEP:	192:enPOeRnLYbBp6QJ0aX+76SEXKrJN7X5RHWNBw8dGSl:0DeZJUumjnHEwV0
MD5:	58CB4EC85C931DF5C0BAD92F88A036FB
SHA1:	F6A8E8DAD5A1BF02AFE5DE491D0F817841FE35E6
SHA-256:	64214F7569ACB44EA0783692E34427EFE6F2C722FA93AD56E7FDD5CB08501C60
SHA-512:	5376052EC053D5FF59C2CC419DFDD54D118D225EAB0341F34BC2B4599EF10950D13090E12C66F2AA8FE65A1FB57EECF24DB5335EA7AF89AB16078BB7B3DCAAD2
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "9e34c6e7-cbed-40a0-ba63-35488e171013");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1730254882);..user_pref("app.update.lastUpdateTime.background-update-timer", 1730254882);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1730254882);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173025

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\protections.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 1, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 2, cookie 0x1, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.04062825861060003
Encrypted:	false
SSDEEP:	3:lSGBl/l/zl9l/AltllPltlnKollzvulJOlzALRWemFxu7TuRjBFbrl58lcV+wgn8:ltBl/lqN1K4BEJYqWvLue3FMOrMZ0l
MD5:	60C09456D6362C6FBED48C69AA342C3C
SHA1:	58B6E22DAA48C75958B429F662DEC1C011AE74D3
SHA-256:	FE1A432A2CD096B7EEA870D46D07F5197E34B4D10666E6E1C357FAA3F2FE2389
SHA-512:	936DBC887276EF07732783B50EAFE450A8598B0492B8F6C838B337EF3E8A6EA595E7C7A2FA4B3E881887FAAE2D207B953A4C65ED8C964D93118E00D3E03882BD
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......x..x..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionCheckpoints.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionCheckpoints.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionstore-backups\recovery.baklz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1563
Entropy (8bit):	6.3464269049318185
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSILXnIro/pnxQwRcWT5sKmgb0QX3eHVpjO+ouamhujJkO2c0Tkm0BV:GUpOx5FnRcoegHX3erjxou4JkclBtb
MD5:	333E886A32AEAED5855417146659D269
SHA1:	EE4C1A431DEB3E046713A35E5F89AA2646AF8AE8
SHA-256:	6E95E15D432CC350227F4E6BB9E5B3FD94EF754F1663A164FDA81D074DC69D8A
SHA-512:	812A83A1CBD184EB90223E269F63A55D7FFA5825B1011EDF5E03953DCBA292B46C6EEE4781B4AB59A49F17AE58B8FB7E6FFE5B52EFA2D4EBA08837E1B9A47A16
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":7,"docshellUU...D"{d695f579-7b91-43a1-a9a7-10b7ef4465d2}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":8,"persistK..+}],"lastAccessed":1730254886180,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2150633470....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...98952893-68ff-4a5d-a164-705c709ed3db","zD..1...Wm..l........j..:....1":{..jUpdate.....wtartTim..P51215...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...'b03116d8508741e1c0453eca6046028f71c7c2b904be5e0a0d4686...b1764f","pa..p"/","na..a"taarI\|.Tecure2..C.Donly..fexpiry...55201,"originA...."fi

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionstore-backups\recovery.jsonlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1563
Entropy (8bit):	6.3464269049318185
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSILXnIro/pnxQwRcWT5sKmgb0QX3eHVpjO+ouamhujJkO2c0Tkm0BV:GUpOx5FnRcoegHX3erjxou4JkclBtb
MD5:	333E886A32AEAED5855417146659D269
SHA1:	EE4C1A431DEB3E046713A35E5F89AA2646AF8AE8
SHA-256:	6E95E15D432CC350227F4E6BB9E5B3FD94EF754F1663A164FDA81D074DC69D8A
SHA-512:	812A83A1CBD184EB90223E269F63A55D7FFA5825B1011EDF5E03953DCBA292B46C6EEE4781B4AB59A49F17AE58B8FB7E6FFE5B52EFA2D4EBA08837E1B9A47A16
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":7,"docshellUU...D"{d695f579-7b91-43a1-a9a7-10b7ef4465d2}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":8,"persistK..+}],"lastAccessed":1730254886180,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2150633470....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...98952893-68ff-4a5d-a164-705c709ed3db","zD..1...Wm..l........j..:....1":{..jUpdate.....wtartTim..P51215...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...'b03116d8508741e1c0453eca6046028f71c7c2b904be5e0a0d4686...b1764f","pa..p"/","na..a"taarI\|.Tecure2..C.Donly..fexpiry...55201,"originA...."fi

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionstore-backups\recovery.jsonlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1563
Entropy (8bit):	6.3464269049318185
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSILXnIro/pnxQwRcWT5sKmgb0QX3eHVpjO+ouamhujJkO2c0Tkm0BV:GUpOx5FnRcoegHX3erjxou4JkclBtb
MD5:	333E886A32AEAED5855417146659D269
SHA1:	EE4C1A431DEB3E046713A35E5F89AA2646AF8AE8
SHA-256:	6E95E15D432CC350227F4E6BB9E5B3FD94EF754F1663A164FDA81D074DC69D8A
SHA-512:	812A83A1CBD184EB90223E269F63A55D7FFA5825B1011EDF5E03953DCBA292B46C6EEE4781B4AB59A49F17AE58B8FB7E6FFE5B52EFA2D4EBA08837E1B9A47A16
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":7,"docshellUU...D"{d695f579-7b91-43a1-a9a7-10b7ef4465d2}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":8,"persistK..+}],"lastAccessed":1730254886180,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2150633470....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...98952893-68ff-4a5d-a164-705c709ed3db","zD..1...Wm..l........j..:....1":{..jUpdate.....wtartTim..P51215...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...'b03116d8508741e1c0453eca6046028f71c7c2b904be5e0a0d4686...b1764f","pa..p"/","na..a"taarI\|.Tecure2..C.Donly..fexpiry...55201,"originA...."fi

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 131075, last written using SQLite version 3042000, page size 512, file counter 6, database pages 8, cookie 0x4, schema 4, UTF-8, version-valid-for 6
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	2.0836444556178684
Encrypted:	false
SSDEEP:	24:JBwdh/cEUcR9PzNFPFHx/GJRBdkOrDcRB1trwDeAq2gRMyxr3:jnEUo9LXtR+JdkOnohYsl
MD5:	8B40B1534FF0F4B533AF767EB5639A05
SHA1:	63EDB539EA39AD09D701A36B535C4C087AE08CC9
SHA-256:	AF275A19A5C2C682139266065D90C237282274D11C5619A121B7BDBDB252861B
SHA-512:	54AF707698CED33C206B1B193DA414D630901762E88E37E99885A50D4D5F8DDC28367C9B401DFE251CF0552B4FA446EE28F78A97C9096AFB0F2898BFBB673B53
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\targeting.snapshot.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.028399527645535
Encrypted:	false
SSDEEP:	96:ycpMTEr5/lLmI2Ac1zzcxvbw6Kkgrc2Rn27:oTEr5NX0z3DhRe
MD5:	70487FB84F8E6177205B67C447960B19
SHA1:	27A1EA232918DB72E5575D156CF8E45C4F83D838
SHA-256:	C17E00C4AB28E974E6450454F4A92C0BEF66386F77B1B5E57FFEF5288606395F
SHA-512:	FD7063EBD0386C20B1FED9542D86CED610F57EB4CF70816D03F658D8875C2CEC91066FD041E9C28D1B790E53D68B2F23F73E349EF6630B680F5D80B572B46C90
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-10-30T02:21:00.708Z","profileAgeCreated":1696426830133,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\targeting.snapshot.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.028399527645535
Encrypted:	false
SSDEEP:	96:ycpMTEr5/lLmI2Ac1zzcxvbw6Kkgrc2Rn27:oTEr5NX0z3DhRe
MD5:	70487FB84F8E6177205B67C447960B19
SHA1:	27A1EA232918DB72E5575D156CF8E45C4F83D838
SHA-256:	C17E00C4AB28E974E6450454F4A92C0BEF66386F77B1B5E57FFEF5288606395F
SHA-512:	FD7063EBD0386C20B1FED9542D86CED610F57EB4CF70816D03F658D8875C2CEC91066FD041E9C28D1B790E53D68B2F23F73E349EF6630B680F5D80B572B46C90
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-10-30T02:21:00.708Z","profileAgeCreated":1696426830133,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.584708639454978
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	919'552 bytes
MD5:	17119cd02b34bddf9d552169f1fce6a0
SHA1:	f749847ac71e85256ba23e722f9f84637c9d54ff
SHA256:	4c46b832b2a36c757950ce90dab4e6a11fa583a5374da8e69bb77e713c190f1d
SHA512:	cfbdad6d8a37bab1d4f60b4939abd32dd321f479ce80e0908556528316ef17b4f0317e2b6064622d050740a21496b314d8b4bbbd92b0d5e9e7fb9d90e25b9b5e
SSDEEP:	12288:RqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDga/T2:RqDEvCTbMWu7rQYlBQcBiT6rprG8ab2
TLSH:	E9159E0273D1C062FFAB92334B5AF6515BBC69260123E61F13981DB9BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x672180BB [Wed Oct 30 00:41:31 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007FCAB4B9FD13h
jmp 00007FCAB4B9F61Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FCAB4B9F7FDh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FCAB4B9F7CAh
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007FCAB4BA23BDh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007FCAB4BA2408h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007FCAB4BA23F1h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x9c28	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xde000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x9c28	0x9e00	5788277519eb2885ece5ddc7928cd11c	False	0.31561511075949367	data	5.373318496927866	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xde000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0xef0	data			1.0028765690376569
RT_GROUP_ICON	0xdd6a8	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xdd720	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xdd734	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xdd748	0x14	data	English	Great Britain	1.25
RT_VERSION	0xdd75c	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xdd838	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 30, 2024 02:01:02.752810955 CET	49710	443	192.168.2.5	35.190.72.216
Oct 30, 2024 02:01:02.752871037 CET	443	49710	35.190.72.216	192.168.2.5
Oct 30, 2024 02:01:02.758300066 CET	49710	443	192.168.2.5	35.190.72.216
Oct 30, 2024 02:01:02.803108931 CET	49710	443	192.168.2.5	35.190.72.216
Oct 30, 2024 02:01:02.803133965 CET	443	49710	35.190.72.216	192.168.2.5
Oct 30, 2024 02:01:03.430043936 CET	443	49710	35.190.72.216	192.168.2.5
Oct 30, 2024 02:01:03.430213928 CET	49710	443	192.168.2.5	35.190.72.216
Oct 30, 2024 02:01:03.461767912 CET	49710	443	192.168.2.5	35.190.72.216
Oct 30, 2024 02:01:03.461786985 CET	443	49710	35.190.72.216	192.168.2.5
Oct 30, 2024 02:01:03.461972952 CET	49710	443	192.168.2.5	35.190.72.216
Oct 30, 2024 02:01:03.462388992 CET	49711	443	192.168.2.5	35.190.72.216
Oct 30, 2024 02:01:03.462449074 CET	443	49711	35.190.72.216	192.168.2.5
Oct 30, 2024 02:01:03.463622093 CET	443	49710	35.190.72.216	192.168.2.5
Oct 30, 2024 02:01:03.464454889 CET	49711	443	192.168.2.5	35.190.72.216
Oct 30, 2024 02:01:03.464466095 CET	49710	443	192.168.2.5	35.190.72.216
Oct 30, 2024 02:01:03.466094971 CET	49711	443	192.168.2.5	35.190.72.216
Oct 30, 2024 02:01:03.466103077 CET	443	49711	35.190.72.216	192.168.2.5
Oct 30, 2024 02:01:03.554687023 CET	49712	443	192.168.2.5	142.250.185.238
Oct 30, 2024 02:01:03.554744005 CET	443	49712	142.250.185.238	192.168.2.5
Oct 30, 2024 02:01:03.554806948 CET	49712	443	192.168.2.5	142.250.185.238
Oct 30, 2024 02:01:03.556348085 CET	49712	443	192.168.2.5	142.250.185.238
Oct 30, 2024 02:01:03.556363106 CET	443	49712	142.250.185.238	192.168.2.5
Oct 30, 2024 02:01:03.694186926 CET	49713	443	192.168.2.5	142.250.185.238
Oct 30, 2024 02:01:03.694262981 CET	443	49713	142.250.185.238	192.168.2.5
Oct 30, 2024 02:01:03.695826054 CET	49714	80	192.168.2.5	34.107.221.82
Oct 30, 2024 02:01:03.696907043 CET	49713	443	192.168.2.5	142.250.185.238
Oct 30, 2024 02:01:03.699111938 CET	49713	443	192.168.2.5	142.250.185.238
Oct 30, 2024 02:01:03.699148893 CET	443	49713	142.250.185.238	192.168.2.5
Oct 30, 2024 02:01:03.701266050 CET	80	49714	34.107.221.82	192.168.2.5
Oct 30, 2024 02:01:03.706718922 CET	49714	80	192.168.2.5	34.107.221.82
Oct 30, 2024 02:01:03.706865072 CET	49714	80	192.168.2.5	34.107.221.82
Oct 30, 2024 02:01:03.712119102 CET	80	49714	34.107.221.82	192.168.2.5
Oct 30, 2024 02:01:03.952217102 CET	49715	443	192.168.2.5	35.244.181.201
Oct 30, 2024 02:01:03.952274084 CET	443	49715	35.244.181.201	192.168.2.5
Oct 30, 2024 02:01:03.954035044 CET	49715	443	192.168.2.5	35.244.181.201
Oct 30, 2024 02:01:03.954480886 CET	49715	443	192.168.2.5	35.244.181.201
Oct 30, 2024 02:01:03.954495907 CET	443	49715	35.244.181.201	192.168.2.5
Oct 30, 2024 02:01:03.954981089 CET	49716	443	192.168.2.5	34.117.188.166
Oct 30, 2024 02:01:03.955025911 CET	443	49716	34.117.188.166	192.168.2.5
Oct 30, 2024 02:01:03.955091953 CET	49716	443	192.168.2.5	34.117.188.166
Oct 30, 2024 02:01:03.956531048 CET	49716	443	192.168.2.5	34.117.188.166
Oct 30, 2024 02:01:03.956553936 CET	443	49716	34.117.188.166	192.168.2.5
Oct 30, 2024 02:01:03.985862017 CET	49717	443	192.168.2.5	34.117.188.166
Oct 30, 2024 02:01:03.985944986 CET	443	49717	34.117.188.166	192.168.2.5
Oct 30, 2024 02:01:03.991734028 CET	49717	443	192.168.2.5	34.117.188.166
Oct 30, 2024 02:01:03.993207932 CET	49717	443	192.168.2.5	34.117.188.166
Oct 30, 2024 02:01:03.993227959 CET	443	49717	34.117.188.166	192.168.2.5
Oct 30, 2024 02:01:04.079040051 CET	443	49711	35.190.72.216	192.168.2.5
Oct 30, 2024 02:01:04.087333918 CET	443	49711	35.190.72.216	192.168.2.5
Oct 30, 2024 02:01:04.095963955 CET	49711	443	192.168.2.5	35.190.72.216
Oct 30, 2024 02:01:04.111576080 CET	49711	443	192.168.2.5	35.190.72.216
Oct 30, 2024 02:01:04.111623049 CET	443	49711	35.190.72.216	192.168.2.5
Oct 30, 2024 02:01:04.111665010 CET	49711	443	192.168.2.5	35.190.72.216
Oct 30, 2024 02:01:04.111972094 CET	443	49711	35.190.72.216	192.168.2.5
Oct 30, 2024 02:01:04.151226044 CET	49711	443	192.168.2.5	35.190.72.216
Oct 30, 2024 02:01:04.310900927 CET	80	49714	34.107.221.82	192.168.2.5
Oct 30, 2024 02:01:04.358985901 CET	49714	80	192.168.2.5	34.107.221.82
Oct 30, 2024 02:01:04.418930054 CET	443	49712	142.250.185.238	192.168.2.5
Oct 30, 2024 02:01:04.420672894 CET	443	49712	142.250.185.238	192.168.2.5
Oct 30, 2024 02:01:04.420711040 CET	49712	443	192.168.2.5	142.250.185.238
Oct 30, 2024 02:01:04.420742035 CET	443	49712	142.250.185.238	192.168.2.5
Oct 30, 2024 02:01:04.427334070 CET	443	49712	142.250.185.238	192.168.2.5
Oct 30, 2024 02:01:04.439968109 CET	49712	443	192.168.2.5	142.250.185.238
Oct 30, 2024 02:01:04.443722010 CET	49712	443	192.168.2.5	142.250.185.238
Oct 30, 2024 02:01:04.443747044 CET	443	49712	142.250.185.238	192.168.2.5
Oct 30, 2024 02:01:04.443816900 CET	49712	443	192.168.2.5	142.250.185.238
Oct 30, 2024 02:01:04.444478989 CET	443	49712	142.250.185.238	192.168.2.5
Oct 30, 2024 02:01:04.444601059 CET	49712	443	192.168.2.5	142.250.185.238
Oct 30, 2024 02:01:04.557456970 CET	443	49713	142.250.185.238	192.168.2.5
Oct 30, 2024 02:01:04.557563066 CET	49713	443	192.168.2.5	142.250.185.238
Oct 30, 2024 02:01:04.558192968 CET	443	49713	142.250.185.238	192.168.2.5
Oct 30, 2024 02:01:04.558244944 CET	49713	443	192.168.2.5	142.250.185.238
Oct 30, 2024 02:01:04.584650993 CET	443	49716	34.117.188.166	192.168.2.5
Oct 30, 2024 02:01:04.584722042 CET	49716	443	192.168.2.5	34.117.188.166
Oct 30, 2024 02:01:04.609286070 CET	443	49715	35.244.181.201	192.168.2.5
Oct 30, 2024 02:01:04.609375954 CET	49715	443	192.168.2.5	35.244.181.201
Oct 30, 2024 02:01:04.611582994 CET	443	49717	34.117.188.166	192.168.2.5
Oct 30, 2024 02:01:04.614983082 CET	49717	443	192.168.2.5	34.117.188.166
Oct 30, 2024 02:01:04.738478899 CET	49715	443	192.168.2.5	35.244.181.201
Oct 30, 2024 02:01:04.738538027 CET	443	49715	35.244.181.201	192.168.2.5
Oct 30, 2024 02:01:04.739001989 CET	443	49715	35.244.181.201	192.168.2.5
Oct 30, 2024 02:01:04.742530107 CET	49714	80	192.168.2.5	34.107.221.82
Oct 30, 2024 02:01:04.744117975 CET	49713	443	192.168.2.5	142.250.185.238
Oct 30, 2024 02:01:04.744163036 CET	443	49713	142.250.185.238	192.168.2.5
Oct 30, 2024 02:01:04.744582891 CET	443	49713	142.250.185.238	192.168.2.5
Oct 30, 2024 02:01:04.747374058 CET	49713	443	192.168.2.5	142.250.185.238
Oct 30, 2024 02:01:04.748049974 CET	80	49714	34.107.221.82	192.168.2.5
Oct 30, 2024 02:01:04.748147011 CET	49717	443	192.168.2.5	34.117.188.166
Oct 30, 2024 02:01:04.748173952 CET	443	49717	34.117.188.166	192.168.2.5
Oct 30, 2024 02:01:04.748174906 CET	49713	443	192.168.2.5	142.250.185.238
Oct 30, 2024 02:01:04.748191118 CET	443	49713	142.250.185.238	192.168.2.5
Oct 30, 2024 02:01:04.748430014 CET	49717	443	192.168.2.5	34.117.188.166
Oct 30, 2024 02:01:04.748790026 CET	60171	443	192.168.2.5	142.250.185.238
Oct 30, 2024 02:01:04.748816013 CET	443	49717	34.117.188.166	192.168.2.5
Oct 30, 2024 02:01:04.748851061 CET	443	60171	142.250.185.238	192.168.2.5
Oct 30, 2024 02:01:04.748949051 CET	60172	443	192.168.2.5	34.117.188.166
Oct 30, 2024 02:01:04.748959064 CET	443	60172	34.117.188.166	192.168.2.5
Oct 30, 2024 02:01:04.751585960 CET	49716	443	192.168.2.5	34.117.188.166
Oct 30, 2024 02:01:04.751605034 CET	443	49716	34.117.188.166	192.168.2.5
Oct 30, 2024 02:01:04.751688957 CET	49716	443	192.168.2.5	34.117.188.166
Oct 30, 2024 02:01:04.752012014 CET	60173	443	192.168.2.5	34.117.188.166
Oct 30, 2024 02:01:04.752058983 CET	443	60173	34.117.188.166	192.168.2.5
Oct 30, 2024 02:01:04.752185106 CET	443	49716	34.117.188.166	192.168.2.5
Oct 30, 2024 02:01:04.753948927 CET	49715	443	192.168.2.5	35.244.181.201
Oct 30, 2024 02:01:04.753948927 CET	49715	443	192.168.2.5	35.244.181.201
Oct 30, 2024 02:01:04.754213095 CET	443	49715	35.244.181.201	192.168.2.5
Oct 30, 2024 02:01:04.754374027 CET	49717	443	192.168.2.5	34.117.188.166
Oct 30, 2024 02:01:04.754436016 CET	49716	443	192.168.2.5	34.117.188.166
Oct 30, 2024 02:01:04.754441977 CET	60171	443	192.168.2.5	142.250.185.238
Oct 30, 2024 02:01:04.754441977 CET	60172	443	192.168.2.5	34.117.188.166
Oct 30, 2024 02:01:04.754450083 CET	60173	443	192.168.2.5	34.117.188.166
Oct 30, 2024 02:01:04.754539967 CET	49715	443	192.168.2.5	35.244.181.201
Oct 30, 2024 02:01:04.870429039 CET	80	49714	34.107.221.82	192.168.2.5
Oct 30, 2024 02:01:04.928369999 CET	49714	80	192.168.2.5	34.107.221.82
Oct 30, 2024 02:01:04.980494976 CET	60172	443	192.168.2.5	34.117.188.166
Oct 30, 2024 02:01:04.980532885 CET	443	60172	34.117.188.166	192.168.2.5
Oct 30, 2024 02:01:04.981857061 CET	60173	443	192.168.2.5	34.117.188.166
Oct 30, 2024 02:01:04.981935024 CET	443	60173	34.117.188.166	192.168.2.5
Oct 30, 2024 02:01:04.983138084 CET	60171	443	192.168.2.5	142.250.185.238
Oct 30, 2024 02:01:04.983155012 CET	443	60171	142.250.185.238	192.168.2.5
Oct 30, 2024 02:01:04.983577967 CET	60174	443	192.168.2.5	34.160.144.191
Oct 30, 2024 02:01:04.983628988 CET	443	60174	34.160.144.191	192.168.2.5
Oct 30, 2024 02:01:04.983683109 CET	60175	80	192.168.2.5	34.107.221.82
Oct 30, 2024 02:01:04.985338926 CET	60174	443	192.168.2.5	34.160.144.191
Oct 30, 2024 02:01:04.985642910 CET	60174	443	192.168.2.5	34.160.144.191
Oct 30, 2024 02:01:04.985661030 CET	443	60174	34.160.144.191	192.168.2.5
Oct 30, 2024 02:01:04.989466906 CET	80	60175	34.107.221.82	192.168.2.5
Oct 30, 2024 02:01:04.989552975 CET	60175	80	192.168.2.5	34.107.221.82
Oct 30, 2024 02:01:04.989759922 CET	60175	80	192.168.2.5	34.107.221.82
Oct 30, 2024 02:01:04.995009899 CET	80	60175	34.107.221.82	192.168.2.5
Oct 30, 2024 02:01:05.010628939 CET	49714	80	192.168.2.5	34.107.221.82
Oct 30, 2024 02:01:05.011857986 CET	60175	80	192.168.2.5	34.107.221.82
Oct 30, 2024 02:01:05.016227007 CET	80	49714	34.107.221.82	192.168.2.5
Oct 30, 2024 02:01:05.020114899 CET	60176	80	192.168.2.5	34.107.221.82
Oct 30, 2024 02:01:05.022164106 CET	49714	80	192.168.2.5	34.107.221.82
Oct 30, 2024 02:01:05.025506020 CET	80	60176	34.107.221.82	192.168.2.5
Oct 30, 2024 02:01:05.028753996 CET	60176	80	192.168.2.5	34.107.221.82
Oct 30, 2024 02:01:05.029197931 CET	60176	80	192.168.2.5	34.107.221.82
Oct 30, 2024 02:01:05.033526897 CET	60177	80	192.168.2.5	34.107.221.82
Oct 30, 2024 02:01:05.034482002 CET	80	60176	34.107.221.82	192.168.2.5
Oct 30, 2024 02:01:05.038959980 CET	80	60177	34.107.221.82	192.168.2.5
Oct 30, 2024 02:01:05.042711020 CET	60177	80	192.168.2.5	34.107.221.82
Oct 30, 2024 02:01:05.043015957 CET	60177	80	192.168.2.5	34.107.221.82
Oct 30, 2024 02:01:05.048341036 CET	80	60177	34.107.221.82	192.168.2.5
Oct 30, 2024 02:01:05.058520079 CET	80	60175	34.107.221.82	192.168.2.5
Oct 30, 2024 02:01:05.474544048 CET	80	60175	34.107.221.82	192.168.2.5
Oct 30, 2024 02:01:05.474610090 CET	60175	80	192.168.2.5	34.107.221.82
Oct 30, 2024 02:01:05.488075972 CET	60179	443	192.168.2.5	34.107.243.93
Oct 30, 2024 02:01:05.488121033 CET	443	60179	34.107.243.93	192.168.2.5
Oct 30, 2024 02:01:05.488989115 CET	60179	443	192.168.2.5	34.107.243.93
Oct 30, 2024 02:01:05.490513086 CET	60179	443	192.168.2.5	34.107.243.93
Oct 30, 2024 02:01:05.490531921 CET	443	60179	34.107.243.93	192.168.2.5
Oct 30, 2024 02:01:05.594835043 CET	443	60173	34.117.188.166	192.168.2.5
Oct 30, 2024 02:01:05.594929934 CET	60173	443	192.168.2.5	34.117.188.166
Oct 30, 2024 02:01:05.597495079 CET	443	60172	34.117.188.166	192.168.2.5
Oct 30, 2024 02:01:05.597743034 CET	60172	443	192.168.2.5	34.117.188.166
Oct 30, 2024 02:01:05.603171110 CET	60173	443	192.168.2.5	34.117.188.166
Oct 30, 2024 02:01:05.603205919 CET	443	60173	34.117.188.166	192.168.2.5
Oct 30, 2024 02:01:05.603255033 CET	60173	443	192.168.2.5	34.117.188.166
Oct 30, 2024 02:01:05.603368998 CET	60172	443	192.168.2.5	34.117.188.166
Oct 30, 2024 02:01:05.603387117 CET	443	60172	34.117.188.166	192.168.2.5
Oct 30, 2024 02:01:05.603445053 CET	60172	443	192.168.2.5	34.117.188.166
Oct 30, 2024 02:01:05.603564024 CET	443	60172	34.117.188.166	192.168.2.5
Oct 30, 2024 02:01:05.603611946 CET	60172	443	192.168.2.5	34.117.188.166
Oct 30, 2024 02:01:05.603940964 CET	443	60173	34.117.188.166	192.168.2.5
Oct 30, 2024 02:01:05.604017973 CET	60173	443	192.168.2.5	34.117.188.166
Oct 30, 2024 02:01:05.608277082 CET	443	60174	34.160.144.191	192.168.2.5
Oct 30, 2024 02:01:05.608624935 CET	60174	443	192.168.2.5	34.160.144.191
Oct 30, 2024 02:01:05.612050056 CET	60174	443	192.168.2.5	34.160.144.191
Oct 30, 2024 02:01:05.612065077 CET	443	60174	34.160.144.191	192.168.2.5
Oct 30, 2024 02:01:05.612413883 CET	443	60174	34.160.144.191	192.168.2.5
Oct 30, 2024 02:01:05.615078926 CET	60174	443	192.168.2.5	34.160.144.191
Oct 30, 2024 02:01:05.615209103 CET	60174	443	192.168.2.5	34.160.144.191
Oct 30, 2024 02:01:05.615633965 CET	60180	443	192.168.2.5	34.160.144.191
Oct 30, 2024 02:01:05.615690947 CET	443	60180	34.160.144.191	192.168.2.5
Oct 30, 2024 02:01:05.615746975 CET	443	60174	34.160.144.191	192.168.2.5
Oct 30, 2024 02:01:05.624134064 CET	80	60176	34.107.221.82	192.168.2.5
Oct 30, 2024 02:01:05.624722004 CET	60174	443	192.168.2.5	34.160.144.191
Oct 30, 2024 02:01:05.624769926 CET	60174	443	192.168.2.5	34.160.144.191
Oct 30, 2024 02:01:05.624790907 CET	60180	443	192.168.2.5	34.160.144.191
Oct 30, 2024 02:01:05.625017881 CET	60180	443	192.168.2.5	34.160.144.191
Oct 30, 2024 02:01:05.625031948 CET	443	60180	34.160.144.191	192.168.2.5
Oct 30, 2024 02:01:05.641551018 CET	80	60177	34.107.221.82	192.168.2.5
Oct 30, 2024 02:01:05.671186924 CET	60181	443	192.168.2.5	34.117.188.166
Oct 30, 2024 02:01:05.671228886 CET	443	60181	34.117.188.166	192.168.2.5
Oct 30, 2024 02:01:05.671361923 CET	60181	443	192.168.2.5	34.117.188.166
Oct 30, 2024 02:01:05.672729969 CET	60181	443	192.168.2.5	34.117.188.166
Oct 30, 2024 02:01:05.672741890 CET	443	60181	34.117.188.166	192.168.2.5
Oct 30, 2024 02:01:05.677438974 CET	60176	80	192.168.2.5	34.107.221.82
Oct 30, 2024 02:01:05.693058968 CET	60177	80	192.168.2.5	34.107.221.82
Oct 30, 2024 02:01:05.708992004 CET	60176	80	192.168.2.5	34.107.221.82
Oct 30, 2024 02:01:05.714385033 CET	80	60176	34.107.221.82	192.168.2.5
Oct 30, 2024 02:01:05.836102009 CET	80	60176	34.107.221.82	192.168.2.5
Oct 30, 2024 02:01:05.840620995 CET	443	60171	142.250.185.238	192.168.2.5
Oct 30, 2024 02:01:05.841011047 CET	60171	443	192.168.2.5	142.250.185.238
Oct 30, 2024 02:01:05.841233015 CET	443	60171	142.250.185.238	192.168.2.5
Oct 30, 2024 02:01:05.841506004 CET	60171	443	192.168.2.5	142.250.185.238
Oct 30, 2024 02:01:05.845809937 CET	60171	443	192.168.2.5	142.250.185.238
Oct 30, 2024 02:01:05.845827103 CET	443	60171	142.250.185.238	192.168.2.5
Oct 30, 2024 02:01:05.845904112 CET	60171	443	192.168.2.5	142.250.185.238
Oct 30, 2024 02:01:05.846569061 CET	443	60171	142.250.185.238	192.168.2.5
Oct 30, 2024 02:01:05.846687078 CET	60171	443	192.168.2.5	142.250.185.238
Oct 30, 2024 02:01:05.878083944 CET	60176	80	192.168.2.5	34.107.221.82
Oct 30, 2024 02:01:06.097115993 CET	443	60179	34.107.243.93	192.168.2.5
Oct 30, 2024 02:01:06.097203016 CET	60179	443	192.168.2.5	34.107.243.93
Oct 30, 2024 02:01:06.102511883 CET	60179	443	192.168.2.5	34.107.243.93
Oct 30, 2024 02:01:06.102524042 CET	443	60179	34.107.243.93	192.168.2.5
Oct 30, 2024 02:01:06.102602005 CET	60179	443	192.168.2.5	34.107.243.93
Oct 30, 2024 02:01:06.103708982 CET	443	60179	34.107.243.93	192.168.2.5
Oct 30, 2024 02:01:06.103768110 CET	60179	443	192.168.2.5	34.107.243.93
Oct 30, 2024 02:01:06.292186975 CET	443	60181	34.117.188.166	192.168.2.5
Oct 30, 2024 02:01:06.295233011 CET	60181	443	192.168.2.5	34.117.188.166
Oct 30, 2024 02:01:06.299734116 CET	60181	443	192.168.2.5	34.117.188.166
Oct 30, 2024 02:01:06.299753904 CET	443	60181	34.117.188.166	192.168.2.5
Oct 30, 2024 02:01:06.299854040 CET	60181	443	192.168.2.5	34.117.188.166
Oct 30, 2024 02:01:06.300278902 CET	60182	443	192.168.2.5	34.117.188.166
Oct 30, 2024 02:01:06.300374985 CET	443	60182	34.117.188.166	192.168.2.5
Oct 30, 2024 02:01:06.300543070 CET	60182	443	192.168.2.5	34.117.188.166
Oct 30, 2024 02:01:06.300621033 CET	443	60181	34.117.188.166	192.168.2.5
Oct 30, 2024 02:01:06.300873041 CET	60181	443	192.168.2.5	34.117.188.166
Oct 30, 2024 02:01:06.302028894 CET	60182	443	192.168.2.5	34.117.188.166
Oct 30, 2024 02:01:06.302057981 CET	443	60182	34.117.188.166	192.168.2.5
Oct 30, 2024 02:01:06.394839048 CET	443	60180	34.160.144.191	192.168.2.5
Oct 30, 2024 02:01:06.394860029 CET	443	60180	34.160.144.191	192.168.2.5
Oct 30, 2024 02:01:06.394921064 CET	60180	443	192.168.2.5	34.160.144.191
Oct 30, 2024 02:01:06.398128033 CET	60180	443	192.168.2.5	34.160.144.191
Oct 30, 2024 02:01:06.398153067 CET	443	60180	34.160.144.191	192.168.2.5
Oct 30, 2024 02:01:06.399494886 CET	443	60180	34.160.144.191	192.168.2.5
Oct 30, 2024 02:01:06.400665998 CET	60180	443	192.168.2.5	34.160.144.191
Oct 30, 2024 02:01:06.400749922 CET	60180	443	192.168.2.5	34.160.144.191
Oct 30, 2024 02:01:06.401127100 CET	443	60180	34.160.144.191	192.168.2.5
Oct 30, 2024 02:01:06.401216984 CET	60180	443	192.168.2.5	34.160.144.191
Oct 30, 2024 02:01:06.437819004 CET	60177	80	192.168.2.5	34.107.221.82
Oct 30, 2024 02:01:06.443356991 CET	80	60177	34.107.221.82	192.168.2.5
Oct 30, 2024 02:01:06.563930035 CET	80	60177	34.107.221.82	192.168.2.5
Oct 30, 2024 02:01:06.611499071 CET	60177	80	192.168.2.5	34.107.221.82
Oct 30, 2024 02:01:06.928397894 CET	60176	80	192.168.2.5	34.107.221.82
Oct 30, 2024 02:01:06.933712006 CET	80	60176	34.107.221.82	192.168.2.5
Oct 30, 2024 02:01:06.947074890 CET	443	60182	34.117.188.166	192.168.2.5
Oct 30, 2024 02:01:06.947520018 CET	60182	443	192.168.2.5	34.117.188.166
Oct 30, 2024 02:01:06.952979088 CET	60182	443	192.168.2.5	34.117.188.166
Oct 30, 2024 02:01:06.953007936 CET	443	60182	34.117.188.166	192.168.2.5
Oct 30, 2024 02:01:06.953058004 CET	60182	443	192.168.2.5	34.117.188.166
Oct 30, 2024 02:01:06.953656912 CET	443	60182	34.117.188.166	192.168.2.5
Oct 30, 2024 02:01:06.969578981 CET	60182	443	192.168.2.5	34.117.188.166
Oct 30, 2024 02:01:07.053395033 CET	80	60176	34.107.221.82	192.168.2.5
Oct 30, 2024 02:01:07.101928949 CET	60176	80	192.168.2.5	34.107.221.82
Oct 30, 2024 02:01:07.332634926 CET	60177	80	192.168.2.5	34.107.221.82
Oct 30, 2024 02:01:07.337999105 CET	80	60177	34.107.221.82	192.168.2.5
Oct 30, 2024 02:01:07.473279953 CET	80	60177	34.107.221.82	192.168.2.5
Oct 30, 2024 02:01:07.518750906 CET	60177	80	192.168.2.5	34.107.221.82
Oct 30, 2024 02:01:07.622185946 CET	60184	443	192.168.2.5	35.244.181.201
Oct 30, 2024 02:01:07.622236013 CET	443	60184	35.244.181.201	192.168.2.5
Oct 30, 2024 02:01:07.622426033 CET	60184	443	192.168.2.5	35.244.181.201
Oct 30, 2024 02:01:07.622555017 CET	60184	443	192.168.2.5	35.244.181.201
Oct 30, 2024 02:01:07.622562885 CET	443	60184	35.244.181.201	192.168.2.5
Oct 30, 2024 02:01:07.790962934 CET	60176	80	192.168.2.5	34.107.221.82
Oct 30, 2024 02:01:07.796322107 CET	80	60176	34.107.221.82	192.168.2.5
Oct 30, 2024 02:01:07.801119089 CET	60185	443	192.168.2.5	34.120.208.123
Oct 30, 2024 02:01:07.801182985 CET	443	60185	34.120.208.123	192.168.2.5
Oct 30, 2024 02:01:07.803548098 CET	60185	443	192.168.2.5	34.120.208.123
Oct 30, 2024 02:01:07.805183887 CET	60185	443	192.168.2.5	34.120.208.123
Oct 30, 2024 02:01:07.805198908 CET	443	60185	34.120.208.123	192.168.2.5
Oct 30, 2024 02:01:07.826601028 CET	60186	443	192.168.2.5	34.149.100.209
Oct 30, 2024 02:01:07.826647043 CET	443	60186	34.149.100.209	192.168.2.5
Oct 30, 2024 02:01:07.829286098 CET	60186	443	192.168.2.5	34.149.100.209
Oct 30, 2024 02:01:07.830785990 CET	60186	443	192.168.2.5	34.149.100.209
Oct 30, 2024 02:01:07.830802917 CET	443	60186	34.149.100.209	192.168.2.5
Oct 30, 2024 02:01:07.916457891 CET	80	60176	34.107.221.82	192.168.2.5
Oct 30, 2024 02:01:07.966978073 CET	60176	80	192.168.2.5	34.107.221.82
Oct 30, 2024 02:01:08.243031025 CET	443	60184	35.244.181.201	192.168.2.5
Oct 30, 2024 02:01:08.249315023 CET	60184	443	192.168.2.5	35.244.181.201
Oct 30, 2024 02:01:08.251836061 CET	60184	443	192.168.2.5	35.244.181.201
Oct 30, 2024 02:01:08.251871109 CET	443	60184	35.244.181.201	192.168.2.5
Oct 30, 2024 02:01:08.252141953 CET	443	60184	35.244.181.201	192.168.2.5
Oct 30, 2024 02:01:08.253802061 CET	60184	443	192.168.2.5	35.244.181.201
Oct 30, 2024 02:01:08.253886938 CET	60184	443	192.168.2.5	35.244.181.201
Oct 30, 2024 02:01:08.253982067 CET	443	60184	35.244.181.201	192.168.2.5
Oct 30, 2024 02:01:08.254275084 CET	60184	443	192.168.2.5	35.244.181.201
Oct 30, 2024 02:01:08.254300117 CET	60184	443	192.168.2.5	35.244.181.201
Oct 30, 2024 02:01:08.451181889 CET	443	60186	34.149.100.209	192.168.2.5
Oct 30, 2024 02:01:08.451571941 CET	443	60185	34.120.208.123	192.168.2.5
Oct 30, 2024 02:01:08.452898026 CET	60186	443	192.168.2.5	34.149.100.209
Oct 30, 2024 02:01:08.452898026 CET	60185	443	192.168.2.5	34.120.208.123
Oct 30, 2024 02:01:08.457321882 CET	60186	443	192.168.2.5	34.149.100.209
Oct 30, 2024 02:01:08.457345963 CET	443	60186	34.149.100.209	192.168.2.5
Oct 30, 2024 02:01:08.457397938 CET	60186	443	192.168.2.5	34.149.100.209
Oct 30, 2024 02:01:08.457751036 CET	443	60186	34.149.100.209	192.168.2.5
Oct 30, 2024 02:01:08.458066940 CET	60186	443	192.168.2.5	34.149.100.209
Oct 30, 2024 02:01:08.461184025 CET	60185	443	192.168.2.5	34.120.208.123
Oct 30, 2024 02:01:08.461225986 CET	443	60185	34.120.208.123	192.168.2.5
Oct 30, 2024 02:01:08.461256981 CET	60185	443	192.168.2.5	34.120.208.123
Oct 30, 2024 02:01:08.462029934 CET	443	60185	34.120.208.123	192.168.2.5
Oct 30, 2024 02:01:08.462181091 CET	60185	443	192.168.2.5	34.120.208.123
Oct 30, 2024 02:01:10.579627037 CET	60177	80	192.168.2.5	34.107.221.82
Oct 30, 2024 02:01:10.585148096 CET	80	60177	34.107.221.82	192.168.2.5
Oct 30, 2024 02:01:10.630990982 CET	60188	443	192.168.2.5	34.120.208.123
Oct 30, 2024 02:01:10.631021976 CET	443	60188	34.120.208.123	192.168.2.5
Oct 30, 2024 02:01:10.631293058 CET	60189	443	192.168.2.5	34.120.208.123
Oct 30, 2024 02:01:10.631350994 CET	443	60189	34.120.208.123	192.168.2.5
Oct 30, 2024 02:01:10.633708000 CET	60190	443	192.168.2.5	34.120.208.123
Oct 30, 2024 02:01:10.633730888 CET	443	60190	34.120.208.123	192.168.2.5
Oct 30, 2024 02:01:10.634018898 CET	60188	443	192.168.2.5	34.120.208.123
Oct 30, 2024 02:01:10.634037971 CET	60189	443	192.168.2.5	34.120.208.123
Oct 30, 2024 02:01:10.634043932 CET	60190	443	192.168.2.5	34.120.208.123
Oct 30, 2024 02:01:10.635519981 CET	60188	443	192.168.2.5	34.120.208.123
Oct 30, 2024 02:01:10.635536909 CET	443	60188	34.120.208.123	192.168.2.5
Oct 30, 2024 02:01:10.635641098 CET	60189	443	192.168.2.5	34.120.208.123
Oct 30, 2024 02:01:10.635670900 CET	443	60189	34.120.208.123	192.168.2.5
Oct 30, 2024 02:01:10.635706902 CET	60190	443	192.168.2.5	34.120.208.123
Oct 30, 2024 02:01:10.635715008 CET	443	60190	34.120.208.123	192.168.2.5
Oct 30, 2024 02:01:10.705483913 CET	80	60177	34.107.221.82	192.168.2.5
Oct 30, 2024 02:01:10.708231926 CET	60176	80	192.168.2.5	34.107.221.82
Oct 30, 2024 02:01:10.713560104 CET	80	60176	34.107.221.82	192.168.2.5
Oct 30, 2024 02:01:10.753241062 CET	60177	80	192.168.2.5	34.107.221.82
Oct 30, 2024 02:01:10.833295107 CET	80	60176	34.107.221.82	192.168.2.5
Oct 30, 2024 02:01:10.891293049 CET	60176	80	192.168.2.5	34.107.221.82
Oct 30, 2024 02:01:11.244859934 CET	443	60190	34.120.208.123	192.168.2.5
Oct 30, 2024 02:01:11.251336098 CET	443	60190	34.120.208.123	192.168.2.5
Oct 30, 2024 02:01:11.251501083 CET	60190	443	192.168.2.5	34.120.208.123
Oct 30, 2024 02:01:11.254125118 CET	443	60188	34.120.208.123	192.168.2.5
Oct 30, 2024 02:01:11.267343998 CET	443	60188	34.120.208.123	192.168.2.5
Oct 30, 2024 02:01:11.267806053 CET	60190	443	192.168.2.5	34.120.208.123
Oct 30, 2024 02:01:11.267806053 CET	60188	443	192.168.2.5	34.120.208.123
Oct 30, 2024 02:01:11.275475979 CET	443	60189	34.120.208.123	192.168.2.5
Oct 30, 2024 02:01:11.287338972 CET	443	60189	34.120.208.123	192.168.2.5
Oct 30, 2024 02:01:11.288697004 CET	60189	443	192.168.2.5	34.120.208.123
Oct 30, 2024 02:01:12.727984905 CET	60190	443	192.168.2.5	34.120.208.123
Oct 30, 2024 02:01:12.728018045 CET	443	60190	34.120.208.123	192.168.2.5
Oct 30, 2024 02:01:12.728415012 CET	443	60190	34.120.208.123	192.168.2.5
Oct 30, 2024 02:01:12.734266043 CET	60189	443	192.168.2.5	34.120.208.123
Oct 30, 2024 02:01:12.734325886 CET	443	60189	34.120.208.123	192.168.2.5
Oct 30, 2024 02:01:12.734713078 CET	443	60189	34.120.208.123	192.168.2.5
Oct 30, 2024 02:01:12.738907099 CET	60190	443	192.168.2.5	34.120.208.123
Oct 30, 2024 02:01:12.738907099 CET	60190	443	192.168.2.5	34.120.208.123
Oct 30, 2024 02:01:12.739105940 CET	60188	443	192.168.2.5	34.120.208.123
Oct 30, 2024 02:01:12.739105940 CET	60188	443	192.168.2.5	34.120.208.123
Oct 30, 2024 02:01:12.739121914 CET	443	60188	34.120.208.123	192.168.2.5
Oct 30, 2024 02:01:12.739203930 CET	60189	443	192.168.2.5	34.120.208.123
Oct 30, 2024 02:01:12.739248991 CET	60189	443	192.168.2.5	34.120.208.123
Oct 30, 2024 02:01:12.739487886 CET	443	60190	34.120.208.123	192.168.2.5
Oct 30, 2024 02:01:12.739813089 CET	443	60189	34.120.208.123	192.168.2.5
Oct 30, 2024 02:01:12.740169048 CET	60189	443	192.168.2.5	34.120.208.123
Oct 30, 2024 02:01:12.740200043 CET	60190	443	192.168.2.5	34.120.208.123
Oct 30, 2024 02:01:12.740202904 CET	60189	443	192.168.2.5	34.120.208.123
Oct 30, 2024 02:01:12.743423939 CET	443	60188	34.120.208.123	192.168.2.5
Oct 30, 2024 02:01:12.743891001 CET	60188	443	192.168.2.5	34.120.208.123
Oct 30, 2024 02:01:16.903127909 CET	60177	80	192.168.2.5	34.107.221.82
Oct 30, 2024 02:01:16.908607006 CET	80	60177	34.107.221.82	192.168.2.5
Oct 30, 2024 02:01:17.030002117 CET	80	60177	34.107.221.82	192.168.2.5
Oct 30, 2024 02:01:17.064362049 CET	60209	443	192.168.2.5	34.120.208.123
Oct 30, 2024 02:01:17.064409971 CET	443	60209	34.120.208.123	192.168.2.5
Oct 30, 2024 02:01:17.065589905 CET	60209	443	192.168.2.5	34.120.208.123
Oct 30, 2024 02:01:17.067013025 CET	60209	443	192.168.2.5	34.120.208.123
Oct 30, 2024 02:01:17.067029953 CET	443	60209	34.120.208.123	192.168.2.5
Oct 30, 2024 02:01:17.075938940 CET	60177	80	192.168.2.5	34.107.221.82
Oct 30, 2024 02:01:17.153337955 CET	60176	80	192.168.2.5	34.107.221.82
Oct 30, 2024 02:01:17.158643007 CET	80	60176	34.107.221.82	192.168.2.5
Oct 30, 2024 02:01:17.162766933 CET	60210	443	192.168.2.5	34.107.243.93
Oct 30, 2024 02:01:17.162810087 CET	443	60210	34.107.243.93	192.168.2.5
Oct 30, 2024 02:01:17.163165092 CET	60210	443	192.168.2.5	34.107.243.93
Oct 30, 2024 02:01:17.164635897 CET	60210	443	192.168.2.5	34.107.243.93
Oct 30, 2024 02:01:17.164650917 CET	443	60210	34.107.243.93	192.168.2.5
Oct 30, 2024 02:01:17.278268099 CET	80	60176	34.107.221.82	192.168.2.5
Oct 30, 2024 02:01:17.323438883 CET	60176	80	192.168.2.5	34.107.221.82
Oct 30, 2024 02:01:17.674669027 CET	443	60209	34.120.208.123	192.168.2.5
Oct 30, 2024 02:01:17.674818039 CET	60209	443	192.168.2.5	34.120.208.123
Oct 30, 2024 02:01:17.771924019 CET	443	60210	34.107.243.93	192.168.2.5
Oct 30, 2024 02:01:17.778294086 CET	60210	443	192.168.2.5	34.107.243.93
Oct 30, 2024 02:01:18.144365072 CET	60209	443	192.168.2.5	34.120.208.123
Oct 30, 2024 02:01:18.144382000 CET	443	60209	34.120.208.123	192.168.2.5
Oct 30, 2024 02:01:18.144534111 CET	60209	443	192.168.2.5	34.120.208.123
Oct 30, 2024 02:01:18.144562960 CET	60210	443	192.168.2.5	34.107.243.93
Oct 30, 2024 02:01:18.144572020 CET	443	60210	34.107.243.93	192.168.2.5
Oct 30, 2024 02:01:18.144617081 CET	443	60209	34.120.208.123	192.168.2.5
Oct 30, 2024 02:01:18.144623041 CET	60210	443	192.168.2.5	34.107.243.93
Oct 30, 2024 02:01:18.144768953 CET	443	60210	34.107.243.93	192.168.2.5
Oct 30, 2024 02:01:18.144783020 CET	60209	443	192.168.2.5	34.120.208.123
Oct 30, 2024 02:01:18.145009041 CET	60210	443	192.168.2.5	34.107.243.93
Oct 30, 2024 02:01:18.632534981 CET	60177	80	192.168.2.5	34.107.221.82
Oct 30, 2024 02:01:18.637937069 CET	80	60177	34.107.221.82	192.168.2.5
Oct 30, 2024 02:01:18.758183002 CET	80	60177	34.107.221.82	192.168.2.5
Oct 30, 2024 02:01:18.812522888 CET	60177	80	192.168.2.5	34.107.221.82
Oct 30, 2024 02:01:19.115247011 CET	60176	80	192.168.2.5	34.107.221.82
Oct 30, 2024 02:01:19.120632887 CET	80	60176	34.107.221.82	192.168.2.5
Oct 30, 2024 02:01:19.239972115 CET	80	60176	34.107.221.82	192.168.2.5
Oct 30, 2024 02:01:19.298433065 CET	60176	80	192.168.2.5	34.107.221.82
Oct 30, 2024 02:01:28.664766073 CET	60276	443	192.168.2.5	34.107.243.93
Oct 30, 2024 02:01:28.664825916 CET	443	60276	34.107.243.93	192.168.2.5
Oct 30, 2024 02:01:28.664885998 CET	60276	443	192.168.2.5	34.107.243.93
Oct 30, 2024 02:01:28.666482925 CET	60276	443	192.168.2.5	34.107.243.93
Oct 30, 2024 02:01:28.666508913 CET	443	60276	34.107.243.93	192.168.2.5
Oct 30, 2024 02:01:28.758954048 CET	60177	80	192.168.2.5	34.107.221.82
Oct 30, 2024 02:01:28.764245987 CET	80	60177	34.107.221.82	192.168.2.5
Oct 30, 2024 02:01:29.260494947 CET	60176	80	192.168.2.5	34.107.221.82
Oct 30, 2024 02:01:29.265831947 CET	80	60176	34.107.221.82	192.168.2.5
Oct 30, 2024 02:01:29.275047064 CET	443	60276	34.107.243.93	192.168.2.5
Oct 30, 2024 02:01:29.275306940 CET	60276	443	192.168.2.5	34.107.243.93
Oct 30, 2024 02:01:29.280729055 CET	60276	443	192.168.2.5	34.107.243.93
Oct 30, 2024 02:01:29.280757904 CET	443	60276	34.107.243.93	192.168.2.5
Oct 30, 2024 02:01:29.280829906 CET	60276	443	192.168.2.5	34.107.243.93
Oct 30, 2024 02:01:29.281383991 CET	443	60276	34.107.243.93	192.168.2.5
Oct 30, 2024 02:01:29.282131910 CET	60276	443	192.168.2.5	34.107.243.93
Oct 30, 2024 02:01:29.283854961 CET	60177	80	192.168.2.5	34.107.221.82
Oct 30, 2024 02:01:29.289210081 CET	80	60177	34.107.221.82	192.168.2.5
Oct 30, 2024 02:01:29.409384012 CET	80	60177	34.107.221.82	192.168.2.5
Oct 30, 2024 02:01:29.413093090 CET	60176	80	192.168.2.5	34.107.221.82
Oct 30, 2024 02:01:29.418463945 CET	80	60176	34.107.221.82	192.168.2.5
Oct 30, 2024 02:01:29.461119890 CET	60177	80	192.168.2.5	34.107.221.82
Oct 30, 2024 02:01:29.539446115 CET	80	60176	34.107.221.82	192.168.2.5
Oct 30, 2024 02:01:29.599246025 CET	60176	80	192.168.2.5	34.107.221.82
Oct 30, 2024 02:01:31.429776907 CET	60292	443	192.168.2.5	35.244.181.201
Oct 30, 2024 02:01:31.429811954 CET	443	60292	35.244.181.201	192.168.2.5
Oct 30, 2024 02:01:31.434876919 CET	60292	443	192.168.2.5	35.244.181.201
Oct 30, 2024 02:01:31.435899973 CET	60292	443	192.168.2.5	35.244.181.201
Oct 30, 2024 02:01:31.435920954 CET	443	60292	35.244.181.201	192.168.2.5
Oct 30, 2024 02:01:31.441973925 CET	60293	443	192.168.2.5	34.149.100.209
Oct 30, 2024 02:01:31.442011118 CET	443	60293	34.149.100.209	192.168.2.5
Oct 30, 2024 02:01:31.442215919 CET	60293	443	192.168.2.5	34.149.100.209
Oct 30, 2024 02:01:31.442320108 CET	60293	443	192.168.2.5	34.149.100.209
Oct 30, 2024 02:01:31.442327976 CET	443	60293	34.149.100.209	192.168.2.5
Oct 30, 2024 02:01:31.450589895 CET	60294	443	192.168.2.5	151.101.129.91
Oct 30, 2024 02:01:31.450618029 CET	443	60294	151.101.129.91	192.168.2.5
Oct 30, 2024 02:01:31.451462030 CET	60294	443	192.168.2.5	151.101.129.91
Oct 30, 2024 02:01:31.451713085 CET	60294	443	192.168.2.5	151.101.129.91
Oct 30, 2024 02:01:31.451728106 CET	443	60294	151.101.129.91	192.168.2.5
Oct 30, 2024 02:01:31.727577925 CET	60297	443	192.168.2.5	35.190.72.216
Oct 30, 2024 02:01:31.727628946 CET	443	60297	35.190.72.216	192.168.2.5
Oct 30, 2024 02:01:31.730587959 CET	60297	443	192.168.2.5	35.190.72.216
Oct 30, 2024 02:01:31.732182980 CET	60297	443	192.168.2.5	35.190.72.216
Oct 30, 2024 02:01:31.732202053 CET	443	60297	35.190.72.216	192.168.2.5
Oct 30, 2024 02:01:31.737885952 CET	60298	443	192.168.2.5	35.201.103.21
Oct 30, 2024 02:01:31.737919092 CET	443	60298	35.201.103.21	192.168.2.5
Oct 30, 2024 02:01:31.741539955 CET	60298	443	192.168.2.5	35.201.103.21
Oct 30, 2024 02:01:31.742985964 CET	60298	443	192.168.2.5	35.201.103.21
Oct 30, 2024 02:01:31.743001938 CET	443	60298	35.201.103.21	192.168.2.5
Oct 30, 2024 02:01:32.045423985 CET	443	60292	35.244.181.201	192.168.2.5
Oct 30, 2024 02:01:32.045496941 CET	60292	443	192.168.2.5	35.244.181.201
Oct 30, 2024 02:01:32.048907995 CET	60292	443	192.168.2.5	35.244.181.201
Oct 30, 2024 02:01:32.048929930 CET	443	60292	35.244.181.201	192.168.2.5
Oct 30, 2024 02:01:32.049266100 CET	443	60292	35.244.181.201	192.168.2.5
Oct 30, 2024 02:01:32.051877975 CET	60292	443	192.168.2.5	35.244.181.201
Oct 30, 2024 02:01:32.051985025 CET	60292	443	192.168.2.5	35.244.181.201
Oct 30, 2024 02:01:32.052077055 CET	443	60292	35.244.181.201	192.168.2.5
Oct 30, 2024 02:01:32.052763939 CET	60292	443	192.168.2.5	35.244.181.201
Oct 30, 2024 02:01:32.056313038 CET	60177	80	192.168.2.5	34.107.221.82
Oct 30, 2024 02:01:32.061675072 CET	80	60177	34.107.221.82	192.168.2.5
Oct 30, 2024 02:01:32.065042019 CET	443	60293	34.149.100.209	192.168.2.5
Oct 30, 2024 02:01:32.065114021 CET	60293	443	192.168.2.5	34.149.100.209
Oct 30, 2024 02:01:32.068603992 CET	60293	443	192.168.2.5	34.149.100.209
Oct 30, 2024 02:01:32.068615913 CET	443	60293	34.149.100.209	192.168.2.5
Oct 30, 2024 02:01:32.068912983 CET	443	60293	34.149.100.209	192.168.2.5
Oct 30, 2024 02:01:32.071686029 CET	60293	443	192.168.2.5	34.149.100.209
Oct 30, 2024 02:01:32.071779966 CET	60293	443	192.168.2.5	34.149.100.209
Oct 30, 2024 02:01:32.071851969 CET	443	60293	34.149.100.209	192.168.2.5
Oct 30, 2024 02:01:32.073153973 CET	60293	443	192.168.2.5	34.149.100.209
Oct 30, 2024 02:01:32.091917992 CET	443	60294	151.101.129.91	192.168.2.5
Oct 30, 2024 02:01:32.092000008 CET	60294	443	192.168.2.5	151.101.129.91
Oct 30, 2024 02:01:32.095454931 CET	60294	443	192.168.2.5	151.101.129.91
Oct 30, 2024 02:01:32.095468044 CET	443	60294	151.101.129.91	192.168.2.5
Oct 30, 2024 02:01:32.095690012 CET	443	60294	151.101.129.91	192.168.2.5
Oct 30, 2024 02:01:32.098726988 CET	60294	443	192.168.2.5	151.101.129.91
Oct 30, 2024 02:01:32.098819971 CET	60294	443	192.168.2.5	151.101.129.91
Oct 30, 2024 02:01:32.098859072 CET	443	60294	151.101.129.91	192.168.2.5
Oct 30, 2024 02:01:32.098997116 CET	60294	443	192.168.2.5	151.101.129.91
Oct 30, 2024 02:01:32.107280016 CET	60302	443	192.168.2.5	35.244.181.201
Oct 30, 2024 02:01:32.107311010 CET	443	60302	35.244.181.201	192.168.2.5
Oct 30, 2024 02:01:32.107479095 CET	60302	443	192.168.2.5	35.244.181.201
Oct 30, 2024 02:01:32.107553959 CET	60302	443	192.168.2.5	35.244.181.201
Oct 30, 2024 02:01:32.107562065 CET	443	60302	35.244.181.201	192.168.2.5
Oct 30, 2024 02:01:32.109967947 CET	60303	443	192.168.2.5	35.244.181.201
Oct 30, 2024 02:01:32.110029936 CET	443	60303	35.244.181.201	192.168.2.5
Oct 30, 2024 02:01:32.110276937 CET	60303	443	192.168.2.5	35.244.181.201
Oct 30, 2024 02:01:32.110433102 CET	60303	443	192.168.2.5	35.244.181.201
Oct 30, 2024 02:01:32.110445976 CET	443	60303	35.244.181.201	192.168.2.5
Oct 30, 2024 02:01:32.112317085 CET	60304	443	192.168.2.5	35.244.181.201
Oct 30, 2024 02:01:32.112390041 CET	443	60304	35.244.181.201	192.168.2.5
Oct 30, 2024 02:01:32.112617016 CET	60304	443	192.168.2.5	35.244.181.201
Oct 30, 2024 02:01:32.112713099 CET	60304	443	192.168.2.5	35.244.181.201
Oct 30, 2024 02:01:32.112725973 CET	443	60304	35.244.181.201	192.168.2.5
Oct 30, 2024 02:01:32.181680918 CET	80	60177	34.107.221.82	192.168.2.5
Oct 30, 2024 02:01:32.184817076 CET	60176	80	192.168.2.5	34.107.221.82
Oct 30, 2024 02:01:32.190099001 CET	80	60176	34.107.221.82	192.168.2.5
Oct 30, 2024 02:01:32.223048925 CET	60177	80	192.168.2.5	34.107.221.82
Oct 30, 2024 02:01:32.309812069 CET	80	60176	34.107.221.82	192.168.2.5
Oct 30, 2024 02:01:32.338038921 CET	443	60297	35.190.72.216	192.168.2.5
Oct 30, 2024 02:01:32.338205099 CET	60297	443	192.168.2.5	35.190.72.216
Oct 30, 2024 02:01:32.342998981 CET	60297	443	192.168.2.5	35.190.72.216
Oct 30, 2024 02:01:32.343034983 CET	443	60297	35.190.72.216	192.168.2.5
Oct 30, 2024 02:01:32.343132019 CET	60297	443	192.168.2.5	35.190.72.216
Oct 30, 2024 02:01:32.343554020 CET	443	60297	35.190.72.216	192.168.2.5
Oct 30, 2024 02:01:32.345586061 CET	60297	443	192.168.2.5	35.190.72.216
Oct 30, 2024 02:01:32.347052097 CET	60177	80	192.168.2.5	34.107.221.82
Oct 30, 2024 02:01:32.352407932 CET	80	60177	34.107.221.82	192.168.2.5
Oct 30, 2024 02:01:32.354469061 CET	60176	80	192.168.2.5	34.107.221.82
Oct 30, 2024 02:01:32.355755091 CET	443	60298	35.201.103.21	192.168.2.5
Oct 30, 2024 02:01:32.357846022 CET	60298	443	192.168.2.5	35.201.103.21
Oct 30, 2024 02:01:32.365731955 CET	60298	443	192.168.2.5	35.201.103.21
Oct 30, 2024 02:01:32.365750074 CET	443	60298	35.201.103.21	192.168.2.5
Oct 30, 2024 02:01:32.365853071 CET	60298	443	192.168.2.5	35.201.103.21
Oct 30, 2024 02:01:32.366131067 CET	443	60298	35.201.103.21	192.168.2.5
Oct 30, 2024 02:01:32.366740942 CET	60298	443	192.168.2.5	35.201.103.21
Oct 30, 2024 02:01:32.380275965 CET	60305	443	192.168.2.5	34.149.100.209
Oct 30, 2024 02:01:32.380362988 CET	443	60305	34.149.100.209	192.168.2.5
Oct 30, 2024 02:01:32.381036043 CET	60305	443	192.168.2.5	34.149.100.209
Oct 30, 2024 02:01:32.381076097 CET	60305	443	192.168.2.5	34.149.100.209
Oct 30, 2024 02:01:32.381086111 CET	443	60305	34.149.100.209	192.168.2.5
Oct 30, 2024 02:01:32.483303070 CET	80	60177	34.107.221.82	192.168.2.5
Oct 30, 2024 02:01:32.489458084 CET	60176	80	192.168.2.5	34.107.221.82
Oct 30, 2024 02:01:32.503604889 CET	80	60176	34.107.221.82	192.168.2.5
Oct 30, 2024 02:01:32.539484978 CET	60177	80	192.168.2.5	34.107.221.82
Oct 30, 2024 02:01:32.623996019 CET	80	60176	34.107.221.82	192.168.2.5
Oct 30, 2024 02:01:32.671051025 CET	60176	80	192.168.2.5	34.107.221.82
Oct 30, 2024 02:01:32.722778082 CET	443	60302	35.244.181.201	192.168.2.5
Oct 30, 2024 02:01:32.722882986 CET	60302	443	192.168.2.5	35.244.181.201
Oct 30, 2024 02:01:32.725954056 CET	60302	443	192.168.2.5	35.244.181.201
Oct 30, 2024 02:01:32.725966930 CET	443	60302	35.244.181.201	192.168.2.5
Oct 30, 2024 02:01:32.726346016 CET	443	60302	35.244.181.201	192.168.2.5
Oct 30, 2024 02:01:32.728069067 CET	443	60304	35.244.181.201	192.168.2.5
Oct 30, 2024 02:01:32.728363991 CET	60302	443	192.168.2.5	35.244.181.201
Oct 30, 2024 02:01:32.728466988 CET	60302	443	192.168.2.5	35.244.181.201
Oct 30, 2024 02:01:32.728468895 CET	60304	443	192.168.2.5	35.244.181.201
Oct 30, 2024 02:01:32.728565931 CET	443	60302	35.244.181.201	192.168.2.5
Oct 30, 2024 02:01:32.730700970 CET	443	60303	35.244.181.201	192.168.2.5
Oct 30, 2024 02:01:32.730782986 CET	60302	443	192.168.2.5	35.244.181.201
Oct 30, 2024 02:01:32.730813026 CET	60303	443	192.168.2.5	35.244.181.201
Oct 30, 2024 02:01:32.731076956 CET	60304	443	192.168.2.5	35.244.181.201
Oct 30, 2024 02:01:32.731093884 CET	443	60304	35.244.181.201	192.168.2.5
Oct 30, 2024 02:01:32.733756065 CET	60303	443	192.168.2.5	35.244.181.201
Oct 30, 2024 02:01:32.733783007 CET	443	60303	35.244.181.201	192.168.2.5
Oct 30, 2024 02:01:32.734051943 CET	443	60303	35.244.181.201	192.168.2.5
Oct 30, 2024 02:01:32.734272957 CET	443	60304	35.244.181.201	192.168.2.5
Oct 30, 2024 02:01:32.736138105 CET	60304	443	192.168.2.5	35.244.181.201
Oct 30, 2024 02:01:32.736231089 CET	60304	443	192.168.2.5	35.244.181.201
Oct 30, 2024 02:01:32.736470938 CET	60303	443	192.168.2.5	35.244.181.201
Oct 30, 2024 02:01:32.736515045 CET	60303	443	192.168.2.5	35.244.181.201
Oct 30, 2024 02:01:32.737874985 CET	443	60304	35.244.181.201	192.168.2.5
Oct 30, 2024 02:01:32.738023043 CET	443	60303	35.244.181.201	192.168.2.5
Oct 30, 2024 02:01:32.738434076 CET	60303	443	192.168.2.5	35.244.181.201
Oct 30, 2024 02:01:32.738445997 CET	60304	443	192.168.2.5	35.244.181.201
Oct 30, 2024 02:01:32.738459110 CET	60303	443	192.168.2.5	35.244.181.201
Oct 30, 2024 02:01:32.738470078 CET	60304	443	192.168.2.5	35.244.181.201
Oct 30, 2024 02:01:32.739860058 CET	60177	80	192.168.2.5	34.107.221.82
Oct 30, 2024 02:01:32.745198965 CET	80	60177	34.107.221.82	192.168.2.5
Oct 30, 2024 02:01:32.865711927 CET	80	60177	34.107.221.82	192.168.2.5
Oct 30, 2024 02:01:32.869715929 CET	60176	80	192.168.2.5	34.107.221.82
Oct 30, 2024 02:01:32.875549078 CET	80	60176	34.107.221.82	192.168.2.5
Oct 30, 2024 02:01:32.909502029 CET	60177	80	192.168.2.5	34.107.221.82
Oct 30, 2024 02:01:32.989290953 CET	443	60305	34.149.100.209	192.168.2.5
Oct 30, 2024 02:01:32.989376068 CET	60305	443	192.168.2.5	34.149.100.209
Oct 30, 2024 02:01:32.992819071 CET	60305	443	192.168.2.5	34.149.100.209
Oct 30, 2024 02:01:32.992839098 CET	443	60305	34.149.100.209	192.168.2.5
Oct 30, 2024 02:01:32.993129969 CET	443	60305	34.149.100.209	192.168.2.5
Oct 30, 2024 02:01:32.994992018 CET	80	60176	34.107.221.82	192.168.2.5
Oct 30, 2024 02:01:32.995887995 CET	60305	443	192.168.2.5	34.149.100.209
Oct 30, 2024 02:01:32.995960951 CET	60305	443	192.168.2.5	34.149.100.209
Oct 30, 2024 02:01:32.996145964 CET	443	60305	34.149.100.209	192.168.2.5
Oct 30, 2024 02:01:32.996329069 CET	60305	443	192.168.2.5	34.149.100.209
Oct 30, 2024 02:01:32.998635054 CET	60177	80	192.168.2.5	34.107.221.82
Oct 30, 2024 02:01:33.003912926 CET	80	60177	34.107.221.82	192.168.2.5
Oct 30, 2024 02:01:33.041027069 CET	60176	80	192.168.2.5	34.107.221.82
Oct 30, 2024 02:01:33.127489090 CET	80	60177	34.107.221.82	192.168.2.5
Oct 30, 2024 02:01:33.130382061 CET	60176	80	192.168.2.5	34.107.221.82
Oct 30, 2024 02:01:33.135749102 CET	80	60176	34.107.221.82	192.168.2.5
Oct 30, 2024 02:01:33.172622919 CET	60177	80	192.168.2.5	34.107.221.82
Oct 30, 2024 02:01:33.257019997 CET	80	60176	34.107.221.82	192.168.2.5
Oct 30, 2024 02:01:33.310738087 CET	60176	80	192.168.2.5	34.107.221.82
Oct 30, 2024 02:01:43.141438007 CET	60177	80	192.168.2.5	34.107.221.82
Oct 30, 2024 02:01:43.146754980 CET	80	60177	34.107.221.82	192.168.2.5
Oct 30, 2024 02:01:43.257389069 CET	60176	80	192.168.2.5	34.107.221.82
Oct 30, 2024 02:01:43.262799978 CET	80	60176	34.107.221.82	192.168.2.5
Oct 30, 2024 02:01:45.987226963 CET	60177	80	192.168.2.5	34.107.221.82
Oct 30, 2024 02:01:45.996211052 CET	80	60177	34.107.221.82	192.168.2.5
Oct 30, 2024 02:01:46.113066912 CET	80	60177	34.107.221.82	192.168.2.5
Oct 30, 2024 02:01:46.116111994 CET	60176	80	192.168.2.5	34.107.221.82
Oct 30, 2024 02:01:46.121499062 CET	80	60176	34.107.221.82	192.168.2.5
Oct 30, 2024 02:01:46.166465044 CET	60177	80	192.168.2.5	34.107.221.82
Oct 30, 2024 02:01:46.240875959 CET	80	60176	34.107.221.82	192.168.2.5
Oct 30, 2024 02:01:46.282269001 CET	60176	80	192.168.2.5	34.107.221.82
Oct 30, 2024 02:01:49.800968885 CET	60408	443	192.168.2.5	34.107.243.93
Oct 30, 2024 02:01:49.801021099 CET	443	60408	34.107.243.93	192.168.2.5
Oct 30, 2024 02:01:49.801398039 CET	60408	443	192.168.2.5	34.107.243.93
Oct 30, 2024 02:01:49.802789927 CET	60408	443	192.168.2.5	34.107.243.93
Oct 30, 2024 02:01:49.802814007 CET	443	60408	34.107.243.93	192.168.2.5
Oct 30, 2024 02:01:50.410777092 CET	443	60408	34.107.243.93	192.168.2.5
Oct 30, 2024 02:01:50.411323071 CET	60408	443	192.168.2.5	34.107.243.93
Oct 30, 2024 02:01:50.416083097 CET	60408	443	192.168.2.5	34.107.243.93
Oct 30, 2024 02:01:50.416100979 CET	443	60408	34.107.243.93	192.168.2.5
Oct 30, 2024 02:01:50.416191101 CET	60408	443	192.168.2.5	34.107.243.93
Oct 30, 2024 02:01:50.416244030 CET	443	60408	34.107.243.93	192.168.2.5
Oct 30, 2024 02:01:50.416800022 CET	60408	443	192.168.2.5	34.107.243.93
Oct 30, 2024 02:01:50.418689966 CET	60177	80	192.168.2.5	34.107.221.82
Oct 30, 2024 02:01:50.424000025 CET	80	60177	34.107.221.82	192.168.2.5
Oct 30, 2024 02:01:50.544101954 CET	80	60177	34.107.221.82	192.168.2.5
Oct 30, 2024 02:01:50.547051907 CET	60176	80	192.168.2.5	34.107.221.82
Oct 30, 2024 02:01:50.552325010 CET	80	60176	34.107.221.82	192.168.2.5
Oct 30, 2024 02:01:50.595402002 CET	60177	80	192.168.2.5	34.107.221.82
Oct 30, 2024 02:01:50.672533035 CET	80	60176	34.107.221.82	192.168.2.5
Oct 30, 2024 02:01:50.733510017 CET	60176	80	192.168.2.5	34.107.221.82
Oct 30, 2024 02:02:00.562824011 CET	60177	80	192.168.2.5	34.107.221.82
Oct 30, 2024 02:02:00.568408966 CET	80	60177	34.107.221.82	192.168.2.5
Oct 30, 2024 02:02:00.678692102 CET	60176	80	192.168.2.5	34.107.221.82
Oct 30, 2024 02:02:00.683901072 CET	80	60176	34.107.221.82	192.168.2.5
Oct 30, 2024 02:02:01.444785118 CET	60475	443	192.168.2.5	34.120.208.123
Oct 30, 2024 02:02:01.444819927 CET	443	60475	34.120.208.123	192.168.2.5
Oct 30, 2024 02:02:01.445106030 CET	60475	443	192.168.2.5	34.120.208.123
Oct 30, 2024 02:02:01.445204973 CET	60475	443	192.168.2.5	34.120.208.123
Oct 30, 2024 02:02:01.445214987 CET	443	60475	34.120.208.123	192.168.2.5
Oct 30, 2024 02:02:01.465210915 CET	60476	443	192.168.2.5	34.120.208.123
Oct 30, 2024 02:02:01.465276957 CET	443	60476	34.120.208.123	192.168.2.5
Oct 30, 2024 02:02:01.466761112 CET	60476	443	192.168.2.5	34.120.208.123
Oct 30, 2024 02:02:01.466933012 CET	60476	443	192.168.2.5	34.120.208.123
Oct 30, 2024 02:02:01.466945887 CET	443	60476	34.120.208.123	192.168.2.5
Oct 30, 2024 02:02:02.062978029 CET	443	60475	34.120.208.123	192.168.2.5
Oct 30, 2024 02:02:02.063127995 CET	60475	443	192.168.2.5	34.120.208.123
Oct 30, 2024 02:02:02.066409111 CET	60475	443	192.168.2.5	34.120.208.123
Oct 30, 2024 02:02:02.066418886 CET	443	60475	34.120.208.123	192.168.2.5
Oct 30, 2024 02:02:02.066617966 CET	443	60475	34.120.208.123	192.168.2.5
Oct 30, 2024 02:02:02.070463896 CET	60475	443	192.168.2.5	34.120.208.123
Oct 30, 2024 02:02:02.070574045 CET	60475	443	192.168.2.5	34.120.208.123
Oct 30, 2024 02:02:02.070591927 CET	443	60475	34.120.208.123	192.168.2.5
Oct 30, 2024 02:02:02.071105003 CET	60475	443	192.168.2.5	34.120.208.123
Oct 30, 2024 02:02:02.086741924 CET	443	60476	34.120.208.123	192.168.2.5
Oct 30, 2024 02:02:02.095329046 CET	443	60476	34.120.208.123	192.168.2.5
Oct 30, 2024 02:02:02.097793102 CET	60476	443	192.168.2.5	34.120.208.123
Oct 30, 2024 02:02:02.106161118 CET	60476	443	192.168.2.5	34.120.208.123
Oct 30, 2024 02:02:02.106185913 CET	443	60476	34.120.208.123	192.168.2.5
Oct 30, 2024 02:02:02.106498003 CET	443	60476	34.120.208.123	192.168.2.5
Oct 30, 2024 02:02:02.108901978 CET	60476	443	192.168.2.5	34.120.208.123
Oct 30, 2024 02:02:02.108990908 CET	60476	443	192.168.2.5	34.120.208.123
Oct 30, 2024 02:02:02.109105110 CET	443	60476	34.120.208.123	192.168.2.5
Oct 30, 2024 02:02:02.109455109 CET	60476	443	192.168.2.5	34.120.208.123
Oct 30, 2024 02:02:02.114643097 CET	60177	80	192.168.2.5	34.107.221.82
Oct 30, 2024 02:02:02.122339964 CET	80	60177	34.107.221.82	192.168.2.5
Oct 30, 2024 02:02:02.241647005 CET	80	60177	34.107.221.82	192.168.2.5
Oct 30, 2024 02:02:02.248641968 CET	60176	80	192.168.2.5	34.107.221.82
Oct 30, 2024 02:02:02.254949093 CET	80	60176	34.107.221.82	192.168.2.5
Oct 30, 2024 02:02:02.299722910 CET	60177	80	192.168.2.5	34.107.221.82
Oct 30, 2024 02:02:02.373617887 CET	80	60176	34.107.221.82	192.168.2.5
Oct 30, 2024 02:02:02.415133953 CET	60176	80	192.168.2.5	34.107.221.82
Oct 30, 2024 02:02:12.258728027 CET	60177	80	192.168.2.5	34.107.221.82
Oct 30, 2024 02:02:12.264038086 CET	80	60177	34.107.221.82	192.168.2.5
Oct 30, 2024 02:02:12.374583960 CET	60176	80	192.168.2.5	34.107.221.82
Oct 30, 2024 02:02:12.379911900 CET	80	60176	34.107.221.82	192.168.2.5
Oct 30, 2024 02:02:22.276705027 CET	60177	80	192.168.2.5	34.107.221.82
Oct 30, 2024 02:02:22.282002926 CET	80	60177	34.107.221.82	192.168.2.5
Oct 30, 2024 02:02:22.392680883 CET	60176	80	192.168.2.5	34.107.221.82
Oct 30, 2024 02:02:22.398397923 CET	80	60176	34.107.221.82	192.168.2.5
Oct 30, 2024 02:02:30.949141979 CET	60481	443	192.168.2.5	34.107.243.93
Oct 30, 2024 02:02:30.949181080 CET	443	60481	34.107.243.93	192.168.2.5
Oct 30, 2024 02:02:30.949668884 CET	60481	443	192.168.2.5	34.107.243.93
Oct 30, 2024 02:02:30.951266050 CET	60481	443	192.168.2.5	34.107.243.93
Oct 30, 2024 02:02:30.951276064 CET	443	60481	34.107.243.93	192.168.2.5
Oct 30, 2024 02:02:31.571635008 CET	443	60481	34.107.243.93	192.168.2.5
Oct 30, 2024 02:02:31.571774960 CET	60481	443	192.168.2.5	34.107.243.93
Oct 30, 2024 02:02:31.576062918 CET	60481	443	192.168.2.5	34.107.243.93
Oct 30, 2024 02:02:31.576070070 CET	443	60481	34.107.243.93	192.168.2.5
Oct 30, 2024 02:02:31.576208115 CET	60481	443	192.168.2.5	34.107.243.93
Oct 30, 2024 02:02:31.576332092 CET	443	60481	34.107.243.93	192.168.2.5
Oct 30, 2024 02:02:31.576452017 CET	60481	443	192.168.2.5	34.107.243.93
Oct 30, 2024 02:02:31.579375029 CET	60177	80	192.168.2.5	34.107.221.82
Oct 30, 2024 02:02:31.585402012 CET	80	60177	34.107.221.82	192.168.2.5
Oct 30, 2024 02:02:31.705935955 CET	80	60177	34.107.221.82	192.168.2.5
Oct 30, 2024 02:02:31.710431099 CET	60176	80	192.168.2.5	34.107.221.82
Oct 30, 2024 02:02:31.716523886 CET	80	60176	34.107.221.82	192.168.2.5
Oct 30, 2024 02:02:31.748303890 CET	60177	80	192.168.2.5	34.107.221.82
Oct 30, 2024 02:02:31.835946083 CET	80	60176	34.107.221.82	192.168.2.5
Oct 30, 2024 02:02:31.886471987 CET	60176	80	192.168.2.5	34.107.221.82
Oct 30, 2024 02:02:41.711736917 CET	60177	80	192.168.2.5	34.107.221.82
Oct 30, 2024 02:02:41.717127085 CET	80	60177	34.107.221.82	192.168.2.5
Oct 30, 2024 02:02:41.843410969 CET	60176	80	192.168.2.5	34.107.221.82
Oct 30, 2024 02:02:41.848671913 CET	80	60176	34.107.221.82	192.168.2.5
Oct 30, 2024 02:02:51.719496965 CET	60177	80	192.168.2.5	34.107.221.82
Oct 30, 2024 02:02:51.726893902 CET	80	60177	34.107.221.82	192.168.2.5
Oct 30, 2024 02:02:51.850555897 CET	60176	80	192.168.2.5	34.107.221.82
Oct 30, 2024 02:02:51.856059074 CET	80	60176	34.107.221.82	192.168.2.5
Oct 30, 2024 02:03:01.737560034 CET	60177	80	192.168.2.5	34.107.221.82
Oct 30, 2024 02:03:01.743029118 CET	80	60177	34.107.221.82	192.168.2.5
Oct 30, 2024 02:03:01.875758886 CET	60176	80	192.168.2.5	34.107.221.82
Oct 30, 2024 02:03:01.881119013 CET	80	60176	34.107.221.82	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 30, 2024 02:01:02.752552032 CET	50453	53	192.168.2.5	1.1.1.1
Oct 30, 2024 02:01:02.760360956 CET	53	50453	1.1.1.1	192.168.2.5
Oct 30, 2024 02:01:02.766793966 CET	62178	53	192.168.2.5	1.1.1.1
Oct 30, 2024 02:01:02.775049925 CET	53	62178	1.1.1.1	192.168.2.5
Oct 30, 2024 02:01:03.546542883 CET	53105	53	192.168.2.5	1.1.1.1
Oct 30, 2024 02:01:03.553766966 CET	53	53105	1.1.1.1	192.168.2.5
Oct 30, 2024 02:01:03.555043936 CET	63950	53	192.168.2.5	1.1.1.1
Oct 30, 2024 02:01:03.562139034 CET	53	63950	1.1.1.1	192.168.2.5
Oct 30, 2024 02:01:03.562901974 CET	60077	53	192.168.2.5	1.1.1.1
Oct 30, 2024 02:01:03.570709944 CET	53	60077	1.1.1.1	192.168.2.5
Oct 30, 2024 02:01:03.635731936 CET	60619	53	192.168.2.5	1.1.1.1
Oct 30, 2024 02:01:03.644236088 CET	51577	53	192.168.2.5	1.1.1.1
Oct 30, 2024 02:01:03.651510954 CET	53	51577	1.1.1.1	192.168.2.5
Oct 30, 2024 02:01:03.653490067 CET	59723	53	192.168.2.5	1.1.1.1
Oct 30, 2024 02:01:03.661662102 CET	53	59723	1.1.1.1	192.168.2.5
Oct 30, 2024 02:01:03.945122004 CET	51522	53	192.168.2.5	1.1.1.1
Oct 30, 2024 02:01:03.952678919 CET	56464	53	192.168.2.5	1.1.1.1
Oct 30, 2024 02:01:03.952734947 CET	53	51522	1.1.1.1	192.168.2.5
Oct 30, 2024 02:01:03.962982893 CET	53	56464	1.1.1.1	192.168.2.5
Oct 30, 2024 02:01:03.965166092 CET	52053	53	192.168.2.5	1.1.1.1
Oct 30, 2024 02:01:03.965323925 CET	62948	53	192.168.2.5	1.1.1.1
Oct 30, 2024 02:01:03.965786934 CET	51001	53	192.168.2.5	1.1.1.1
Oct 30, 2024 02:01:03.972731113 CET	53	52053	1.1.1.1	192.168.2.5
Oct 30, 2024 02:01:03.972810030 CET	53	62948	1.1.1.1	192.168.2.5
Oct 30, 2024 02:01:03.973311901 CET	53	51001	1.1.1.1	192.168.2.5
Oct 30, 2024 02:01:03.991647005 CET	50446	53	192.168.2.5	1.1.1.1
Oct 30, 2024 02:01:03.999651909 CET	53	50446	1.1.1.1	192.168.2.5
Oct 30, 2024 02:01:04.014579058 CET	60916	53	192.168.2.5	1.1.1.1
Oct 30, 2024 02:01:04.016309977 CET	62550	53	192.168.2.5	1.1.1.1
Oct 30, 2024 02:01:04.022247076 CET	53	60916	1.1.1.1	192.168.2.5
Oct 30, 2024 02:01:04.024385929 CET	53	62550	1.1.1.1	192.168.2.5
Oct 30, 2024 02:01:04.469796896 CET	62697	53	192.168.2.5	1.1.1.1
Oct 30, 2024 02:01:04.470477104 CET	61849	53	192.168.2.5	1.1.1.1
Oct 30, 2024 02:01:04.476993084 CET	53	62697	1.1.1.1	192.168.2.5
Oct 30, 2024 02:01:04.478696108 CET	53	61849	1.1.1.1	192.168.2.5
Oct 30, 2024 02:01:04.747277021 CET	57206	53	192.168.2.5	1.1.1.1
Oct 30, 2024 02:01:04.755645990 CET	49861	53	192.168.2.5	1.1.1.1
Oct 30, 2024 02:01:04.766329050 CET	53	49861	1.1.1.1	192.168.2.5
Oct 30, 2024 02:01:04.984270096 CET	58028	53	192.168.2.5	1.1.1.1
Oct 30, 2024 02:01:04.992335081 CET	53	58028	1.1.1.1	192.168.2.5
Oct 30, 2024 02:01:04.993165970 CET	62822	53	192.168.2.5	1.1.1.1
Oct 30, 2024 02:01:05.000678062 CET	53	62822	1.1.1.1	192.168.2.5
Oct 30, 2024 02:01:05.057171106 CET	53197	53	192.168.2.5	1.1.1.1
Oct 30, 2024 02:01:05.089698076 CET	50208	53	192.168.2.5	1.1.1.1
Oct 30, 2024 02:01:05.097980976 CET	53	50208	1.1.1.1	192.168.2.5
Oct 30, 2024 02:01:05.109642982 CET	56266	53	192.168.2.5	1.1.1.1
Oct 30, 2024 02:01:05.113192081 CET	53	63877	1.1.1.1	192.168.2.5
Oct 30, 2024 02:01:05.117351055 CET	53	56266	1.1.1.1	192.168.2.5
Oct 30, 2024 02:01:05.118010998 CET	63998	53	192.168.2.5	1.1.1.1
Oct 30, 2024 02:01:05.125094891 CET	53	63998	1.1.1.1	192.168.2.5
Oct 30, 2024 02:01:07.801809072 CET	59222	53	192.168.2.5	1.1.1.1
Oct 30, 2024 02:01:07.808248043 CET	52177	53	192.168.2.5	1.1.1.1
Oct 30, 2024 02:01:07.808990955 CET	53	59222	1.1.1.1	192.168.2.5
Oct 30, 2024 02:01:07.809850931 CET	60624	53	192.168.2.5	1.1.1.1
Oct 30, 2024 02:01:07.815573931 CET	53	52177	1.1.1.1	192.168.2.5
Oct 30, 2024 02:01:07.817572117 CET	53	60624	1.1.1.1	192.168.2.5
Oct 30, 2024 02:01:07.827478886 CET	53123	53	192.168.2.5	1.1.1.1
Oct 30, 2024 02:01:07.834630966 CET	53	53123	1.1.1.1	192.168.2.5
Oct 30, 2024 02:01:07.836298943 CET	58421	53	192.168.2.5	1.1.1.1
Oct 30, 2024 02:01:07.843707085 CET	53	58421	1.1.1.1	192.168.2.5
Oct 30, 2024 02:01:10.588732958 CET	58341	53	192.168.2.5	1.1.1.1
Oct 30, 2024 02:01:10.595895052 CET	53	58341	1.1.1.1	192.168.2.5
Oct 30, 2024 02:01:10.614618063 CET	50916	53	192.168.2.5	1.1.1.1
Oct 30, 2024 02:01:10.622286081 CET	53	50916	1.1.1.1	192.168.2.5
Oct 30, 2024 02:01:10.624572992 CET	58688	53	192.168.2.5	1.1.1.1
Oct 30, 2024 02:01:10.631951094 CET	53	58688	1.1.1.1	192.168.2.5
Oct 30, 2024 02:01:12.734925032 CET	50728	53	192.168.2.5	1.1.1.1
Oct 30, 2024 02:01:12.734970093 CET	62070	53	192.168.2.5	1.1.1.1
Oct 30, 2024 02:01:12.735424042 CET	49296	53	192.168.2.5	1.1.1.1
Oct 30, 2024 02:01:12.742558002 CET	53	50728	1.1.1.1	192.168.2.5
Oct 30, 2024 02:01:12.742775917 CET	53	62070	1.1.1.1	192.168.2.5
Oct 30, 2024 02:01:12.742785931 CET	53	49296	1.1.1.1	192.168.2.5
Oct 30, 2024 02:01:12.831222057 CET	54407	53	192.168.2.5	1.1.1.1
Oct 30, 2024 02:01:12.831429005 CET	63536	53	192.168.2.5	1.1.1.1
Oct 30, 2024 02:01:12.832062006 CET	61669	53	192.168.2.5	1.1.1.1
Oct 30, 2024 02:01:12.838543892 CET	53	54407	1.1.1.1	192.168.2.5
Oct 30, 2024 02:01:12.839035988 CET	53	63536	1.1.1.1	192.168.2.5
Oct 30, 2024 02:01:12.839262009 CET	63108	53	192.168.2.5	1.1.1.1
Oct 30, 2024 02:01:12.839479923 CET	53	61669	1.1.1.1	192.168.2.5
Oct 30, 2024 02:01:12.839483976 CET	57743	53	192.168.2.5	1.1.1.1
Oct 30, 2024 02:01:12.839867115 CET	63852	53	192.168.2.5	1.1.1.1
Oct 30, 2024 02:01:12.846389055 CET	53	63108	1.1.1.1	192.168.2.5
Oct 30, 2024 02:01:12.846716881 CET	53	57743	1.1.1.1	192.168.2.5
Oct 30, 2024 02:01:12.847563028 CET	49595	53	192.168.2.5	1.1.1.1
Oct 30, 2024 02:01:12.853425026 CET	58162	53	192.168.2.5	1.1.1.1
Oct 30, 2024 02:01:12.854414940 CET	53	63852	1.1.1.1	192.168.2.5
Oct 30, 2024 02:01:12.855040073 CET	53	49595	1.1.1.1	192.168.2.5
Oct 30, 2024 02:01:12.856851101 CET	53385	53	192.168.2.5	1.1.1.1
Oct 30, 2024 02:01:12.861706972 CET	53	58162	1.1.1.1	192.168.2.5
Oct 30, 2024 02:01:12.865173101 CET	53	53385	1.1.1.1	192.168.2.5
Oct 30, 2024 02:01:12.866348982 CET	65157	53	192.168.2.5	1.1.1.1
Oct 30, 2024 02:01:12.874437094 CET	53	65157	1.1.1.1	192.168.2.5
Oct 30, 2024 02:01:12.948826075 CET	50937	53	192.168.2.5	1.1.1.1
Oct 30, 2024 02:01:12.957557917 CET	53	50937	1.1.1.1	192.168.2.5
Oct 30, 2024 02:01:12.958187103 CET	53286	53	192.168.2.5	1.1.1.1
Oct 30, 2024 02:01:12.966692924 CET	53	53286	1.1.1.1	192.168.2.5
Oct 30, 2024 02:01:17.019793034 CET	60794	53	192.168.2.5	1.1.1.1
Oct 30, 2024 02:01:17.027623892 CET	53	60794	1.1.1.1	192.168.2.5
Oct 30, 2024 02:01:17.152791023 CET	64343	53	192.168.2.5	1.1.1.1
Oct 30, 2024 02:01:17.160638094 CET	53	64343	1.1.1.1	192.168.2.5
Oct 30, 2024 02:01:17.163110971 CET	52275	53	192.168.2.5	1.1.1.1
Oct 30, 2024 02:01:17.170567989 CET	53	52275	1.1.1.1	192.168.2.5
Oct 30, 2024 02:01:28.665155888 CET	64232	53	192.168.2.5	1.1.1.1
Oct 30, 2024 02:01:28.672229052 CET	53	64232	1.1.1.1	192.168.2.5
Oct 30, 2024 02:01:29.284070015 CET	54070	53	192.168.2.5	1.1.1.1
Oct 30, 2024 02:01:31.430557013 CET	58795	53	192.168.2.5	1.1.1.1
Oct 30, 2024 02:01:31.437422991 CET	54900	53	192.168.2.5	1.1.1.1
Oct 30, 2024 02:01:31.438062906 CET	53	58795	1.1.1.1	192.168.2.5
Oct 30, 2024 02:01:31.440392971 CET	63707	53	192.168.2.5	1.1.1.1
Oct 30, 2024 02:01:31.446064949 CET	53	54900	1.1.1.1	192.168.2.5
Oct 30, 2024 02:01:31.448179960 CET	53	63707	1.1.1.1	192.168.2.5
Oct 30, 2024 02:01:31.450894117 CET	49263	53	192.168.2.5	1.1.1.1
Oct 30, 2024 02:01:31.458349943 CET	53	49263	1.1.1.1	192.168.2.5
Oct 30, 2024 02:01:31.459007025 CET	58473	53	192.168.2.5	1.1.1.1
Oct 30, 2024 02:01:31.476742983 CET	53	58473	1.1.1.1	192.168.2.5
Oct 30, 2024 02:01:31.727840900 CET	50993	53	192.168.2.5	1.1.1.1
Oct 30, 2024 02:01:31.735260963 CET	53	50993	1.1.1.1	192.168.2.5
Oct 30, 2024 02:01:31.738507986 CET	49562	53	192.168.2.5	1.1.1.1
Oct 30, 2024 02:01:31.746454954 CET	53	49562	1.1.1.1	192.168.2.5
Oct 30, 2024 02:01:31.753288031 CET	52118	53	192.168.2.5	1.1.1.1
Oct 30, 2024 02:01:31.760664940 CET	53	52118	1.1.1.1	192.168.2.5
Oct 30, 2024 02:01:49.801358938 CET	55118	53	192.168.2.5	1.1.1.1
Oct 30, 2024 02:01:49.808480978 CET	53	55118	1.1.1.1	192.168.2.5
Oct 30, 2024 02:02:01.481591940 CET	57669	53	192.168.2.5	1.1.1.1
Oct 30, 2024 02:02:01.488929033 CET	53	57669	1.1.1.1	192.168.2.5
Oct 30, 2024 02:02:30.786762953 CET	58490	53	192.168.2.5	1.1.1.1
Oct 30, 2024 02:02:30.946721077 CET	53	58490	1.1.1.1	192.168.2.5
Oct 30, 2024 02:02:30.949606895 CET	50738	53	192.168.2.5	1.1.1.1
Oct 30, 2024 02:02:30.958723068 CET	53	50738	1.1.1.1	192.168.2.5
Oct 30, 2024 02:02:31.579550028 CET	50230	53	192.168.2.5	1.1.1.1

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 30, 2024 02:01:02.752552032 CET	192.168.2.5	1.1.1.1	0x33c5	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 30, 2024 02:01:02.766793966 CET	192.168.2.5	1.1.1.1	0xd1ed	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 30, 2024 02:01:03.546542883 CET	192.168.2.5	1.1.1.1	0xf89c	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 02:01:03.555043936 CET	192.168.2.5	1.1.1.1	0x73e3	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 02:01:03.562901974 CET	192.168.2.5	1.1.1.1	0x8aca	Standard query (0)	youtube.com	28	IN (0x0001)	false
Oct 30, 2024 02:01:03.635731936 CET	192.168.2.5	1.1.1.1	0x979c	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 02:01:03.644236088 CET	192.168.2.5	1.1.1.1	0xaf96	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 30, 2024 02:01:03.653490067 CET	192.168.2.5	1.1.1.1	0x72a4	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 30, 2024 02:01:03.945122004 CET	192.168.2.5	1.1.1.1	0xb847	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 02:01:03.952678919 CET	192.168.2.5	1.1.1.1	0x5539	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 30, 2024 02:01:03.965166092 CET	192.168.2.5	1.1.1.1	0x737e	Standard query (0)	spocs.getpocket.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 02:01:03.965323925 CET	192.168.2.5	1.1.1.1	0xc16d	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 30, 2024 02:01:03.965786934 CET	192.168.2.5	1.1.1.1	0x7cd8	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 02:01:03.991647005 CET	192.168.2.5	1.1.1.1	0x5bc6	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 30, 2024 02:01:04.014579058 CET	192.168.2.5	1.1.1.1	0xadb8	Standard query (0)	contile.services.mozilla.com	28	IN (0x0001)	false
Oct 30, 2024 02:01:04.016309977 CET	192.168.2.5	1.1.1.1	0x4359	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 30, 2024 02:01:04.469796896 CET	192.168.2.5	1.1.1.1	0xe9fe	Standard query (0)	example.org	A (IP address)	IN (0x0001)	false
Oct 30, 2024 02:01:04.470477104 CET	192.168.2.5	1.1.1.1	0x691	Standard query (0)	ipv4only.arpa	A (IP address)	IN (0x0001)	false
Oct 30, 2024 02:01:04.747277021 CET	192.168.2.5	1.1.1.1	0x4887	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 02:01:04.755645990 CET	192.168.2.5	1.1.1.1	0x5486	Standard query (0)	content-signature-2.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Oct 30, 2024 02:01:04.984270096 CET	192.168.2.5	1.1.1.1	0x72d6	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 30, 2024 02:01:04.993165970 CET	192.168.2.5	1.1.1.1	0xfba4	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 30, 2024 02:01:05.057171106 CET	192.168.2.5	1.1.1.1	0x24e2	Standard query (0)	shavar.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 02:01:05.089698076 CET	192.168.2.5	1.1.1.1	0x5714	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 02:01:05.109642982 CET	192.168.2.5	1.1.1.1	0xd9ce	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 02:01:05.118010998 CET	192.168.2.5	1.1.1.1	0xd34	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 30, 2024 02:01:07.801809072 CET	192.168.2.5	1.1.1.1	0x5c67	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 02:01:07.808248043 CET	192.168.2.5	1.1.1.1	0xc7a5	Standard query (0)	firefox.settings.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 02:01:07.809850931 CET	192.168.2.5	1.1.1.1	0x4869	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 30, 2024 02:01:07.827478886 CET	192.168.2.5	1.1.1.1	0x26fb	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 30, 2024 02:01:07.836298943 CET	192.168.2.5	1.1.1.1	0xbafa	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 30, 2024 02:01:10.588732958 CET	192.168.2.5	1.1.1.1	0x7766	Standard query (0)	support.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 30, 2024 02:01:10.614618063 CET	192.168.2.5	1.1.1.1	0x81c8	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 30, 2024 02:01:10.624572992 CET	192.168.2.5	1.1.1.1	0x64a2	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 30, 2024 02:01:12.734925032 CET	192.168.2.5	1.1.1.1	0x5f11	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 02:01:12.734970093 CET	192.168.2.5	1.1.1.1	0x3969	Standard query (0)	www.wikipedia.org	A (IP address)	IN (0x0001)	false
Oct 30, 2024 02:01:12.735424042 CET	192.168.2.5	1.1.1.1	0xec89	Standard query (0)	www.facebook.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 02:01:12.831222057 CET	192.168.2.5	1.1.1.1	0x7296	Standard query (0)	youtube-ui.l.google.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 02:01:12.831429005 CET	192.168.2.5	1.1.1.1	0xa431	Standard query (0)	star-mini.c10r.facebook.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 02:01:12.832062006 CET	192.168.2.5	1.1.1.1	0x7031	Standard query (0)	dyna.wikimedia.org	A (IP address)	IN (0x0001)	false
Oct 30, 2024 02:01:12.839262009 CET	192.168.2.5	1.1.1.1	0xc928	Standard query (0)	youtube-ui.l.google.com	28	IN (0x0001)	false
Oct 30, 2024 02:01:12.839483976 CET	192.168.2.5	1.1.1.1	0x7c62	Standard query (0)	star-mini.c10r.facebook.com	28	IN (0x0001)	false
Oct 30, 2024 02:01:12.839867115 CET	192.168.2.5	1.1.1.1	0x1a89	Standard query (0)	dyna.wikimedia.org	28	IN (0x0001)	false
Oct 30, 2024 02:01:12.847563028 CET	192.168.2.5	1.1.1.1	0x33b2	Standard query (0)	www.reddit.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 02:01:12.853425026 CET	192.168.2.5	1.1.1.1	0xb3c9	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 02:01:12.856851101 CET	192.168.2.5	1.1.1.1	0x2701	Standard query (0)	reddit.map.fastly.net	A (IP address)	IN (0x0001)	false
Oct 30, 2024 02:01:12.866348982 CET	192.168.2.5	1.1.1.1	0x7f21	Standard query (0)	reddit.map.fastly.net	28	IN (0x0001)	false
Oct 30, 2024 02:01:12.948826075 CET	192.168.2.5	1.1.1.1	0xfb9f	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 02:01:12.958187103 CET	192.168.2.5	1.1.1.1	0x45b7	Standard query (0)	twitter.com	28	IN (0x0001)	false
Oct 30, 2024 02:01:17.019793034 CET	192.168.2.5	1.1.1.1	0xac2a	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 30, 2024 02:01:17.152791023 CET	192.168.2.5	1.1.1.1	0x2f66	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 02:01:17.163110971 CET	192.168.2.5	1.1.1.1	0x9af9	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 30, 2024 02:01:28.665155888 CET	192.168.2.5	1.1.1.1	0x8663	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 30, 2024 02:01:29.284070015 CET	192.168.2.5	1.1.1.1	0x85e2	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 02:01:31.430557013 CET	192.168.2.5	1.1.1.1	0x504d	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 30, 2024 02:01:31.437422991 CET	192.168.2.5	1.1.1.1	0xc91a	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 30, 2024 02:01:31.440392971 CET	192.168.2.5	1.1.1.1	0x6ee5	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 30, 2024 02:01:31.450894117 CET	192.168.2.5	1.1.1.1	0x6db6	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 30, 2024 02:01:31.459007025 CET	192.168.2.5	1.1.1.1	0x31da	Standard query (0)	services.addons.mozilla.org	28	IN (0x0001)	false
Oct 30, 2024 02:01:31.727840900 CET	192.168.2.5	1.1.1.1	0x7613	Standard query (0)	normandy.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Oct 30, 2024 02:01:31.738507986 CET	192.168.2.5	1.1.1.1	0x82c9	Standard query (0)	normandy-cdn.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 02:01:31.753288031 CET	192.168.2.5	1.1.1.1	0x2d7d	Standard query (0)	normandy-cdn.services.mozilla.com	28	IN (0x0001)	false
Oct 30, 2024 02:01:49.801358938 CET	192.168.2.5	1.1.1.1	0x9ea7	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 30, 2024 02:02:01.481591940 CET	192.168.2.5	1.1.1.1	0xc35b	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 30, 2024 02:02:30.786762953 CET	192.168.2.5	1.1.1.1	0xcf57	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 02:02:30.949606895 CET	192.168.2.5	1.1.1.1	0xe75c	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 30, 2024 02:02:31.579550028 CET	192.168.2.5	1.1.1.1	0x9a64	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 30, 2024 02:01:02.749454975 CET	1.1.1.1	192.168.2.5	0xaba	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Oct 30, 2024 02:01:02.760360956 CET	1.1.1.1	192.168.2.5	0x33c5	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Oct 30, 2024 02:01:03.553766966 CET	1.1.1.1	192.168.2.5	0xf89c	No error (0)	youtube.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Oct 30, 2024 02:01:03.562139034 CET	1.1.1.1	192.168.2.5	0x73e3	No error (0)	youtube.com		142.250.186.78	A (IP address)	IN (0x0001)	false
Oct 30, 2024 02:01:03.570709944 CET	1.1.1.1	192.168.2.5	0x8aca	No error (0)	youtube.com			28	IN (0x0001)	false
Oct 30, 2024 02:01:03.642998934 CET	1.1.1.1	192.168.2.5	0x979c	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 02:01:03.642998934 CET	1.1.1.1	192.168.2.5	0x979c	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 30, 2024 02:01:03.651510954 CET	1.1.1.1	192.168.2.5	0xaf96	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 30, 2024 02:01:03.661662102 CET	1.1.1.1	192.168.2.5	0x72a4	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net			28	IN (0x0001)	false
Oct 30, 2024 02:01:03.950500965 CET	1.1.1.1	192.168.2.5	0x37c7	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 02:01:03.950500965 CET	1.1.1.1	192.168.2.5	0x37c7	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 30, 2024 02:01:03.952734947 CET	1.1.1.1	192.168.2.5	0xb847	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 30, 2024 02:01:03.962982893 CET	1.1.1.1	192.168.2.5	0x5539	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 30, 2024 02:01:03.972731113 CET	1.1.1.1	192.168.2.5	0x737e	No error (0)	spocs.getpocket.com	prod.ads.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 02:01:03.972731113 CET	1.1.1.1	192.168.2.5	0x737e	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 30, 2024 02:01:03.973311901 CET	1.1.1.1	192.168.2.5	0x7cd8	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 30, 2024 02:01:03.999651909 CET	1.1.1.1	192.168.2.5	0x5bc6	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 30, 2024 02:01:04.478696108 CET	1.1.1.1	192.168.2.5	0x691	No error (0)	ipv4only.arpa		192.0.0.170	A (IP address)	IN (0x0001)	false
Oct 30, 2024 02:01:04.478696108 CET	1.1.1.1	192.168.2.5	0x691	No error (0)	ipv4only.arpa		192.0.0.171	A (IP address)	IN (0x0001)	false
Oct 30, 2024 02:01:04.754352093 CET	1.1.1.1	192.168.2.5	0x4887	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 02:01:04.754352093 CET	1.1.1.1	192.168.2.5	0x4887	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 30, 2024 02:01:04.766329050 CET	1.1.1.1	192.168.2.5	0x5486	No error (0)	content-signature-2.cdn.mozilla.net	content-signature-chains.prod.autograph.services.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 02:01:04.766329050 CET	1.1.1.1	192.168.2.5	0x5486	No error (0)	content-signature-chains.prod.autograph.services.mozaws.net	prod.content-signature-chains.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 02:01:04.766329050 CET	1.1.1.1	192.168.2.5	0x5486	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Oct 30, 2024 02:01:04.992335081 CET	1.1.1.1	192.168.2.5	0x72d6	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Oct 30, 2024 02:01:05.000678062 CET	1.1.1.1	192.168.2.5	0xfba4	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net			28	IN (0x0001)	false
Oct 30, 2024 02:01:05.066580057 CET	1.1.1.1	192.168.2.5	0x24e2	No error (0)	shavar.services.mozilla.com	shavar.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 02:01:05.097980976 CET	1.1.1.1	192.168.2.5	0x5714	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 30, 2024 02:01:05.117351055 CET	1.1.1.1	192.168.2.5	0xd9ce	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 30, 2024 02:01:07.620522976 CET	1.1.1.1	192.168.2.5	0x420c	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 02:01:07.620522976 CET	1.1.1.1	192.168.2.5	0x420c	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 30, 2024 02:01:07.798860073 CET	1.1.1.1	192.168.2.5	0x9d17	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 30, 2024 02:01:07.808990955 CET	1.1.1.1	192.168.2.5	0x5c67	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 30, 2024 02:01:07.815573931 CET	1.1.1.1	192.168.2.5	0xc7a5	No error (0)	firefox.settings.services.mozilla.com	prod.remote-settings.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 02:01:07.815573931 CET	1.1.1.1	192.168.2.5	0xc7a5	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Oct 30, 2024 02:01:07.834630966 CET	1.1.1.1	192.168.2.5	0x26fb	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Oct 30, 2024 02:01:10.595895052 CET	1.1.1.1	192.168.2.5	0x7766	No error (0)	support.mozilla.org	prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 02:01:10.595895052 CET	1.1.1.1	192.168.2.5	0x7766	No error (0)	prod.sumo.prod.webservices.mozgcp.net	us-west1.prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 02:01:10.595895052 CET	1.1.1.1	192.168.2.5	0x7766	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Oct 30, 2024 02:01:10.622286081 CET	1.1.1.1	192.168.2.5	0x81c8	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Oct 30, 2024 02:01:10.627928972 CET	1.1.1.1	192.168.2.5	0x66e1	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 30, 2024 02:01:12.742558002 CET	1.1.1.1	192.168.2.5	0x5f11	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 02:01:12.742558002 CET	1.1.1.1	192.168.2.5	0x5f11	No error (0)	youtube-ui.l.google.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Oct 30, 2024 02:01:12.742558002 CET	1.1.1.1	192.168.2.5	0x5f11	No error (0)	youtube-ui.l.google.com		142.250.186.78	A (IP address)	IN (0x0001)	false
Oct 30, 2024 02:01:12.742558002 CET	1.1.1.1	192.168.2.5	0x5f11	No error (0)	youtube-ui.l.google.com		172.217.16.206	A (IP address)	IN (0x0001)	false
Oct 30, 2024 02:01:12.742558002 CET	1.1.1.1	192.168.2.5	0x5f11	No error (0)	youtube-ui.l.google.com		216.58.212.142	A (IP address)	IN (0x0001)	false
Oct 30, 2024 02:01:12.742558002 CET	1.1.1.1	192.168.2.5	0x5f11	No error (0)	youtube-ui.l.google.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Oct 30, 2024 02:01:12.742558002 CET	1.1.1.1	192.168.2.5	0x5f11	No error (0)	youtube-ui.l.google.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Oct 30, 2024 02:01:12.742558002 CET	1.1.1.1	192.168.2.5	0x5f11	No error (0)	youtube-ui.l.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Oct 30, 2024 02:01:12.742558002 CET	1.1.1.1	192.168.2.5	0x5f11	No error (0)	youtube-ui.l.google.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Oct 30, 2024 02:01:12.742558002 CET	1.1.1.1	192.168.2.5	0x5f11	No error (0)	youtube-ui.l.google.com		216.58.206.78	A (IP address)	IN (0x0001)	false
Oct 30, 2024 02:01:12.742558002 CET	1.1.1.1	192.168.2.5	0x5f11	No error (0)	youtube-ui.l.google.com		142.250.181.238	A (IP address)	IN (0x0001)	false
Oct 30, 2024 02:01:12.742558002 CET	1.1.1.1	192.168.2.5	0x5f11	No error (0)	youtube-ui.l.google.com		142.250.186.46	A (IP address)	IN (0x0001)	false
Oct 30, 2024 02:01:12.742558002 CET	1.1.1.1	192.168.2.5	0x5f11	No error (0)	youtube-ui.l.google.com		216.58.206.46	A (IP address)	IN (0x0001)	false
Oct 30, 2024 02:01:12.742558002 CET	1.1.1.1	192.168.2.5	0x5f11	No error (0)	youtube-ui.l.google.com		142.250.186.110	A (IP address)	IN (0x0001)	false
Oct 30, 2024 02:01:12.742558002 CET	1.1.1.1	192.168.2.5	0x5f11	No error (0)	youtube-ui.l.google.com		142.250.185.174	A (IP address)	IN (0x0001)	false
Oct 30, 2024 02:01:12.742558002 CET	1.1.1.1	192.168.2.5	0x5f11	No error (0)	youtube-ui.l.google.com		172.217.18.14	A (IP address)	IN (0x0001)	false
Oct 30, 2024 02:01:12.742558002 CET	1.1.1.1	192.168.2.5	0x5f11	No error (0)	youtube-ui.l.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Oct 30, 2024 02:01:12.742775917 CET	1.1.1.1	192.168.2.5	0x3969	No error (0)	www.wikipedia.org	dyna.wikimedia.org		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 02:01:12.742775917 CET	1.1.1.1	192.168.2.5	0x3969	No error (0)	dyna.wikimedia.org		185.15.59.224	A (IP address)	IN (0x0001)	false
Oct 30, 2024 02:01:12.742785931 CET	1.1.1.1	192.168.2.5	0xec89	No error (0)	www.facebook.com	star-mini.c10r.facebook.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 02:01:12.742785931 CET	1.1.1.1	192.168.2.5	0xec89	No error (0)	star-mini.c10r.facebook.com		157.240.0.35	A (IP address)	IN (0x0001)	false
Oct 30, 2024 02:01:12.838543892 CET	1.1.1.1	192.168.2.5	0x7296	No error (0)	youtube-ui.l.google.com		172.217.16.206	A (IP address)	IN (0x0001)	false
Oct 30, 2024 02:01:12.838543892 CET	1.1.1.1	192.168.2.5	0x7296	No error (0)	youtube-ui.l.google.com		142.250.74.206	A (IP address)	IN (0x0001)	false
Oct 30, 2024 02:01:12.838543892 CET	1.1.1.1	192.168.2.5	0x7296	No error (0)	youtube-ui.l.google.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Oct 30, 2024 02:01:12.838543892 CET	1.1.1.1	192.168.2.5	0x7296	No error (0)	youtube-ui.l.google.com		216.58.206.78	A (IP address)	IN (0x0001)	false
Oct 30, 2024 02:01:12.838543892 CET	1.1.1.1	192.168.2.5	0x7296	No error (0)	youtube-ui.l.google.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Oct 30, 2024 02:01:12.838543892 CET	1.1.1.1	192.168.2.5	0x7296	No error (0)	youtube-ui.l.google.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Oct 30, 2024 02:01:12.838543892 CET	1.1.1.1	192.168.2.5	0x7296	No error (0)	youtube-ui.l.google.com		142.250.186.110	A (IP address)	IN (0x0001)	false
Oct 30, 2024 02:01:12.838543892 CET	1.1.1.1	192.168.2.5	0x7296	No error (0)	youtube-ui.l.google.com		172.217.18.14	A (IP address)	IN (0x0001)	false
Oct 30, 2024 02:01:12.838543892 CET	1.1.1.1	192.168.2.5	0x7296	No error (0)	youtube-ui.l.google.com		172.217.18.110	A (IP address)	IN (0x0001)	false
Oct 30, 2024 02:01:12.838543892 CET	1.1.1.1	192.168.2.5	0x7296	No error (0)	youtube-ui.l.google.com		142.250.185.174	A (IP address)	IN (0x0001)	false
Oct 30, 2024 02:01:12.838543892 CET	1.1.1.1	192.168.2.5	0x7296	No error (0)	youtube-ui.l.google.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Oct 30, 2024 02:01:12.838543892 CET	1.1.1.1	192.168.2.5	0x7296	No error (0)	youtube-ui.l.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Oct 30, 2024 02:01:12.838543892 CET	1.1.1.1	192.168.2.5	0x7296	No error (0)	youtube-ui.l.google.com		142.250.186.174	A (IP address)	IN (0x0001)	false
Oct 30, 2024 02:01:12.838543892 CET	1.1.1.1	192.168.2.5	0x7296	No error (0)	youtube-ui.l.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Oct 30, 2024 02:01:12.838543892 CET	1.1.1.1	192.168.2.5	0x7296	No error (0)	youtube-ui.l.google.com		142.250.185.110	A (IP address)	IN (0x0001)	false
Oct 30, 2024 02:01:12.838543892 CET	1.1.1.1	192.168.2.5	0x7296	No error (0)	youtube-ui.l.google.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Oct 30, 2024 02:01:12.839479923 CET	1.1.1.1	192.168.2.5	0x7031	No error (0)	dyna.wikimedia.org		185.15.59.224	A (IP address)	IN (0x0001)	false
Oct 30, 2024 02:01:12.846389055 CET	1.1.1.1	192.168.2.5	0xc928	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 30, 2024 02:01:12.846389055 CET	1.1.1.1	192.168.2.5	0xc928	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 30, 2024 02:01:12.846389055 CET	1.1.1.1	192.168.2.5	0xc928	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 30, 2024 02:01:12.846389055 CET	1.1.1.1	192.168.2.5	0xc928	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 30, 2024 02:01:12.846716881 CET	1.1.1.1	192.168.2.5	0x7c62	No error (0)	star-mini.c10r.facebook.com			28	IN (0x0001)	false
Oct 30, 2024 02:01:12.854414940 CET	1.1.1.1	192.168.2.5	0x1a89	No error (0)	dyna.wikimedia.org			28	IN (0x0001)	false
Oct 30, 2024 02:01:12.855040073 CET	1.1.1.1	192.168.2.5	0x33b2	No error (0)	www.reddit.com	reddit.map.fastly.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 02:01:12.855040073 CET	1.1.1.1	192.168.2.5	0x33b2	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Oct 30, 2024 02:01:12.855040073 CET	1.1.1.1	192.168.2.5	0x33b2	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Oct 30, 2024 02:01:12.855040073 CET	1.1.1.1	192.168.2.5	0x33b2	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Oct 30, 2024 02:01:12.855040073 CET	1.1.1.1	192.168.2.5	0x33b2	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Oct 30, 2024 02:01:12.861706972 CET	1.1.1.1	192.168.2.5	0xb3c9	No error (0)	twitter.com		104.244.42.193	A (IP address)	IN (0x0001)	false
Oct 30, 2024 02:01:12.865173101 CET	1.1.1.1	192.168.2.5	0x2701	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Oct 30, 2024 02:01:12.865173101 CET	1.1.1.1	192.168.2.5	0x2701	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Oct 30, 2024 02:01:12.865173101 CET	1.1.1.1	192.168.2.5	0x2701	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Oct 30, 2024 02:01:12.865173101 CET	1.1.1.1	192.168.2.5	0x2701	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Oct 30, 2024 02:01:12.957557917 CET	1.1.1.1	192.168.2.5	0xfb9f	No error (0)	twitter.com		104.244.42.129	A (IP address)	IN (0x0001)	false
Oct 30, 2024 02:01:17.160638094 CET	1.1.1.1	192.168.2.5	0x2f66	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 30, 2024 02:01:29.291789055 CET	1.1.1.1	192.168.2.5	0x85e2	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 02:01:29.291789055 CET	1.1.1.1	192.168.2.5	0x85e2	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 30, 2024 02:01:31.436503887 CET	1.1.1.1	192.168.2.5	0x3645	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 02:01:31.436503887 CET	1.1.1.1	192.168.2.5	0x3645	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 30, 2024 02:01:31.438062906 CET	1.1.1.1	192.168.2.5	0x504d	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 30, 2024 02:01:31.446064949 CET	1.1.1.1	192.168.2.5	0xc91a	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Oct 30, 2024 02:01:31.446064949 CET	1.1.1.1	192.168.2.5	0xc91a	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Oct 30, 2024 02:01:31.446064949 CET	1.1.1.1	192.168.2.5	0xc91a	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Oct 30, 2024 02:01:31.446064949 CET	1.1.1.1	192.168.2.5	0xc91a	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Oct 30, 2024 02:01:31.458349943 CET	1.1.1.1	192.168.2.5	0x6db6	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Oct 30, 2024 02:01:31.458349943 CET	1.1.1.1	192.168.2.5	0x6db6	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Oct 30, 2024 02:01:31.458349943 CET	1.1.1.1	192.168.2.5	0x6db6	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Oct 30, 2024 02:01:31.458349943 CET	1.1.1.1	192.168.2.5	0x6db6	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Oct 30, 2024 02:01:31.476742983 CET	1.1.1.1	192.168.2.5	0x31da	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Oct 30, 2024 02:01:31.476742983 CET	1.1.1.1	192.168.2.5	0x31da	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Oct 30, 2024 02:01:31.476742983 CET	1.1.1.1	192.168.2.5	0x31da	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Oct 30, 2024 02:01:31.476742983 CET	1.1.1.1	192.168.2.5	0x31da	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Oct 30, 2024 02:01:31.735260963 CET	1.1.1.1	192.168.2.5	0x7613	No error (0)	normandy.cdn.mozilla.net	normandy-cdn.services.mozilla.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 02:01:31.735260963 CET	1.1.1.1	192.168.2.5	0x7613	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Oct 30, 2024 02:01:31.746454954 CET	1.1.1.1	192.168.2.5	0x82c9	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Oct 30, 2024 02:01:32.750247955 CET	1.1.1.1	192.168.2.5	0x509b	No error (0)	a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com	a17.rackcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 02:01:32.750247955 CET	1.1.1.1	192.168.2.5	0x509b	No error (0)	a17.rackcdn.com	a17.rackcdn.com.mdc.edgesuite.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 02:02:01.451762915 CET	1.1.1.1	192.168.2.5	0xa47a	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 30, 2024 02:02:30.946721077 CET	1.1.1.1	192.168.2.5	0xcf57	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 30, 2024 02:02:31.589075089 CET	1.1.1.1	192.168.2.5	0x9a64	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 02:02:31.589075089 CET	1.1.1.1	192.168.2.5	0x9a64	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

detectportal.firefox.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49714	34.107.221.82	80	2200	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 30, 2024 02:01:03.706865072 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 30, 2024 02:01:04.310900927 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 29 Oct 2024 13:44:17 GMT Age: 40607 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 30, 2024 02:01:04.742530107 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 30, 2024 02:01:04.870429039 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 29 Oct 2024 13:44:17 GMT Age: 40607 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	60175	34.107.221.82	80	2200	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 30, 2024 02:01:04.989759922 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	60176	34.107.221.82	80	2200	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 30, 2024 02:01:05.029197931 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 30, 2024 02:01:05.624134064 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 29 Oct 2024 16:15:31 GMT Age: 31534 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 30, 2024 02:01:05.708992004 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 30, 2024 02:01:05.836102009 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 29 Oct 2024 16:15:31 GMT Age: 31534 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 30, 2024 02:01:06.928397894 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 30, 2024 02:01:07.053395033 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 29 Oct 2024 16:15:31 GMT Age: 31535 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 30, 2024 02:01:07.790962934 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 30, 2024 02:01:07.916457891 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 29 Oct 2024 16:15:31 GMT Age: 31536 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 30, 2024 02:01:10.708231926 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 30, 2024 02:01:10.833295107 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 29 Oct 2024 16:15:31 GMT Age: 31539 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 30, 2024 02:01:17.153337955 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 30, 2024 02:01:17.278268099 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 29 Oct 2024 16:15:31 GMT Age: 31546 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 30, 2024 02:01:19.115247011 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 30, 2024 02:01:19.239972115 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 29 Oct 2024 16:15:31 GMT Age: 31548 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 30, 2024 02:01:29.260494947 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 30, 2024 02:01:29.413093090 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 30, 2024 02:01:29.539446115 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 29 Oct 2024 16:15:31 GMT Age: 31558 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 30, 2024 02:01:32.184817076 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 30, 2024 02:01:32.309812069 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 29 Oct 2024 16:15:31 GMT Age: 31561 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 30, 2024 02:01:32.489458084 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 30, 2024 02:01:32.623996019 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 29 Oct 2024 16:15:31 GMT Age: 31561 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 30, 2024 02:01:32.869715929 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 30, 2024 02:01:32.994992018 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 29 Oct 2024 16:15:31 GMT Age: 31561 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 30, 2024 02:01:33.130382061 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 30, 2024 02:01:33.257019997 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 29 Oct 2024 16:15:31 GMT Age: 31562 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 30, 2024 02:01:43.257389069 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 30, 2024 02:01:46.116111994 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 30, 2024 02:01:46.240875959 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 29 Oct 2024 16:15:31 GMT Age: 31575 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 30, 2024 02:01:50.547051907 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 30, 2024 02:01:50.672533035 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 29 Oct 2024 16:15:31 GMT Age: 31579 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 30, 2024 02:02:00.678692102 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 30, 2024 02:02:02.248641968 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 30, 2024 02:02:02.373617887 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 29 Oct 2024 16:15:31 GMT Age: 31591 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 30, 2024 02:02:12.374583960 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 30, 2024 02:02:22.392680883 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 30, 2024 02:02:31.710431099 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 30, 2024 02:02:31.835946083 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 29 Oct 2024 16:15:31 GMT Age: 31620 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 30, 2024 02:02:41.843410969 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 30, 2024 02:02:51.850555897 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 30, 2024 02:03:01.875758886 CET	6	OUT	Data Raw: 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	60177	34.107.221.82	80	2200	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 30, 2024 02:01:05.043015957 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 30, 2024 02:01:05.641551018 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 29 Oct 2024 13:44:17 GMT Age: 40608 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 30, 2024 02:01:06.437819004 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 30, 2024 02:01:06.563930035 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 29 Oct 2024 13:44:17 GMT Age: 40609 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 30, 2024 02:01:07.332634926 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 30, 2024 02:01:07.473279953 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 29 Oct 2024 13:44:17 GMT Age: 40610 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 30, 2024 02:01:10.579627037 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 30, 2024 02:01:10.705483913 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 29 Oct 2024 13:44:17 GMT Age: 40613 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 30, 2024 02:01:16.903127909 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 30, 2024 02:01:17.030002117 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 29 Oct 2024 13:44:17 GMT Age: 40619 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 30, 2024 02:01:18.632534981 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 30, 2024 02:01:18.758183002 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 29 Oct 2024 13:44:17 GMT Age: 40621 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 30, 2024 02:01:28.758954048 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 30, 2024 02:01:29.283854961 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 30, 2024 02:01:29.409384012 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 29 Oct 2024 13:44:17 GMT Age: 40632 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 30, 2024 02:01:32.056313038 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 30, 2024 02:01:32.181680918 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 29 Oct 2024 13:44:17 GMT Age: 40635 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 30, 2024 02:01:32.347052097 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 30, 2024 02:01:32.483303070 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 29 Oct 2024 13:44:17 GMT Age: 40635 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 30, 2024 02:01:32.739860058 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 30, 2024 02:01:32.865711927 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 29 Oct 2024 13:44:17 GMT Age: 40635 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 30, 2024 02:01:32.998635054 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 30, 2024 02:01:33.127489090 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 29 Oct 2024 13:44:17 GMT Age: 40636 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 30, 2024 02:01:43.141438007 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 30, 2024 02:01:45.987226963 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 30, 2024 02:01:46.113066912 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 29 Oct 2024 13:44:17 GMT Age: 40649 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 30, 2024 02:01:50.418689966 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 30, 2024 02:01:50.544101954 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 29 Oct 2024 13:44:17 GMT Age: 40653 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 30, 2024 02:02:00.562824011 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 30, 2024 02:02:02.114643097 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 30, 2024 02:02:02.241647005 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 29 Oct 2024 13:44:17 GMT Age: 40665 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 30, 2024 02:02:12.258728027 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 30, 2024 02:02:22.276705027 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 30, 2024 02:02:31.579375029 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 30, 2024 02:02:31.705935955 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 29 Oct 2024 13:44:17 GMT Age: 40694 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 30, 2024 02:02:41.711736917 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 30, 2024 02:02:51.719496965 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 30, 2024 02:03:01.737560034 CET	6	OUT	Data Raw: 00 Data Ascii:

Target ID:	0
Start time:	21:00:55
Start date:	29/10/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x950000
File size:	919'552 bytes
MD5 hash:	17119CD02B34BDDF9D552169F1FCE6A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialFlusher, Description: Yara detected Credential Flusher, Source: 00000000.00000003.2106080741.00000000013E0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	21:00:55
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM firefox.exe /T
Imagebase:	0x850000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	21:00:55
Start date:	29/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	21:00:57
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM chrome.exe /T
Imagebase:	0x850000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	21:00:57
Start date:	29/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	21:00:58
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM msedge.exe /T
Imagebase:	0x850000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	21:00:58
Start date:	29/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	21:00:58
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM opera.exe /T
Imagebase:	0x850000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	21:00:58
Start date:	29/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	21:00:58
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM brave.exe /T
Imagebase:	0x850000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	21:00:58
Start date:	29/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	21:00:58
Start date:	29/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	21:00:58
Start date:	29/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	21:00:58
Start date:	29/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	21:00:59
Start date:	29/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2192 -parentBuildID 20230927232528 -prefsHandle 2128 -prefMapHandle 2124 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8e207330-ecfa-49ad-8e7c-41356c0cd337} 2200 "\\.\pipe\gecko-crash-server-pipe.2200" 1f3c8b71110 socket
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	21:01:01
Start date:	29/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3632 -parentBuildID 20230927232528 -prefsHandle 3500 -prefMapHandle 3512 -prefsLen 26338 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9511543d-a1a3-4026-862f-b022304d1792} 2200 "\\.\pipe\gecko-crash-server-pipe.2200" 1f3c8b8ff10 rdd
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	18
Start time:	21:01:06
Start date:	29/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5180 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 2772 -prefMapHandle 5088 -prefsLen 33119 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6ec730ef-4625-445b-87e7-6970859cdae0} 2200 "\\.\pipe\gecko-crash-server-pipe.2200" 1f3e0ef8910 utility
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.7%
Total number of Nodes:	1535
Total number of Limit Nodes:	52

Executed Functions

Function 009542DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 0095430D

Part of subcall function 00956B57: _wcslen.LIBCMT ref: 00956B6A

GetCurrentProcess.KERNEL32(?,009ECB64,00000000,?,?), ref: 00954422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00954429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00954454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00954466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00954474
FreeLibrary.KERNEL32(00000000,?,?), ref: 0095447B
GetSystemInfo.KERNEL32(?,?,?), ref: 009544A0

Strings

|O, xrefs: 009936F8
GetNativeSystemInfo, xrefs: 00954460
kernel32.dll, xrefs: 0095444F

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 6896e344eeb3273f510924be525e1720a80c33930ee770a350959ac9e567df7c
Instruction ID: 3219491e4de0a28b236f723b36ddca7ae09ae898ed1ed5c34bf71610aaf99678
Opcode Fuzzy Hash: 6896e344eeb3273f510924be525e1720a80c33930ee770a350959ac9e567df7c
Instruction Fuzzy Hash: 04A1A56191E2C0CFCBB1CBEE78851B57FE76B76305B0458B9D4819FA21D2248A4BDB21

Function 009542A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,009550AA,?,?,00000000,00000000), ref: 009542B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,009550AA,?,?,00000000,00000000), ref: 009542C9
LoadResource.KERNEL32(?,00000000,?,?,009550AA,?,?,00000000,00000000,?,?,?,?,?,?,00954F20), ref: 009935BE
SizeofResource.KERNEL32(?,00000000,?,?,009550AA,?,?,00000000,00000000,?,?,?,?,?,?,00954F20), ref: 009935D3
LockResource.KERNEL32(009550AA,?,?,009550AA,?,?,00000000,00000000,?,?,?,?,?,?,00954F20,?), ref: 009935E6

Strings

SCRIPT, xrefs: 009542BF

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 410ae080ce43f5b90a34326f142cc04f58a114db19838c479993d8b7712c9b06
Instruction ID: 859bdd2cc9274e65680d39e4b80b3988812e1cb377d7a3031eb47cd3a674c562
Opcode Fuzzy Hash: 410ae080ce43f5b90a34326f142cc04f58a114db19838c479993d8b7712c9b06
Instruction Fuzzy Hash: 1311ACB0200301BFDB218B6ADC88F277BBDEBC5B56F148169B9628A250DB71DC069620

Function 00992BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00952B6B

Part of subcall function 00953A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00A21418,?,00952E7F,?,?,?,00000000), ref: 00953A78

Part of subcall function 00959CB3: _wcslen.LIBCMT ref: 00959CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00A12224), ref: 00992C10
ShellExecuteW.SHELL32(00000000,?,?,00A12224), ref: 00992C17

Strings

runas, xrefs: 00992C0B

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: 4745aca4ab503522b5ef4d09899d55c3a9da6e35c7c3a8296c830c897dcc405b
Instruction ID: 657724056249d440f0762b02fcb100c3a4ea5e6669d457003c5320fbfc15f2d6
Opcode Fuzzy Hash: 4745aca4ab503522b5ef4d09899d55c3a9da6e35c7c3a8296c830c897dcc405b
Instruction Fuzzy Hash: 3911E771608345AAC714FF75E851BBD77A8AFE2342F44483CF986420A2DF30894EC712

Function 009BD4DC Relevance: 6.1, APIs: 4, Instructions: 86
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 009BD501
Process32FirstW.KERNEL32(00000000,?), ref: 009BD50F
Process32NextW.KERNEL32(00000000,?), ref: 009BD52F
CloseHandle.KERNELBASE(00000000), ref: 009BD5DC

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: dee7bcd8a0472a84375ead7271cccb0a3ea32b138378ce8ff1c46aac4b5e6bdf
Instruction ID: d751b9f52cad29f37c0a9b832f90fe50627771df250dda521168a645a0e95849
Opcode Fuzzy Hash: dee7bcd8a0472a84375ead7271cccb0a3ea32b138378ce8ff1c46aac4b5e6bdf
Instruction Fuzzy Hash: CB318D711083409FD311EF54C881BAFBBE8EFD9354F14092DF985871A2EB71A949CBA2

Function 009BDBBE Relevance: 6.0, APIs: 4, Instructions: 29
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(?,00995222), ref: 009BDBCE
GetFileAttributesW.KERNELBASE(?), ref: 009BDBDD
FindFirstFileW.KERNEL32(?,?), ref: 009BDBEE
FindClose.KERNEL32(00000000), ref: 009BDBFA

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: cc5cefd24ae9586b6510a3a0e5f4bf7226f24d8e9c46beab56063db2c257826d
Instruction ID: 0ae733701aeb337cd6bd92596a19319d3fe2a19bb7b18aa72dccebe082dab7d3
Opcode Fuzzy Hash: cc5cefd24ae9586b6510a3a0e5f4bf7226f24d8e9c46beab56063db2c257826d
Instruction Fuzzy Hash: 98F02B708299109782206B7CEE4E8EA3B6C9E01334B104702F9F6C21F0FBF09D56D6D5

Function 00974CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(009828E9,?,00974CBE,009828E9,00A188B8,0000000C,00974E15,009828E9,00000002,00000000,?,009828E9), ref: 00974D09
TerminateProcess.KERNEL32(00000000,?,00974CBE,009828E9,00A188B8,0000000C,00974E15,009828E9,00000002,00000000,?,009828E9), ref: 00974D10
ExitProcess.KERNEL32 ref: 00974D22

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 51909308866290b53ccc89c3521cc2fabd9356aebf86595a803315794008cb80
Instruction ID: 81714a3c4f62192d30106ca68d4f7a63b5406eb1e49cac10d1faa274141650d3
Opcode Fuzzy Hash: 51909308866290b53ccc89c3521cc2fabd9356aebf86595a803315794008cb80
Instruction Fuzzy Hash: 79E0B672014188AFCF21AF54DD5AA583B69EB81781B118014FC999E263DB35ED52DB80

Function 009DAFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 009DB198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 009DB1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 009DB1D4
_wcslen.LIBCMT ref: 009DB200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 009DB214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 009DB236
_wcslen.LIBCMT ref: 009DB332

Part of subcall function 009C05A7: GetStdHandle.KERNEL32(000000F6), ref: 009C05C6

_wcslen.LIBCMT ref: 009DB34B
_wcslen.LIBCMT ref: 009DB366
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 009DB3B6
GetLastError.KERNEL32(00000000), ref: 009DB407
CloseHandle.KERNEL32(?), ref: 009DB439
CloseHandle.KERNEL32(00000000), ref: 009DB44A
CloseHandle.KERNEL32(00000000), ref: 009DB45C
CloseHandle.KERNEL32(00000000), ref: 009DB46E
CloseHandle.KERNEL32(?), ref: 009DB4E3

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 16d0128c529db8706b224d9e2e26046890596ba7d801fe6c8585df6c9522f26b
Instruction ID: 52564c712c728030ca8fb63baef13a39161cc5c05c76bfeef3cb9608ce604bda
Opcode Fuzzy Hash: 16d0128c529db8706b224d9e2e26046890596ba7d801fe6c8585df6c9522f26b
Instruction Fuzzy Hash: 92F18832608340DFC714EF25D891B2ABBE5AF85714F15895EF8998B3A2DB31EC05CB52

Function 0095D730 Relevance: 21.6, APIs: 14, Instructions: 619windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 0095D807
timeGetTime.WINMM ref: 0095DA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0095DB28
TranslateMessage.USER32(?), ref: 0095DB7B
DispatchMessageW.USER32(?), ref: 0095DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0095DB9F
Sleep.KERNELBASE(0000000A), ref: 0095DBB1

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 3bf6bbb188ff41c3049111753ad4725563a09c9facf0cbe94b46e79fd2998676
Instruction ID: 436b7e5be2dbad4b11e8a7e5daf4cfde6d5b1811fa99252f703e014e9a0ddebc
Opcode Fuzzy Hash: 3bf6bbb188ff41c3049111753ad4725563a09c9facf0cbe94b46e79fd2998676
Instruction Fuzzy Hash: 00421470609341DFD734CF29C894BAAB7E5BF86305F14892DF89587291D774E849CB82

Function 00952CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00952D07
RegisterClassExW.USER32(00000030), ref: 00952D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00952D42
InitCommonControlsEx.COMCTL32(?), ref: 00952D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00952D6F
LoadIconW.USER32(000000A9), ref: 00952D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00952D94

Strings

TaskbarCreated, xrefs: 00952D37
AutoIt v3 GUI, xrefs: 00952D23
+, xrefs: 00952CF0
0, xrefs: 00952CE9

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 58edf0f24ca58202e7a4e8096b78a8e139ecb0c07098605b467e39095ef50606
Instruction ID: 14eee6303cf03b2357b0dcb83f586d0f0797196e8f7c24648aecd16b3fa35fe2
Opcode Fuzzy Hash: 58edf0f24ca58202e7a4e8096b78a8e139ecb0c07098605b467e39095ef50606
Instruction Fuzzy Hash: 7221F7B5911348AFDB10DFE8EC89BEDBBB4FB08705F00412AF551AA2A0D7B10942DF91

Function 0099065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0099039A: CreateFileW.KERNELBASE(00000000,00000000,?,00990704,?,?,00000000,?,00990704,00000000,0000000C), ref: 009903B7

GetLastError.KERNEL32 ref: 0099076F
__dosmaperr.LIBCMT ref: 00990776
GetFileType.KERNELBASE(00000000), ref: 00990782
GetLastError.KERNEL32 ref: 0099078C
__dosmaperr.LIBCMT ref: 00990795
CloseHandle.KERNEL32(00000000), ref: 009907B5
CloseHandle.KERNEL32(?), ref: 009908FF
GetLastError.KERNEL32 ref: 00990931
__dosmaperr.LIBCMT ref: 00990938

Strings

H, xrefs: 009908BD

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 1cab8e87ad30dfe5be61995c56fdb74ce8f905b3f22dbf59f345a9d2f5f0628b
Instruction ID: 524fbb7ff75753df1bf88541cff01c2d8c4d7216a52190167c577af2d1033f41
Opcode Fuzzy Hash: 1cab8e87ad30dfe5be61995c56fdb74ce8f905b3f22dbf59f345a9d2f5f0628b
Instruction Fuzzy Hash: 69A12732A141048FDF19EFACDC52BAE7BA4AB86320F144159F825AF392D7359C13CB91

Function 0095344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00953A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00A21418,?,00952E7F,?,?,?,00000000), ref: 00953A78

Part of subcall function 00953357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00953379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 0095356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0099318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 009931CE
RegCloseKey.ADVAPI32(?), ref: 00993210
_wcslen.LIBCMT ref: 00993277
_wcslen.LIBCMT ref: 00993286

Strings

Software\AutoIt v3\AutoIt, xrefs: 00953560
Include, xrefs: 00993184, 009931C5
\Include\, xrefs: 00953527
\, xrefs: 0099328C

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 50b5a2dfee4055e1b53537b53190e89f9a90c0f1360f510d951b860815458750
Instruction ID: 20f9c5f70344c48f934d26b20048e22b38d721f061f1ec4c39d6e3169539a9af
Opcode Fuzzy Hash: 50b5a2dfee4055e1b53537b53190e89f9a90c0f1360f510d951b860815458750
Instruction Fuzzy Hash: 07718271404301AEC724DF6AEC91A6BBBE8FFD5740F40483DF9859B161EB349A4ACB51

Function 00952B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00952B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00952B9D
LoadIconW.USER32(00000063), ref: 00952BB3
LoadIconW.USER32(000000A4), ref: 00952BC5
LoadIconW.USER32(000000A2), ref: 00952BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00952BEF
RegisterClassExW.USER32(?), ref: 00952C40

Part of subcall function 00952CD4: GetSysColorBrush.USER32(0000000F), ref: 00952D07
Part of subcall function 00952CD4: RegisterClassExW.USER32(00000030), ref: 00952D31
Part of subcall function 00952CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00952D42
Part of subcall function 00952CD4: InitCommonControlsEx.COMCTL32(?), ref: 00952D5F
Part of subcall function 00952CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00952D6F
Part of subcall function 00952CD4: LoadIconW.USER32(000000A9), ref: 00952D85
Part of subcall function 00952CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00952D94

Strings

#, xrefs: 00952C16
0, xrefs: 00952C0F
AutoIt v3, xrefs: 00952C2F

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 54d04b98be168cfa5d5765bdaf6ed79cc9932db1c075e81e6edcbbd377e52484
Instruction ID: eaceec00a6ea9e68bc18e6b44ca6b71149a4a0d8774948356a38ed8ed4fec225
Opcode Fuzzy Hash: 54d04b98be168cfa5d5765bdaf6ed79cc9932db1c075e81e6edcbbd377e52484
Instruction Fuzzy Hash: 6C2130B0D10354ABDB60DFD9EC89AA97FB5FB58B54F00003AE500AA660D7B10943DF90

Function 00953170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,0095316A,?,?), ref: 009531D8
KillTimer.USER32(?,00000001,?,?,?,?,?,0095316A,?,?), ref: 00953204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00953227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,0095316A,?,?), ref: 00953232
CreatePopupMenu.USER32 ref: 00953246
PostQuitMessage.USER32(00000000), ref: 00953267

Strings

TaskbarCreated, xrefs: 0095322D

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 402a66416430e850523ea07f1ac6f054fa45a1c8a5594090d7528923fdf34687
Instruction ID: 982e39983810b49249a55613a9f1fd3d2b31396519bb96ab322ff0a463cd5044
Opcode Fuzzy Hash: 402a66416430e850523ea07f1ac6f054fa45a1c8a5594090d7528923fdf34687
Instruction Fuzzy Hash: 3F419630218600BBDF24EBBD9D4DB793B1DE745382F048535FD128A1A1CB758E4A97A1

Function 00951410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00951459
CoUninitialize.COMBASE ref: 009514F8
UnregisterHotKey.USER32(?), ref: 009516DD
DestroyWindow.USER32(?), ref: 009924B9
FreeLibrary.KERNEL32(?), ref: 0099251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0099254B

Strings

close all, xrefs: 00951454

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 17ee739ee2de3d48d155f2b2fd8ea3d8151c5fe338de72fa3e9f7ef941191047
Instruction ID: fe22c3f1c70323644f88c4c80d149fa57e24821b51802cde676b2387ad0eafd1
Opcode Fuzzy Hash: 17ee739ee2de3d48d155f2b2fd8ea3d8151c5fe338de72fa3e9f7ef941191047
Instruction Fuzzy Hash: 98D1BE31702212DFCB29EF1AC899B29F7A4BF45701F1541ADE84A6B262DB31EC16CF51

Function 00952C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00952C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00952CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00951CAD,?), ref: 00952CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00951CAD,?), ref: 00952CCF

Strings

edit, xrefs: 00952CAC
AutoIt v3, xrefs: 00952C89, 00952C8E, 00952C8F

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: ddc016e0254ce53bf71ed45bc2c444d52a81bdc5cea93bfbc2312498575602d4
Instruction ID: 790ecccae7432c5bd2e3419e789707573da04bc4e6b50f0ec8a3e968e121518d
Opcode Fuzzy Hash: ddc016e0254ce53bf71ed45bc2c444d52a81bdc5cea93bfbc2312498575602d4
Instruction Fuzzy Hash: 36F03AB95413D47AEB71875BAC4CE772EBED7DAF50B01003AF900AA1A0C2710C43DAB0

Function 00953B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00953B0F,SwapMouseButtons,00000004,?), ref: 00953B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00953B0F,SwapMouseButtons,00000004,?), ref: 00953B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00953B0F,SwapMouseButtons,00000004,?), ref: 00953B83

Strings

Control Panel\Mouse, xrefs: 00953B3E

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 0ba3b3956eb2b5a85af3b133c1ee6ebb621e3e07c4d04e7c60f40e877bd6972d
Instruction ID: eeb031a5e5fded04b292cd482ea8dc9a4482ab655de4f82a097ae128404c4cd0
Opcode Fuzzy Hash: 0ba3b3956eb2b5a85af3b133c1ee6ebb621e3e07c4d04e7c60f40e877bd6972d
Instruction Fuzzy Hash: CA112AB5520218FFDB20CFA6DC84ABEB7BCEF05786B108959F805D7110D2319F45AB60

Function 00953923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 009933A2

Part of subcall function 00956B57: _wcslen.LIBCMT ref: 00956B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00953A04

Strings

Line: , xrefs: 009933EB

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 426ed12ca5e45b924766bd72b335a65c52deddf18976a44e8f0f5597476271df
Instruction ID: 5946d901704da8f3a3183b287a5c1e8d0c7ccfa6027db74579fefdb66d32b979
Opcode Fuzzy Hash: 426ed12ca5e45b924766bd72b335a65c52deddf18976a44e8f0f5597476271df
Instruction Fuzzy Hash: CB3136B1408304ABC721EB25DC45BEFB3DCAF90751F00892AF99987191EB709A4EC7C2

Function 0096FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00970668

Part of subcall function 009732A4: RaiseException.KERNEL32(?,?,?,0097068A,?,00A21444,?,?,?,?,?,?,0097068A,00951129,00A18738,00951129), ref: 00973304

__CxxThrowException@8.LIBVCRUNTIME ref: 00970685

Strings

Unknown exception, xrefs: 00970692

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 3d9fd19a7e3b3df02f6e2edad7daec53e91a254b4217361d556e172f5932a7a4
Instruction ID: 5e0d1facd7b77326407c02a6c4e210fd5c08d873854802cf7f0f7c2ca3cd4eeb
Opcode Fuzzy Hash: 3d9fd19a7e3b3df02f6e2edad7daec53e91a254b4217361d556e172f5932a7a4
Instruction Fuzzy Hash: 80F0C23690020DB7CB00B665E866E9E7B6C6EC0350B60C671B82C965D2EF71EA65C980

Function 009510F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00951BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00951BF4
Part of subcall function 00951BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00951BFC
Part of subcall function 00951BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00951C07
Part of subcall function 00951BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00951C12
Part of subcall function 00951BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00951C1A
Part of subcall function 00951BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00951C22

Part of subcall function 00951B4A: RegisterWindowMessageW.USER32(00000004,?,009512C4), ref: 00951BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0095136A
OleInitialize.OLE32 ref: 00951388
CloseHandle.KERNEL32(00000000,00000000), ref: 009924AB

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 2494297c513fef61a35a0cda17d28cd49d7d6011e7538b2f4ba65bec573b4815
Instruction ID: cdea7623b3aa0a2868894d2a82b76fb1e617c4297c4826ecd75ea8d336f3e1f4
Opcode Fuzzy Hash: 2494297c513fef61a35a0cda17d28cd49d7d6011e7538b2f4ba65bec573b4815
Instruction Fuzzy Hash: A971CCB49113448FC7A4EFBEAD956753AE1FBA834475482BAD84AC7362EB344407CF44

Function 009BC161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00953923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00953A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 009BC259
KillTimer.USER32(?,00000001,?,?), ref: 009BC261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 009BC270

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: 0b77c408cfc658c4f8da34cafe0425a9b853108dc773fd7c045a684d03054c35
Instruction ID: 5b9163a522da32d8be82bdef1128c4420f6fc348170f645cc2a206a1110c2749
Opcode Fuzzy Hash: 0b77c408cfc658c4f8da34cafe0425a9b853108dc773fd7c045a684d03054c35
Instruction Fuzzy Hash: 2D31D5B0904384AFEB32CF648995BE7BBEC9F06314F00049ED5EAA7241C374AA85CB51

Function 009886AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,009885CC,?,00A18CC8,0000000C), ref: 00988704
GetLastError.KERNEL32(?,009885CC,?,00A18CC8,0000000C), ref: 0098870E
__dosmaperr.LIBCMT ref: 00988739

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: 648bec51828edc211ce1738bb2cfebd8fc3a7840fed77488cd00be9fc4fc63e9
Instruction ID: 1b5efde7887a0872002090293264898dbd198542728d1f624d3692fb68b533c9
Opcode Fuzzy Hash: 648bec51828edc211ce1738bb2cfebd8fc3a7840fed77488cd00be9fc4fc63e9
Instruction Fuzzy Hash: 69012B3760566056D634B2386849B7F675D4BC1774F79011AF8149B3D3EEA5DC828360

Function 0095DB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 0095DB7B
DispatchMessageW.USER32(?), ref: 0095DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0095DB9F
Sleep.KERNELBASE(0000000A), ref: 0095DBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 009A1CC9

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: a283937b0f819edbbc8b694e32830c170d70f963e04ed8b0b9527a96ef807c48
Instruction ID: f11091a966064caeb53e7f63c968fafc3148075354da2cdf29a83433db9dcc29
Opcode Fuzzy Hash: a283937b0f819edbbc8b694e32830c170d70f963e04ed8b0b9527a96ef807c48
Instruction Fuzzy Hash: 46F05E706193809BE730CBA18C89FAA73BDEB85311F104928EA8AC70C0DB30A4899B15

Function 00961310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 009617F6

Strings

CALL, xrefs: 009617C6

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: e08b629816d2b811455fceecc93db82497ba59cc18f90d91093df2a906e31dee
Instruction ID: 509134047eb5104b2fe1c42df8cc64387e5f7a0beb279f8459127457208c4c50
Opcode Fuzzy Hash: e08b629816d2b811455fceecc93db82497ba59cc18f90d91093df2a906e31dee
Instruction Fuzzy Hash: 88227B706083419FC714DF14C490B2ABBF5BF8A314F18896DF4968B3A2DB75E945CB92

Function 00952DE3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00992C8C

Part of subcall function 00953AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00953A97,?,?,00952E7F,?,?,?,00000000), ref: 00953AC2

Part of subcall function 00952DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00952DC4

Strings

X, xrefs: 00992C5A

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: 37e4e896e054b3417f088ff7fc61461f4b405996ccf87334d8e14ea06d3728f3
Instruction ID: c6489b65292763b624ee3c148cdc7944533b71276c5fcdf8136d308fb1900ee6
Opcode Fuzzy Hash: 37e4e896e054b3417f088ff7fc61461f4b405996ccf87334d8e14ea06d3728f3
Instruction Fuzzy Hash: 4921C671A102589FDF41DF95C8457EE7BFCAF89315F008059E805EB241EBB4598DCB61

Function 00953837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00953908

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: c2c46671b59e4d83e4008ea3788870f0905563c667c567920fcd72cc6f01c52c
Instruction ID: 29841ccc00bb7920ce3e91d9ef1c54551f59bac100fed558020638f26e24d3f9
Opcode Fuzzy Hash: c2c46671b59e4d83e4008ea3788870f0905563c667c567920fcd72cc6f01c52c
Instruction Fuzzy Hash: 0731D2B0504300CFD761DF69D885BA7BBE8FF49749F00092EFA9987250E771AA49CB52

Function 0096F645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0096F661

Part of subcall function 0095D730: GetInputState.USER32 ref: 0095D807

Sleep.KERNEL32(00000000), ref: 009AF2DE

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: 58ebcab8fd59bfac8b312ebda7d37e1f4e0daac40e6e125dedadda71e741d78c
Instruction ID: 8b576405fbb37d492978fcc0fb5ed0be88d74ef9ed42aaa3008902f4e6430ad0
Opcode Fuzzy Hash: 58ebcab8fd59bfac8b312ebda7d37e1f4e0daac40e6e125dedadda71e741d78c
Instruction Fuzzy Hash: D6F082712442059FD314EF75E455B5AB7E4EF8A761F000029FC59C7260DB70AC05CB90

Function 00954ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00954E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00954EDD,?,00A21418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00954E9C
Part of subcall function 00954E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00954EAE
Part of subcall function 00954E90: FreeLibrary.KERNEL32(00000000,?,?,00954EDD,?,00A21418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00954EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00A21418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00954EFD

Part of subcall function 00954E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00993CDE,?,00A21418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00954E62
Part of subcall function 00954E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00954E74
Part of subcall function 00954E59: FreeLibrary.KERNEL32(00000000,?,?,00993CDE,?,00A21418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00954E87

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 7cbb82165614d4f88471567d234be4678ba16c097c87ca04f072fe101d4821f5
Instruction ID: cec00cdb0c6059665632829701678ef4a75a4db500e18d0fe5dd3ec86fe0a3a5
Opcode Fuzzy Hash: 7cbb82165614d4f88471567d234be4678ba16c097c87ca04f072fe101d4821f5
Instruction Fuzzy Hash: 2D11C831610205ABCF14EF69DC12FAD77A59F80716F10841DFD42A61C1EE749E499B50

Function 00988402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00988440

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: b3a745b4aa7d007f240602832778dde61aeb300624e2bee5c63df0a9c6016350
Instruction ID: bdbcb5a168702e2f6f1caedaa655859b774169b27f7fb4ac39b73cc3dab322ea
Opcode Fuzzy Hash: b3a745b4aa7d007f240602832778dde61aeb300624e2bee5c63df0a9c6016350
Instruction Fuzzy Hash: 7911187690410AAFCF15DF58E941A9B7BF9EF48314F104069FC08AB312DB31DA11CBA5

Function 0097E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 2b40e42487ae2c3c335652b265098b95f227f1fda699197bad0acf73746f4390
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: B3F02833511A14E6C7313A698C05B5B339C9FD6330F108B55F829972D2DB74E80187A5

Function 00983820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00A21444,?,0096FDF5,?,?,0095A976,00000010,00A21440,009513FC,?,009513C6,?,00951129), ref: 00983852

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: d468137287497101d22d3a566c30db075eea29310d25d982af647099c2d79be7
Instruction ID: 918ad67fc3ad68ce68539ac850b86856fbd65af41cdf6a8e09c5b816a13a26ed
Opcode Fuzzy Hash: d468137287497101d22d3a566c30db075eea29310d25d982af647099c2d79be7
Instruction Fuzzy Hash: E0E0653220522457D63137669C06B9A365DAF82FB0F15C125BC59A6A91DB21DD0283E1

Function 00954F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00A21418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00954F6D

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 43651d77929d6f0c1890b48c4b769fdfdb86ba4419d55c83e7882a399527fd89
Instruction ID: 40ad9382c4223a2c556190cf052a8c3338d63c9c0cc614d2e20ca7a1fa07cd39
Opcode Fuzzy Hash: 43651d77929d6f0c1890b48c4b769fdfdb86ba4419d55c83e7882a399527fd89
Instruction Fuzzy Hash: 37F03071105751CFDB74DF6AD490852B7F4AF1431E3208D7EE9DA86511C7319888DF50

Function 009E2A55 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 009E2A66

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: f91c66f7122fd509a1691b15ae92cf8a4b8b115bc78da06ccff8a85483f986d1
Instruction ID: 55d127619cfe7069178969426ce83268a1730ebdc94b4d7ae143c7973db0588c
Opcode Fuzzy Hash: f91c66f7122fd509a1691b15ae92cf8a4b8b115bc78da06ccff8a85483f986d1
Instruction Fuzzy Hash: B9E02672754256AAC710EB31EC80AFE734CEF903A4700483AFC16C2180DB34DD9192E0

Function 009530F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 0095314E

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: ab8fdf04bd3f49a74370e7db545a6064729d7852413afa32bb888d1e76aedd53
Instruction ID: 78c2c58739ae7a30c9dd0b12427802e702fdcba48803ee8dadb0d65c6f98dc7f
Opcode Fuzzy Hash: ab8fdf04bd3f49a74370e7db545a6064729d7852413afa32bb888d1e76aedd53
Instruction Fuzzy Hash: 34F037709143589FEBA2DB64DC457E57BBCA701708F0000F5A5889A191D7745B8ACF55

Function 00952DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00952DC4

Part of subcall function 00956B57: _wcslen.LIBCMT ref: 00956B6A

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 8b6e40bac8337941b5dfcc50253648cbeb2dcb26fba2bbe4b5ae7940bd836c83
Instruction ID: b3a83e98dec6beceed391bf00142c2a094a741145140c57459d1daa0673c350b
Opcode Fuzzy Hash: 8b6e40bac8337941b5dfcc50253648cbeb2dcb26fba2bbe4b5ae7940bd836c83
Instruction Fuzzy Hash: 01E0CD726041245BCB10D2589C06FEA77DDDFC8790F040071FD09D7248DA70ED848650

Function 00952B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00953837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00953908

Part of subcall function 0095D730: GetInputState.USER32 ref: 0095D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00952B6B

Part of subcall function 009530F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 0095314E

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: d7a305d60a199e69f1406928f733ba499d149a12f5e38ce4196ff5958b6365c8
Instruction ID: 67f46154b1b685535f8b2dd3cf348ed24e76e7f41f69a08de27028b09f86c7b3
Opcode Fuzzy Hash: d7a305d60a199e69f1406928f733ba499d149a12f5e38ce4196ff5958b6365c8
Instruction Fuzzy Hash: 6AE07D6230434403C608FB77AC527BDB7599BE2393F40543EF946831A3CF20494E8311

Function 0099039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00990704,?,?,00000000,?,00990704,00000000,0000000C), ref: 009903B7

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: fb2236fb9665269b6859f7ab37be005b80865ca1902ee68ec32d4906f593f1e4
Instruction ID: ba1ef08790bd0060096af43c8d920847fd2925fe94b7b7e5554820ef46032c9f
Opcode Fuzzy Hash: fb2236fb9665269b6859f7ab37be005b80865ca1902ee68ec32d4906f593f1e4
Instruction Fuzzy Hash: E4D06C3205414DBBDF028F84DD46EDA3FAAFB48714F014000BE5856020C732E822AB91

Function 00951CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00951CBC

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 8791ef18c0397a8d8084ba7bf1cbd5f55fb7cf0da869af108643816b9eb4f9eb
Instruction ID: b62e207ba35bb17e96210265281595ad50202f7cd172cd28c2560516a3169b5a
Opcode Fuzzy Hash: 8791ef18c0397a8d8084ba7bf1cbd5f55fb7cf0da869af108643816b9eb4f9eb
Instruction Fuzzy Hash: 39C04C35284344AAE224C7C4AD4AF207755A358B04F048011F649595E387A11812A650

Non-executed Functions

Function 009E9576 Relevance: 72.4, APIs: 39, Strings: 2, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00969BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00969BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 009E961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 009E965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 009E969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 009E96C9
SendMessageW.USER32 ref: 009E96F2
GetKeyState.USER32(00000011), ref: 009E978B
GetKeyState.USER32(00000009), ref: 009E9798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 009E97AE
GetKeyState.USER32(00000010), ref: 009E97B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 009E97E9
SendMessageW.USER32 ref: 009E9810
SendMessageW.USER32(?,00001030,?,009E7E95), ref: 009E9918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 009E992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 009E9941
SetCapture.USER32(?), ref: 009E994A
ClientToScreen.USER32(?,?), ref: 009E99AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 009E99BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 009E99D6
ReleaseCapture.USER32 ref: 009E99E1
GetCursorPos.USER32(?), ref: 009E9A19
ScreenToClient.USER32(?,?), ref: 009E9A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 009E9A80
SendMessageW.USER32 ref: 009E9AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 009E9AEB
SendMessageW.USER32 ref: 009E9B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 009E9B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 009E9B4A
GetCursorPos.USER32(?), ref: 009E9B68
ScreenToClient.USER32(?,?), ref: 009E9B75
GetParent.USER32(?), ref: 009E9B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 009E9BFA
SendMessageW.USER32 ref: 009E9C2B
ClientToScreen.USER32(?,?), ref: 009E9C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 009E9CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 009E9CDE
SendMessageW.USER32 ref: 009E9D01
ClientToScreen.USER32(?,?), ref: 009E9D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 009E9D82

Part of subcall function 00969944: GetWindowLongW.USER32(?,000000EB), ref: 00969952

GetWindowLongW.USER32(?,000000F0), ref: 009E9E05

Strings

@GUI_DRAGID, xrefs: 009E997D
F, xrefs: 009E9D07

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F
API String ID: 3429851547-4164748364
Opcode ID: 6e45c378897108d8d14638bef7e2f08c98827207cfffa51234ef2b6d73c4595f
Instruction ID: 72b4a4d6525a9b64722fe22931647ae119c1b4cb4af72c37543107c7d09d142b
Opcode Fuzzy Hash: 6e45c378897108d8d14638bef7e2f08c98827207cfffa51234ef2b6d73c4595f
Instruction Fuzzy Hash: 7A429070108281AFD722CF6ACC84BAABBF9FF49714F14061AF999872A1D731DC55DB41

Function 009E4873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 009E48F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 009E4908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 009E4927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 009E494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 009E495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 009E497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 009E49AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 009E49D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 009E4A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 009E4A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 009E4A7E
IsMenu.USER32(?), ref: 009E4A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 009E4AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 009E4B20
GetWindowLongW.USER32(?,000000F0), ref: 009E4B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 009E4BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 009E4C82
wsprintfW.USER32 ref: 009E4CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 009E4CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 009E4CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 009E4D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 009E4D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 009E4D5A

Strings

%d/%02d/%02d, xrefs: 009E4CA8

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 4966de0ec7fe13ca92353d66f04a20641cfd0fe17eb9991b7896ab0bd47bc6cb
Instruction ID: 57f4984f47c6302e78b4b507b1ccf0131fa420dfe9db59eb7ec42ed5c1bc523b
Opcode Fuzzy Hash: 4966de0ec7fe13ca92353d66f04a20641cfd0fe17eb9991b7896ab0bd47bc6cb
Instruction Fuzzy Hash: 6E12F071900284ABEB268F26CC49FAE7BF8EF85B10F104529F915EB2E1DB749D41CB50

Function 0096F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 0096F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 009AF474
IsIconic.USER32(00000000), ref: 009AF47D
ShowWindow.USER32(00000000,00000009), ref: 009AF48A
SetForegroundWindow.USER32(00000000), ref: 009AF494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 009AF4AA
GetCurrentThreadId.KERNEL32 ref: 009AF4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 009AF4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 009AF4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 009AF4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 009AF4DE
SetForegroundWindow.USER32(00000000), ref: 009AF4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 009AF4F6
keybd_event.USER32(00000012,00000000), ref: 009AF501
MapVirtualKeyW.USER32(00000012,00000000), ref: 009AF50B
keybd_event.USER32(00000012,00000000), ref: 009AF510
MapVirtualKeyW.USER32(00000012,00000000), ref: 009AF519
keybd_event.USER32(00000012,00000000), ref: 009AF51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 009AF528
keybd_event.USER32(00000012,00000000), ref: 009AF52D
SetForegroundWindow.USER32(00000000), ref: 009AF530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 009AF557

Strings

Shell_TrayWnd, xrefs: 009AF46F

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 95e19789217cc71a65f4be379ba72dc68c411a4d35dc70a55754888f8eccaab3
Instruction ID: 0cc05e871f74d3dd1b15ef92ec2fcda21953c31757d74ba6b6a3612a0809833e
Opcode Fuzzy Hash: 95e19789217cc71a65f4be379ba72dc68c411a4d35dc70a55754888f8eccaab3
Instruction Fuzzy Hash: D131A6B1A54358BFEB206BF55C8AFBF7E6DEB45B50F100425FA00EA1D1C6B15D01BAA0

Function 009B1201 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 009B16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 009B170D
Part of subcall function 009B16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 009B173A
Part of subcall function 009B16C3: GetLastError.KERNEL32 ref: 009B174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 009B1286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 009B12A8
CloseHandle.KERNEL32(?), ref: 009B12B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 009B12D1
GetProcessWindowStation.USER32 ref: 009B12EA
SetProcessWindowStation.USER32(00000000), ref: 009B12F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 009B1310

Part of subcall function 009B10BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,009B11FC), ref: 009B10D4
Part of subcall function 009B10BF: CloseHandle.KERNEL32(?,?,009B11FC), ref: 009B10E9

Strings

, xrefs: 009B125A
winsta0, xrefs: 009B12CC
default, xrefs: 009B130B

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: 831e926d634f4d165dc112a835cee2594e6a8befdb193038e7f6ce230b1240d7
Instruction ID: 2e474adf83358a17ada1c8813b841d1bb91020f26dcd78e944306aacd96e5503
Opcode Fuzzy Hash: 831e926d634f4d165dc112a835cee2594e6a8befdb193038e7f6ce230b1240d7
Instruction Fuzzy Hash: 5481ACB1900249AFDF219FA4DE99FEE7BBEEF44710F144129F910A61A0CB318D45CB24

Function 009B0B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 009B10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 009B1114
Part of subcall function 009B10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,009B0B9B,?,?,?), ref: 009B1120
Part of subcall function 009B10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,009B0B9B,?,?,?), ref: 009B112F
Part of subcall function 009B10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,009B0B9B,?,?,?), ref: 009B1136
Part of subcall function 009B10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 009B114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 009B0BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 009B0C00
GetLengthSid.ADVAPI32(?), ref: 009B0C17
GetAce.ADVAPI32(?,00000000,?), ref: 009B0C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 009B0C6D
GetLengthSid.ADVAPI32(?), ref: 009B0C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 009B0C8C
HeapAlloc.KERNEL32(00000000), ref: 009B0C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 009B0CB4
CopySid.ADVAPI32(00000000), ref: 009B0CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 009B0CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 009B0D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 009B0D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 009B0D45
HeapFree.KERNEL32(00000000), ref: 009B0D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 009B0D55
HeapFree.KERNEL32(00000000), ref: 009B0D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 009B0D65
HeapFree.KERNEL32(00000000), ref: 009B0D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 009B0D78
HeapFree.KERNEL32(00000000), ref: 009B0D7F

Part of subcall function 009B1193: GetProcessHeap.KERNEL32(00000008,009B0BB1,?,00000000,?,009B0BB1,?), ref: 009B11A1
Part of subcall function 009B1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,009B0BB1,?), ref: 009B11A8
Part of subcall function 009B1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,009B0BB1,?), ref: 009B11B7

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 9e0111c89a7e134751b44924d322315abc0111f6a3596f5897eee86e5b26c242
Instruction ID: f02c9135fe8d42c278483c22118c26a37152b8a3e1634ab30beed5afeba5fbf6
Opcode Fuzzy Hash: 9e0111c89a7e134751b44924d322315abc0111f6a3596f5897eee86e5b26c242
Instruction Fuzzy Hash: 73716CB290420AABDF10DFA4DD85BEFBBBCBF84320F044515E955AB191D771AE06CB60

Function 009CEAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(009ECC08), ref: 009CEB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 009CEB37
GetClipboardData.USER32(0000000D), ref: 009CEB43
CloseClipboard.USER32 ref: 009CEB4F
GlobalLock.KERNEL32(00000000), ref: 009CEB87
CloseClipboard.USER32 ref: 009CEB91
GlobalUnlock.KERNEL32(00000000), ref: 009CEBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 009CEBC9
GetClipboardData.USER32(00000001), ref: 009CEBD1
GlobalLock.KERNEL32(00000000), ref: 009CEBE2
GlobalUnlock.KERNEL32(00000000), ref: 009CEC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 009CEC38
GetClipboardData.USER32(0000000F), ref: 009CEC44
GlobalLock.KERNEL32(00000000), ref: 009CEC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 009CEC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 009CEC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 009CECD2
GlobalUnlock.KERNEL32(00000000), ref: 009CECF3
CountClipboardFormats.USER32 ref: 009CED14
CloseClipboard.USER32 ref: 009CED59

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 23d481178783c60e488a74d305204402290cad8eed681be6cd0b5345a3b636eb
Instruction ID: a70bcf351060bbd48ea1c9deff6cfe8c31d2d55bb8451efd3b53d391e10d2560
Opcode Fuzzy Hash: 23d481178783c60e488a74d305204402290cad8eed681be6cd0b5345a3b636eb
Instruction Fuzzy Hash: A161BC746083429FD300EF25D885F3A7BA8AF84714F14451DF9978B2A2DB31DD0ADB62

Function 009C698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 009C69BE
FindClose.KERNEL32(00000000), ref: 009C6A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 009C6A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 009C6A75

Part of subcall function 00959CB3: _wcslen.LIBCMT ref: 00959CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 009C6AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 009C6ADF

Strings

%03d, xrefs: 009C6DA2
%02d, xrefs: 009C6C00, 009C6C0A, 009C6C5A, 009C6CAA, 009C6CFA, 009C6D4A
%4d%02d%02d%02d%02d%02d%03d, xrefs: 009C6B32
%4d%02d%02d%02d%02d%02d, xrefs: 009C6B6A
%4d, xrefs: 009C6BB1

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: 0fc1e971ea131097c736ed1a1c194aba861519b3520385f140287cb4a2a133cf
Instruction ID: c7b65033459ee4ecc8dfd225496478784be39d65a805c478d166b71bee41abb8
Opcode Fuzzy Hash: 0fc1e971ea131097c736ed1a1c194aba861519b3520385f140287cb4a2a133cf
Instruction Fuzzy Hash: B8D161B1908300AFC710EBA5D891FABB7ECAF88705F44491DF989C7191EB34DA48C762

Function 009C9642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 009C9663
GetFileAttributesW.KERNEL32(?), ref: 009C96A1
SetFileAttributesW.KERNEL32(?,?), ref: 009C96BB
FindNextFileW.KERNEL32(00000000,?), ref: 009C96D3
FindClose.KERNEL32(00000000), ref: 009C96DE
FindFirstFileW.KERNEL32(*.*,?), ref: 009C96FA
SetCurrentDirectoryW.KERNEL32(?), ref: 009C974A
SetCurrentDirectoryW.KERNEL32(00A16B7C), ref: 009C9768
FindNextFileW.KERNEL32(00000000,00000010), ref: 009C9772
FindClose.KERNEL32(00000000), ref: 009C977F
FindClose.KERNEL32(00000000), ref: 009C978F

Strings

*.*, xrefs: 009C96F5

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 147733c47061887bdf20600e17f322ed63412626f1a70cc0187968c875cafb1b
Instruction ID: 5f174c7dbad670490d4b972d117ed391b743d6ea27a62911b949bd6aa14eb9da
Opcode Fuzzy Hash: 147733c47061887bdf20600e17f322ed63412626f1a70cc0187968c875cafb1b
Instruction Fuzzy Hash: 5531E072945249AADF10AFB4DC4DFDE37ACAF49320F104459F964E21A0DB74DE818A25

Function 009C979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 009C97BE
FindNextFileW.KERNEL32(00000000,?), ref: 009C9819
FindClose.KERNEL32(00000000), ref: 009C9824
FindFirstFileW.KERNEL32(*.*,?), ref: 009C9840
SetCurrentDirectoryW.KERNEL32(?), ref: 009C9890
SetCurrentDirectoryW.KERNEL32(00A16B7C), ref: 009C98AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 009C98B8
FindClose.KERNEL32(00000000), ref: 009C98C5
FindClose.KERNEL32(00000000), ref: 009C98D5

Part of subcall function 009BDAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 009BDB00

Strings

*.*, xrefs: 009C983B

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 9aff9fffad979d6f4f4d61a79695cb4f4d9230fbbbda2a7ab1141a47b09c54be
Instruction ID: 147facd56bb74cfeaef5f8fb375bfb2e649c081b6a863f398750573a8bd1275e
Opcode Fuzzy Hash: 9aff9fffad979d6f4f4d61a79695cb4f4d9230fbbbda2a7ab1141a47b09c54be
Instruction Fuzzy Hash: B7310132944259BEDB10AFB4EC4CFDE37ACAF46320F108459E8A4E31D0DB71DE858A21

Function 009DBE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 009DC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,009DB6AE,?,?), ref: 009DC9B5
Part of subcall function 009DC998: _wcslen.LIBCMT ref: 009DC9F1
Part of subcall function 009DC998: _wcslen.LIBCMT ref: 009DCA68
Part of subcall function 009DC998: _wcslen.LIBCMT ref: 009DCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 009DBF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 009DBFA9
RegCloseKey.ADVAPI32(00000000), ref: 009DBFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 009DC02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 009DC0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 009DC154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 009DC1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 009DC23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 009DC2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 009DC382
RegCloseKey.ADVAPI32(00000000), ref: 009DC38F

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: db5dbf551e14715a0b37c30d8733482d57e3be94932069505e08b7c961ffb652
Instruction ID: d64cf4323a9f3dce6af5a76a57289d8ae81a78c3c2415358d08b584ef3f2c80d
Opcode Fuzzy Hash: db5dbf551e14715a0b37c30d8733482d57e3be94932069505e08b7c961ffb652
Instruction Fuzzy Hash: 1A024DB16042019FD714DF28C895E2ABBE5AF89314F18C49DF849DB3A2D731ED46CB51

Function 009C8195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 009C8257
SystemTimeToFileTime.KERNEL32(?,?), ref: 009C8267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 009C8273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 009C8310
SetCurrentDirectoryW.KERNEL32(?), ref: 009C8324
SetCurrentDirectoryW.KERNEL32(?), ref: 009C8356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 009C838C
SetCurrentDirectoryW.KERNEL32(?), ref: 009C8395

Strings

*.*, xrefs: 009C839B

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: a046f13abf6bf88277dda7f82f765acfd683cc4229699d818c3a88fac26bb050
Instruction ID: 1d7a28c5c6c8f1f2b383f1e0d7c37b6fbdb1ce95ce48e8c563c6085b91b451a4
Opcode Fuzzy Hash: a046f13abf6bf88277dda7f82f765acfd683cc4229699d818c3a88fac26bb050
Instruction Fuzzy Hash: F56139B25083459FCB10DF64C844AAFB3E8FF89311F04891EF99997251EB35E949CB92

Function 009BD076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00953AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00953A97,?,?,00952E7F,?,?,?,00000000), ref: 00953AC2

Part of subcall function 009BE199: GetFileAttributesW.KERNEL32(?,009BCF95), ref: 009BE19A

FindFirstFileW.KERNEL32(?,?), ref: 009BD122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 009BD1DD
MoveFileW.KERNEL32(?,?), ref: 009BD1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 009BD20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 009BD237

Part of subcall function 009BD29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,009BD21C,?,?), ref: 009BD2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 009BD253
FindClose.KERNEL32(00000000), ref: 009BD264

Strings

\*.*, xrefs: 009BD0CD, 009BD0D6, 009BD0EB

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: ccdee2343fd0b105f09566caf86001103ddfa6d57281a1d1b6d365ee31bb77ba
Instruction ID: d6f39ced702236a86c20df656747043e5444ab6cf18fdccc9ec92d1383032171
Opcode Fuzzy Hash: ccdee2343fd0b105f09566caf86001103ddfa6d57281a1d1b6d365ee31bb77ba
Instruction Fuzzy Hash: 9D619E7180614DAFCF05EBE1DA92AEDB7B9AF94311F204165E81177192EB30AF09DB60

Function 009CED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 009CED91
EmptyClipboard.USER32 ref: 009CED97
GlobalAlloc.KERNEL32(00000002,?), ref: 009CEDAC
CloseClipboard.USER32 ref: 009CEEA3

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 323dba27faf97af8917cc160a626c455f7d34283fc5a77d532940fec541a1b2c
Instruction ID: 3b75ab2ffe66f1a330cd5cab34138450734bbb8263909b6970158e0770b04549
Opcode Fuzzy Hash: 323dba27faf97af8917cc160a626c455f7d34283fc5a77d532940fec541a1b2c
Instruction Fuzzy Hash: 8441CC75A08251AFE320DF15D888F1ABBA5EF44358F04C09DE8668F6A2C735ED42CB91

Function 009BE8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 009B16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 009B170D
Part of subcall function 009B16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 009B173A
Part of subcall function 009B16C3: GetLastError.KERNEL32 ref: 009B174A

ExitWindowsEx.USER32(?,00000000), ref: 009BE932

Strings

SeShutdownPrivilege, xrefs: 009BE902
@, xrefs: 009BE925
, xrefs: 009BE95C
, xrefs: 009BE920

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 00eabdfcef31fcb1de554848ff617360f4e26a690dc7e46d870333e829c4c6ae
Instruction ID: 5d51dbde85fa92ace37b00efadeb656c1f52f0be9f1b5d2d5a6ac5da7e85cc2c
Opcode Fuzzy Hash: 00eabdfcef31fcb1de554848ff617360f4e26a690dc7e46d870333e829c4c6ae
Instruction Fuzzy Hash: 55012673624310AFEB1826B49E86BFB729CA7047A0F140822F813E21D1D5A45C489190

Function 009D1204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 009D1276
WSAGetLastError.WSOCK32 ref: 009D1283
bind.WSOCK32(00000000,?,00000010), ref: 009D12BA
WSAGetLastError.WSOCK32 ref: 009D12C5
closesocket.WSOCK32(00000000), ref: 009D12F4
listen.WSOCK32(00000000,00000005), ref: 009D1303
WSAGetLastError.WSOCK32 ref: 009D130D
closesocket.WSOCK32(00000000), ref: 009D133C

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 5b4dcd70a48c4edefed38cdc7030cf5f2c620ba1d5d7f54c37febe38528c203c
Instruction ID: 4255446aba42538867afd5dba26837085b2092c82c8d5ba1724151a163084530
Opcode Fuzzy Hash: 5b4dcd70a48c4edefed38cdc7030cf5f2c620ba1d5d7f54c37febe38528c203c
Instruction Fuzzy Hash: E241B171600240AFD714DF64C5C8B29BBE5AF86318F18C089E9668F392C771ED86CBE1

Function 0098B952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0098B9D4
_free.LIBCMT ref: 0098B9F8
_free.LIBCMT ref: 0098BB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,009F3700), ref: 0098BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,00A2121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0098BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00A21270,000000FF,?,0000003F,00000000,?), ref: 0098BC36
_free.LIBCMT ref: 0098BD4B

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: 0d157db58c9fce16d805d84c37d5cb9ecc6c5c1c318382e79d571b920e543ecf
Instruction ID: 774daa93403373498c607c41eb293fd3e73291d2f62366cf312afa457cc30f37
Opcode Fuzzy Hash: 0d157db58c9fce16d805d84c37d5cb9ecc6c5c1c318382e79d571b920e543ecf
Instruction Fuzzy Hash: 6FC1F472904205AFDB24FF69D851BAA7BECEF91310F1C41AAE494D7392E7309E42C750

Function 009BD3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00953AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00953A97,?,?,00952E7F,?,?,?,00000000), ref: 00953AC2

Part of subcall function 009BE199: GetFileAttributesW.KERNEL32(?,009BCF95), ref: 009BE19A

FindFirstFileW.KERNEL32(?,?), ref: 009BD420
DeleteFileW.KERNEL32(?,?,?,?), ref: 009BD470
FindNextFileW.KERNEL32(00000000,00000010), ref: 009BD481
FindClose.KERNEL32(00000000), ref: 009BD498
FindClose.KERNEL32(00000000), ref: 009BD4A1

Strings

\*.*, xrefs: 009BD3F2

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 3df858e5543ea6942c86e7ee2e966fd7758982922d29eb5b5153b3f88076e46f
Instruction ID: 8844b239f08c73649c8ca344f8d21123d5fbc399e04f64a5774b88cc8b496f06
Opcode Fuzzy Hash: 3df858e5543ea6942c86e7ee2e966fd7758982922d29eb5b5153b3f88076e46f
Instruction Fuzzy Hash: 60315C7101D3859FC200EF65D9929EFB7E8AE91351F444E2DF8D1931A1EB30AA0D9762

Function 0098E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0098E645

Strings

1#IND, xrefs: 0098F83D
1#QNAN, xrefs: 0098F84B
1#SNAN, xrefs: 0098F844
1#INF, xrefs: 0098F852

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: bea32cd20fb5865937895e9030f96fc09b65d1c8f68c387bfd426bef77678aa6
Instruction ID: cc7a2a8a13cfa456ee9f9695ded0cc1d61732fe537376a3e69a2532a81c980cb
Opcode Fuzzy Hash: bea32cd20fb5865937895e9030f96fc09b65d1c8f68c387bfd426bef77678aa6
Instruction Fuzzy Hash: 5BC23B72E086298FDB25DE28DD547EAB7B9EB84304F1445EAD44DE7340E778AE818F40

Function 009C648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 009C64DC
CoInitialize.OLE32(00000000), ref: 009C6639
CoCreateInstance.OLE32(009EFCF8,00000000,00000001,009EFB68,?), ref: 009C6650
CoUninitialize.OLE32 ref: 009C68D4

Strings

.lnk, xrefs: 009C64BA, 009C6524, 009C65E0

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: d48fd334a940737414fe033d6e44a050c5f855ed22d20f8bf67b99eb6e6783ee
Instruction ID: 912fc6fbb8c19138c7c333a490fe625e7bdffe7d3f398326ebcf08b6a1d4e132
Opcode Fuzzy Hash: d48fd334a940737414fe033d6e44a050c5f855ed22d20f8bf67b99eb6e6783ee
Instruction Fuzzy Hash: 95D14871508241AFD304EF25C881E6BB7E9FFD4705F50496DF9958B291EB30EA09CB92

Function 009D22DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 009D22E8

Part of subcall function 009CE4EC: GetWindowRect.USER32(?,?), ref: 009CE504

GetDesktopWindow.USER32 ref: 009D2312
GetWindowRect.USER32(00000000), ref: 009D2319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 009D2355
GetCursorPos.USER32(?), ref: 009D2381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 009D23DF

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 5684d4b2c732b0327db26a40749949ebe72868079138498aff42bb6ae0af8fbf
Instruction ID: 2bcf67fae23403ebd6dbae60d501b4332b8a27dacfd1d14b9aeb5b772ab78d96
Opcode Fuzzy Hash: 5684d4b2c732b0327db26a40749949ebe72868079138498aff42bb6ae0af8fbf
Instruction Fuzzy Hash: C631CD72548355ABCB20DF14C849B9BBBADFF84710F00491AF9959B291DB34EA09CB92

Function 009C9B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00959CB3: _wcslen.LIBCMT ref: 00959CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 009C9B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 009C9C8B

Part of subcall function 009C3874: GetInputState.USER32 ref: 009C38CB
Part of subcall function 009C3874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 009C3966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 009C9BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 009C9C75

Strings

*.*, xrefs: 009C9B5D

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 718beafe2bf5913692ac0d258c3d7873f9d89c4e4d375dee3b381bdc898d59bb
Instruction ID: b00425c404ec026174181606d4b95de003f96ff4ebd5a80c462705f04e7dde6d
Opcode Fuzzy Hash: 718beafe2bf5913692ac0d258c3d7873f9d89c4e4d375dee3b381bdc898d59bb
Instruction Fuzzy Hash: 0E419E71D4420AAFCF14DF64C889FEEBBB8EF55310F208059E849A2191EB309E84CF61

Function 0096997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00969BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00969BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00969A4E
GetSysColor.USER32(0000000F), ref: 00969B23
SetBkColor.GDI32(?,00000000), ref: 00969B36

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: b4336a2a6dc17a8d0df9bc48fa71005fc21b33414989a225f3b4b90dff86e812
Instruction ID: a7459af0b61b75748f7f263885ab4688b4468d23e0897b2a80179a354668e7e9
Opcode Fuzzy Hash: b4336a2a6dc17a8d0df9bc48fa71005fc21b33414989a225f3b4b90dff86e812
Instruction Fuzzy Hash: 89A12870208444BEE725EBBD8C9AF7B76DDDB83340F15051AF502CA691CA399D02D6B2

Function 009D1806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 009D304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 009D307A
Part of subcall function 009D304E: _wcslen.LIBCMT ref: 009D309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 009D185D
WSAGetLastError.WSOCK32 ref: 009D1884
bind.WSOCK32(00000000,?,00000010), ref: 009D18DB
WSAGetLastError.WSOCK32 ref: 009D18E6
closesocket.WSOCK32(00000000), ref: 009D1915

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: de5d105779896ddf39beb61c78fabe729062f7d74db4289bd8da6b64d1318a9e
Instruction ID: 9ef85ad87550ff03a45bffeb2e2979307f7f29571990e2ad59b72166c8ad2279
Opcode Fuzzy Hash: de5d105779896ddf39beb61c78fabe729062f7d74db4289bd8da6b64d1318a9e
Instruction Fuzzy Hash: 35519171A40200AFDB10EF24D886F2AB7E5AB84718F48C459FD559F393DB71AD42CBA1

Function 009E1C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 009E1CC0
IsWindowEnabled.USER32 ref: 009E1CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 009E1CDB
IsIconic.USER32 ref: 009E1CE9
IsZoomed.USER32 ref: 009E1CF7

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 0a5c9ec3bd5473b7bbca4ec79da740d4ac6099aebd3b2fe4f7000b34caf4c463
Instruction ID: 20e36692780ed953ae81b3949e9e18ca6acf144cf4a8d38662af22df2ea2f9eb
Opcode Fuzzy Hash: 0a5c9ec3bd5473b7bbca4ec79da740d4ac6099aebd3b2fe4f7000b34caf4c463
Instruction Fuzzy Hash: F721A6717442915FD7228F1BC884B6A7BE9FF85315B298468E885CB391C771EC42CB90

Function 00958060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 009583FA
VUUU, xrefs: 00995DF0
VUUU, xrefs: 0095843C
VUUU, xrefs: 009583E8
ERCP, xrefs: 0095813C

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 7b577ee7e8c8c42f95a9423097be49e3eab655f166d7a616d24f296b95e034e2
Instruction ID: b64c5c7ff57943835b9f5f0c26848ed01c23d0654c1accc01a42ee16d214ee9d
Opcode Fuzzy Hash: 7b577ee7e8c8c42f95a9423097be49e3eab655f166d7a616d24f296b95e034e2
Instruction Fuzzy Hash: C4A29B70E0021ACBDF24CF59C8807AEB7B5BF54311F2585AAEC55AB284EB349D85CF90

Function 009BAA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 009BAAAC
SetKeyboardState.USER32(00000080), ref: 009BAAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 009BAB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 009BAB88

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: b8f75af111fdd4b0112a5025d41ea727013f36dadf3c8b63f59ee68701ddd406
Instruction ID: 18ce59ea2e9164c9878e2197ed888c2360f9f92b56afaf9b959183bc4ad6fc1a
Opcode Fuzzy Hash: b8f75af111fdd4b0112a5025d41ea727013f36dadf3c8b63f59ee68701ddd406
Instruction Fuzzy Hash: EE314870A50268AEFF34CB64CD05BFA7BAAAB44330F04421BF1E1961D0D3788D85D762

Function 009CCE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 009CCE89
GetLastError.KERNEL32(?,00000000), ref: 009CCEEA
SetEvent.KERNEL32(?,?,00000000), ref: 009CCEFE

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: af38dda3765adca9659e6c304e8269b19184974852c76f37cfb291d977baba57
Instruction ID: 1a61049f0f38d2b5ad5a102883d7dbce31a091332b940122c8932bbc188f2465
Opcode Fuzzy Hash: af38dda3765adca9659e6c304e8269b19184974852c76f37cfb291d977baba57
Instruction Fuzzy Hash: A621EDB1900305ABDB20CF65C988FAA7BFCEB41344F10881EE64AD2151E734EE059B51

Function 009B8298 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 009B82AA

Strings

(, xrefs: 009B82F0
|, xrefs: 009B82DA

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: f437807ad0426c1f20ea837ac9978c7f6df0c7d51cdc25aa3bbe6fb231fd403e
Instruction ID: b4fe12e028cef473e45ad830e42fdcb6045b0d454c8c83e60c380b8b8e1c0528
Opcode Fuzzy Hash: f437807ad0426c1f20ea837ac9978c7f6df0c7d51cdc25aa3bbe6fb231fd403e
Instruction Fuzzy Hash: FC323675A00605DFCB28CF59C581AAAB7F4FF48720B15C56EE49ADB3A1EB70E941CB40

Function 009C5C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 009C5CC1
FindNextFileW.KERNEL32(00000000,?), ref: 009C5D17
FindClose.KERNEL32(?), ref: 009C5D5F

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 82a8793b136e6e02a9875ae1aff2afd7b0bb527962f2e4a97b97613adc9ab16e
Instruction ID: 1dcb9bd9588f5a2a9f9417410a895776bef3b1b70ca1bce95598bdd6a1059e2b
Opcode Fuzzy Hash: 82a8793b136e6e02a9875ae1aff2afd7b0bb527962f2e4a97b97613adc9ab16e
Instruction Fuzzy Hash: FE516674A047019FC714CF28C494E96B7E8BF49324F15855DE9AA8B3A2DB30FD45CB92

Function 00982622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0098271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00982724
UnhandledExceptionFilter.KERNEL32(?), ref: 00982731

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: cd0b63fc9e72da9e90848e087c7e7eb9b36f50ba213b66c0e9c4a7a9955cef5c
Instruction ID: 25d086ba2495837bc4217624b119882eaff1cca3a12f51e6edd9b51649f72a9d
Opcode Fuzzy Hash: cd0b63fc9e72da9e90848e087c7e7eb9b36f50ba213b66c0e9c4a7a9955cef5c
Instruction Fuzzy Hash: 8931B375911318ABCB21DF68DD897DDBBB8AF48710F5081EAE81CA7261E7309F818F45

Function 009C51CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 009C51DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 009C5238
SetErrorMode.KERNEL32(00000000), ref: 009C52A1

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: f45befbcab4b28c1e8fc0fb1688f083c826cdefa751b58108fb4bc060d172dc6
Instruction ID: b33ccaab0f1bc9b87ad38cba80baa12a62f77a4244c51b6d0f2fab182741b547
Opcode Fuzzy Hash: f45befbcab4b28c1e8fc0fb1688f083c826cdefa751b58108fb4bc060d172dc6
Instruction Fuzzy Hash: 6F313A75A00618DFDB00DF94D884FADBBB4FF48314F058099E845AB362DB35E85ACB91

Function 009B16C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 0096FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00970668
Part of subcall function 0096FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00970685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 009B170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 009B173A
GetLastError.KERNEL32 ref: 009B174A

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: a7a5b3462644169c798279d7b7a1a64ee92a46ed37b6aafc4448774052c78d37
Instruction ID: f586d772ab09de9f1a91237e95412dcf2dd2ac0de305a293fb5d8cb2ea802257
Opcode Fuzzy Hash: a7a5b3462644169c798279d7b7a1a64ee92a46ed37b6aafc4448774052c78d37
Instruction Fuzzy Hash: 3511E3B2414305AFD7189F54ECC6EABB7BDEB44724B20852EF05657281EB70FC428B60

Function 009BD5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 009BD608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 009BD645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 009BD650

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 368a8d4a790aa62a87c8104d606e422231223af7312ad3a211ce141c5973f6e8
Instruction ID: e13dad5c03c77bfee20124ec3e5c5244a8724db7fc4c39f6d731fcbdc693d170
Opcode Fuzzy Hash: 368a8d4a790aa62a87c8104d606e422231223af7312ad3a211ce141c5973f6e8
Instruction Fuzzy Hash: AF117CB1E05228BBDB108F949C84FEFBFBCEB45B60F108111F904E7290D2704A018BA1

Function 009B1663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 009B168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 009B16A1
FreeSid.ADVAPI32(?), ref: 009B16B1

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: b5fd90ec8014832ca60a1a2feeb019a73e7c4b6d215956aa3bcc4e919cba904f
Instruction ID: 504eedd41d76ac265328f044fbb9f42ec7b5b0375a8d5ad0d9096063d64b74a8
Opcode Fuzzy Hash: b5fd90ec8014832ca60a1a2feeb019a73e7c4b6d215956aa3bcc4e919cba904f
Instruction Fuzzy Hash: D0F0F4B1950309FBDF00DFE49D89AAEBBBCEB08605F504565E501E6181E774AA449A50

Function 0098C2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 0098C36C

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 582b2739edc717edfa7d6b5544ab74920b94b4ee0bc7ec82fb187183d7db435e
Instruction ID: 7a5cdf3048ae9c218c3c5417ff729f3838e958caff45bf559d041c65a8db0657
Opcode Fuzzy Hash: 582b2739edc717edfa7d6b5544ab74920b94b4ee0bc7ec82fb187183d7db435e
Instruction Fuzzy Hash: 384129B2500219AFCB20AFB9DC49EBB777CEB84354F504269F915D7280E670DD818B60

Function 009AD27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 009AD28C

Strings

X64, xrefs: 009AD2A8

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 3a00d7356f50d1d1396d8b1afc01ae264771d507cb40ca12043c7704dfaafa87
Instruction ID: 1d02a49d64785e41255f9f1c2f747e428b6a5ed6272d859e287802f86caf8718
Opcode Fuzzy Hash: 3a00d7356f50d1d1396d8b1afc01ae264771d507cb40ca12043c7704dfaafa87
Instruction Fuzzy Hash: ABD0C9B481611DEACF90DB90DCC8DD9B37CBB04305F100551F506A2000D73495499F50

Function 0097CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: 2a3e3a8fe29ae918bc43b47790ad41a20336ed06c68d3b64b909746b51d068a9
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: FA021DB2E001199FDF24CFA9C8806ADBBF5EF88314F25856DD919E7380D731AE418B94

Function 009C68EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 009C6918
FindClose.KERNEL32(00000000), ref: 009C6961

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 775c7bbc8c937ec9bb28e5bd727ac64881df45e3078d77ff17e50582fb7b6cc8
Instruction ID: a970dbd92eade25528ae9a902611754bf38ad05e96d5b934499d44fc5227c256
Opcode Fuzzy Hash: 775c7bbc8c937ec9bb28e5bd727ac64881df45e3078d77ff17e50582fb7b6cc8
Instruction Fuzzy Hash: 3B117C71A142009FC710DF6AD885B16BBE5EF89329F14C69DE8698F2A2C730EC05CB91

Function 009C37B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,009D4891,?,?,00000035,?), ref: 009C37E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,009D4891,?,?,00000035,?), ref: 009C37F4

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 436f616c40b75b95d0a63c168dc3b699dcce24e410bd49ef2f7decdba30eb49a
Instruction ID: 9d50ad0d401a1c446e3a35bab905d37c43605033b838564819cf215712f1141e
Opcode Fuzzy Hash: 436f616c40b75b95d0a63c168dc3b699dcce24e410bd49ef2f7decdba30eb49a
Instruction Fuzzy Hash: 15F0ECB16043196AE71057668C4DFEB365EEFC5761F004165F509D2281D9609D04C7B1

Function 009BB226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 009BB25D
keybd_event.USER32(?,75A8C0D0,?,00000000), ref: 009BB270

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 853c8c0a72a43675891e2e37e84af0422f723a402c2eb4bb9f11449d42384bd7
Instruction ID: 2cc06d150d43b86b70fad47049e6480da8c758cb9bfd49046083ce62c427909c
Opcode Fuzzy Hash: 853c8c0a72a43675891e2e37e84af0422f723a402c2eb4bb9f11449d42384bd7
Instruction Fuzzy Hash: 4DF01D7181428DABDB059FA1C805BEE7BB4FF04315F008409F965A9191C779D6119F94

Function 009B10BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,009B11FC), ref: 009B10D4
CloseHandle.KERNEL32(?,?,009B11FC), ref: 009B10E9

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 456004a2df53c88be8b0e85c6fdaf9683363a9cb446b259e94fd3195fce729c9
Instruction ID: 0f64de77e90fe30508aa698211aa2cf40b5c09e6ea1a0777ea58dbfeabcd84a6
Opcode Fuzzy Hash: 456004a2df53c88be8b0e85c6fdaf9683363a9cb446b259e94fd3195fce729c9
Instruction Fuzzy Hash: FAE04F72018600AEE7252B11FC05F737BADEB04320F10882EF4A5844B1DB626C90EB10

Function 0095CAF0 Relevance: 1.9, Strings: 1, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 009A0C40

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.
API String ID: 0-1840281001
Opcode ID: 1a3cb024bb8fa4ffab279a2c5d74d86efbbb7629f0456e32f3c2125ae1346412
Instruction ID: 39af28ff27029acbfe7254b68ffc5f70a9f69936bc8d2fecf98eb2236d76eacc
Opcode Fuzzy Hash: 1a3cb024bb8fa4ffab279a2c5d74d86efbbb7629f0456e32f3c2125ae1346412
Instruction Fuzzy Hash: 86327AB09003189FCF14DF95C885BEDB7B9BF85305F248459EC06AB292D775AE49CB60

Function 0098676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00986766,?,?,00000008,?,?,0098FEFE,00000000), ref: 00986998

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 48ab1851aef3568f68c8e37f52544a3c4b9c118adb458ab4f1a4bd2a1464ddac
Instruction ID: 2bb04ee265b5b26e717a8568b5ea0adfea49c234894c128cf265cd18c2cf94c5
Opcode Fuzzy Hash: 48ab1851aef3568f68c8e37f52544a3c4b9c118adb458ab4f1a4bd2a1464ddac
Instruction Fuzzy Hash: 41B13A31610609DFD719DF28C48AB657BE0FF45364F258658E89ACF3A2C736E991CB40

Function 0096B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 009A851F

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: fbf2f4147e9f6c8c403bc2f503e27289b8feb6b0264ec3d123aacd23618f5150
Instruction ID: db6bf6da0f881d202701081602e4a315e00172200923fc0d6d7d6a344eb52d4c
Opcode Fuzzy Hash: fbf2f4147e9f6c8c403bc2f503e27289b8feb6b0264ec3d123aacd23618f5150
Instruction Fuzzy Hash: 661230719002299FDB14CF58C8807EEB7F5FF49710F14819AE849EB255EB349E81CB90

Function 009CEAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 009CEABD

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: e464d515dec6cec28fb4ab23621ea49c1180122db7293349b5000e4a50ffc73a
Instruction ID: e09263689145c2bcb40e907678f98b9e2d9415550ef2c9db8d0ac68946af9176
Opcode Fuzzy Hash: e464d515dec6cec28fb4ab23621ea49c1180122db7293349b5000e4a50ffc73a
Instruction Fuzzy Hash: A2E01A752102049FC710EF6AD844E9AB7E9AF98760F00841AFC4ACB291DA70A8458B91

Function 009709D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,009703EE), ref: 009709DA

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 8cc5d2634f85f80753af343b0bbf1de7ae55a1e32236db00ed9e861c5fb04cdd
Instruction ID: 0c3688862f74e0f2b0020909b79d01f97799eae263cdb8fb561baad70f3dceb5
Opcode Fuzzy Hash: 8cc5d2634f85f80753af343b0bbf1de7ae55a1e32236db00ed9e861c5fb04cdd
Instruction Fuzzy Hash:

Function 0097781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 0097798B

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 8415728957ff13f459aa341b8aa1ddd1bbfaa42a1c1d029692f5be0c6ad55429
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 2251246360D705ABDB3885E8C89E7FEE39D9B82340F18C919D98ED7282C615DE01D397

Function 00986DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90aabb33b83efc9119c6d00f9504735d421c0f4739cabeb8f2de4c054113cbfb
Instruction ID: 8455fa4eec3ebc8349c972ba2fecc8002249810634199cf83d162fed61e64e52
Opcode Fuzzy Hash: 90aabb33b83efc9119c6d00f9504735d421c0f4739cabeb8f2de4c054113cbfb
Instruction Fuzzy Hash: 1C32E321D3DF014DD723A634D862335A649AFB73C5F25D737F82AB5AA5EB29C4839200

Function 0096CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e88e67fe02cc198a326b0d3ee156241c9aa08722007e52aa9eeed87819d1910
Instruction ID: 86676dca6fd5a1f798212d512d09aa7265f233c8cf835a66f241121a40f31cb9
Opcode Fuzzy Hash: 3e88e67fe02cc198a326b0d3ee156241c9aa08722007e52aa9eeed87819d1910
Instruction Fuzzy Hash: C83249F2A041058BDF24CF2CC4946BD77A9EF46314F298966E4DADF291D238DD81DB90

Function 00957920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70efdfb599e284800158ed1c47f41aaf454c7af1c4eb406e635d88a6950bd2fb
Instruction ID: 8d7367d8d3eae76a1633b6fb5e6b6abd14818db38eeb94343da798bd6837d789
Opcode Fuzzy Hash: 70efdfb599e284800158ed1c47f41aaf454c7af1c4eb406e635d88a6950bd2fb
Instruction Fuzzy Hash: E222C1B0A0460ADFDF14CFA9D881AAEF7B5FF44300F114529E816A7291EB3A9E55CB50

Function 009591C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab785ed40db95e6b5e0ab99186dc393da041d4ad2c98df65d111c2ad8738c6cf
Instruction ID: 6d94cae95cb9decb06d7f8c2f6dc73f3b3e04542bfe36c85ef44fba55b207705
Opcode Fuzzy Hash: ab785ed40db95e6b5e0ab99186dc393da041d4ad2c98df65d111c2ad8738c6cf
Instruction Fuzzy Hash: D202E7B1E00209EBDF04DF59D881BADBBB5FF44300F108569E8569B290EB35EE15CB91

Function 00989EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da925daf0f5bf2b7b61cccf4df4b65f42ecfcd74e9e6634eaa1af891030548fb
Instruction ID: aa45e08197413cc5e4ec7b8bd30c0b6904ac105790b81d57c8ccebe4ebef8753
Opcode Fuzzy Hash: da925daf0f5bf2b7b61cccf4df4b65f42ecfcd74e9e6634eaa1af891030548fb
Instruction Fuzzy Hash: E4B1F220D3AF414DD72396398831336B65CAFBB6D5F91D71BFC2674D22EB2686839240

Function 00971C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: d27ebe5f0793acf4693da80121f414e7c965682d5be1640e3c810269be559624
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 649187732080A34BDB2D463E857503EFFE55E923A131A879ED4FACA1C1FE24C954DA20

Function 00971F32 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: 7a29ca44380402d21491d9520e638023395e7ec391a068fda88f1cc9c10b1ed8
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: EC91867321D0A34EDB29433D857503EFFE59A923A131A879ED4FACB1C5EE24C554D620

Function 009719B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: dee935ad5c4851c8f1f8644f69a8a3242c1a4ee090688998ce9f86e41b8e7686
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 3891B5732090A34BDB2D427E847503DFFE95A923A131E879ED4FACA1C5FE24C658D620

Function 00977A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28fbb3aa8e4b9e637f4fb2ee4830aa6e2131af5e073dc7507728c6456bb43b96
Instruction ID: b050c125d3976f127da9406931bf504741f8505c9309949b3e87dfa907e3f8d7
Opcode Fuzzy Hash: 28fbb3aa8e4b9e637f4fb2ee4830aa6e2131af5e073dc7507728c6456bb43b96
Instruction Fuzzy Hash: C8618B3374870596EE3899E88C96BBFE39CEF81700F14CD19E88ECB281D5159E42C755

Function 00977CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f8f5897f4371a536d9b944fb2f78976b1166cd34510b4632ff00822420fe631
Instruction ID: f940026c417a1fa2382a75512983d4bb3d4ae7d5ad12402edd167c03a525cad7
Opcode Fuzzy Hash: 4f8f5897f4371a536d9b944fb2f78976b1166cd34510b4632ff00822420fe631
Instruction Fuzzy Hash: 41618933348709A6DE384AE84855BBFE39CEF82704F10CD5AE94ECB2D1EA169D42C355

Function 00971706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 1bede7bf79cdc4fa8d90df90e949faa7b203ca94e2ce64423b9e37ad7557d864
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 278184336080A30BDB6D463E853507EFFE55A923A171A879ED4FACB1C1FE24C558E620

Function 009C2046 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f93f1b04781bb4fcbd7705bbc9054b35801cd75836d2728ca22772f7004fcbc
Instruction ID: abcc80746b52f89e390b19bbd4b6b0956e87a9c24a26111c3c7d102f88e250d0
Opcode Fuzzy Hash: 4f93f1b04781bb4fcbd7705bbc9054b35801cd75836d2728ca22772f7004fcbc
Instruction Fuzzy Hash: 1621A5326206118BD728CF79C822B7A73E9A754710F15862EE4A7C77D1DE35A905CB80

Function 009D2ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 009D2B30
DeleteObject.GDI32(00000000), ref: 009D2B43
DestroyWindow.USER32 ref: 009D2B52
GetDesktopWindow.USER32 ref: 009D2B6D
GetWindowRect.USER32(00000000), ref: 009D2B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 009D2CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 009D2CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 009D2CF8
GetClientRect.USER32(00000000,?), ref: 009D2D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 009D2D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 009D2D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 009D2D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 009D2D80
GlobalLock.KERNEL32(00000000), ref: 009D2D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 009D2D98
GlobalUnlock.KERNEL32(00000000), ref: 009D2DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 009D2DA8
GlobalFree.KERNEL32(00000000), ref: 009D2DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 009D2DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,009EFC38,00000000), ref: 009D2DDB
GlobalFree.KERNEL32(00000000), ref: 009D2DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 009D2E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 009D2E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 009D2E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 009D303F

Strings

, xrefs: 009D2FC5
static, xrefs: 009D2D3A, 009D2E91
AutoIt v3, xrefs: 009D2CF2
DISPLAY, xrefs: 009D2EA2

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 363a7b2b50e8b3a8e6fc774d3cc2d3be66e99a25d2423bdb8de71b83982c0724
Instruction ID: cf0a16c15d10b53454daa66e4e4a0520f45511fb4c511e6758a9536888736c18
Opcode Fuzzy Hash: 363a7b2b50e8b3a8e6fc774d3cc2d3be66e99a25d2423bdb8de71b83982c0724
Instruction Fuzzy Hash: 75028CB1910205AFDB14DFA8CC89EAE7BB9FF48711F008559F915AB2A1D774ED02CB60

Function 009E70D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 009E712F
GetSysColorBrush.USER32(0000000F), ref: 009E7160
GetSysColor.USER32(0000000F), ref: 009E716C
SetBkColor.GDI32(?,000000FF), ref: 009E7186
SelectObject.GDI32(?,?), ref: 009E7195
InflateRect.USER32(?,000000FF,000000FF), ref: 009E71C0
GetSysColor.USER32(00000010), ref: 009E71C8
CreateSolidBrush.GDI32(00000000), ref: 009E71CF
FrameRect.USER32(?,?,00000000), ref: 009E71DE
DeleteObject.GDI32(00000000), ref: 009E71E5
InflateRect.USER32(?,000000FE,000000FE), ref: 009E7230
FillRect.USER32(?,?,?), ref: 009E7262
GetWindowLongW.USER32(?,000000F0), ref: 009E7284

Part of subcall function 009E73E8: GetSysColor.USER32(00000012), ref: 009E7421
Part of subcall function 009E73E8: SetTextColor.GDI32(?,?), ref: 009E7425
Part of subcall function 009E73E8: GetSysColorBrush.USER32(0000000F), ref: 009E743B
Part of subcall function 009E73E8: GetSysColor.USER32(0000000F), ref: 009E7446
Part of subcall function 009E73E8: GetSysColor.USER32(00000011), ref: 009E7463
Part of subcall function 009E73E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 009E7471
Part of subcall function 009E73E8: SelectObject.GDI32(?,00000000), ref: 009E7482
Part of subcall function 009E73E8: SetBkColor.GDI32(?,00000000), ref: 009E748B
Part of subcall function 009E73E8: SelectObject.GDI32(?,?), ref: 009E7498
Part of subcall function 009E73E8: InflateRect.USER32(?,000000FF,000000FF), ref: 009E74B7
Part of subcall function 009E73E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 009E74CE
Part of subcall function 009E73E8: GetWindowLongW.USER32(00000000,000000F0), ref: 009E74DB

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: c498f9956ac2660d384fe186dcce29d11108a8a8ca402c682e1f5648fc7515db
Instruction ID: 237c6f30d74d1e510338c280b383ffb3e768dbdedb674a60676a51e874bc343a
Opcode Fuzzy Hash: c498f9956ac2660d384fe186dcce29d11108a8a8ca402c682e1f5648fc7515db
Instruction Fuzzy Hash: 75A1B4B201C341BFD7019FA0DC88E5BBBA9FB49321F100A19FAA29A1E1D735DD45DB52

Function 00968D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00968E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 009A6AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 009A6AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 009A6F43

Part of subcall function 00968F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00968BE8,?,00000000,?,?,?,?,00968BBA,00000000,?), ref: 00968FC5

SendMessageW.USER32(?,00001053), ref: 009A6F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 009A6F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 009A6FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 009A6FB7

Strings

0, xrefs: 009A6DCF

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: f4c99525d28cd510e0ff7422a615d8d0d4de982bd85e7862c9bcfedafa0450bc
Instruction ID: 9209e3af3573b21de9a08a93531058d815e2828a3e8a41b79ea6f10f739fedac
Opcode Fuzzy Hash: f4c99525d28cd510e0ff7422a615d8d0d4de982bd85e7862c9bcfedafa0450bc
Instruction Fuzzy Hash: E312BF70204251DFDB25DF18C888BB6B7F9FB5A310F184569F5858B261CB32EC92DB91

Function 009D2711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 009D273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 009D286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 009D28A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 009D28B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 009D2900
GetClientRect.USER32(00000000,?), ref: 009D290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 009D2955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 009D2964
GetStockObject.GDI32(00000011), ref: 009D2974
SelectObject.GDI32(00000000,00000000), ref: 009D2978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 009D2988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 009D2991
DeleteDC.GDI32(00000000), ref: 009D299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 009D29C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 009D29DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 009D2A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 009D2A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 009D2A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 009D2A77
GetStockObject.GDI32(00000011), ref: 009D2A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 009D2A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 009D2A97

Strings

msctls_progress32, xrefs: 009D2A13
static, xrefs: 009D294F, 009D2A71
AutoIt v3, xrefs: 009D28F8
DISPLAY, xrefs: 009D295A

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: b09f0fc31254db7d6367056739d9ad6acaab6596f49b6d37cba23921009fdf2b
Instruction ID: 74141b7dc1b9965f06bf037cd8a2533c17e737b6bed088ee779a94f17065a239
Opcode Fuzzy Hash: b09f0fc31254db7d6367056739d9ad6acaab6596f49b6d37cba23921009fdf2b
Instruction Fuzzy Hash: C7B17EB1A40205AFEB24DFA8DC85FAE7BA9FB58711F008115F914EB290D770ED42CB90

Function 009C4ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 009C4AED
GetDriveTypeW.KERNEL32(?,009ECB68,?,\\.\,009ECC08), ref: 009C4BCA
SetErrorMode.KERNEL32(00000000,009ECB68,?,\\.\,009ECC08), ref: 009C4D36

Strings

SSD, xrefs: 009C4C4A
SSA, xrefs: 009C4CA6
SATA, xrefs: 009C4CD0
iSCSI, xrefs: 009C4CC2
RAID, xrefs: 009C4CBB
CDROM, xrefs: 009C4BFB
SCSI, xrefs: 009C4C8A
ATA, xrefs: 009C4C98
Network, xrefs: 009C4C02
Virtual, xrefs: 009C4CE5
1394, xrefs: 009C4C9F
Unknown, xrefs: 009C4BED, 009C4C83
ATAPI, xrefs: 009C4C91
\\.\, xrefs: 009C4B3F
PhysicalDrive, xrefs: 009C4B76
FileBackedVirtual, xrefs: 009C4CEC
USB, xrefs: 009C4CB4
SAS, xrefs: 009C4CC9
Removable, xrefs: 009C4C10, 009C4C15
Fixed, xrefs: 009C4C09
RAMDisk, xrefs: 009C4BF4
Fibre, xrefs: 009C4CAD
MMC, xrefs: 009C4CDE

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: a9ab68e5ab476f4aa3cd0c4ab4d5c44c8302a0dcc1ec3f2e294e9d9373487790
Instruction ID: 71dd3ec434edb98dcc57b088ae4fffee64216d60c4f9b0e885cb2975d16cf7d9
Opcode Fuzzy Hash: a9ab68e5ab476f4aa3cd0c4ab4d5c44c8302a0dcc1ec3f2e294e9d9373487790
Instruction Fuzzy Hash: 3761B130B45505ABDB04DF24DAA2FED77A4AB44300B24481DF886EB2A1DB39ED81DB42

Function 009E73E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 009E7421
SetTextColor.GDI32(?,?), ref: 009E7425
GetSysColorBrush.USER32(0000000F), ref: 009E743B
GetSysColor.USER32(0000000F), ref: 009E7446
CreateSolidBrush.GDI32(?), ref: 009E744B
GetSysColor.USER32(00000011), ref: 009E7463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 009E7471
SelectObject.GDI32(?,00000000), ref: 009E7482
SetBkColor.GDI32(?,00000000), ref: 009E748B
SelectObject.GDI32(?,?), ref: 009E7498
InflateRect.USER32(?,000000FF,000000FF), ref: 009E74B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 009E74CE
GetWindowLongW.USER32(00000000,000000F0), ref: 009E74DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 009E752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 009E7554
InflateRect.USER32(?,000000FD,000000FD), ref: 009E7572
DrawFocusRect.USER32(?,?), ref: 009E757D
GetSysColor.USER32(00000011), ref: 009E758E
SetTextColor.GDI32(?,00000000), ref: 009E7596
DrawTextW.USER32(?,009E70F5,000000FF,?,00000000), ref: 009E75A8
SelectObject.GDI32(?,?), ref: 009E75BF
DeleteObject.GDI32(?), ref: 009E75CA
SelectObject.GDI32(?,?), ref: 009E75D0
DeleteObject.GDI32(?), ref: 009E75D5
SetTextColor.GDI32(?,?), ref: 009E75DB
SetBkColor.GDI32(?,?), ref: 009E75E5

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 0c18d8f98e03a5074a86658358dc2c7ef1b85b1c519bf361df065b55a9d010ff
Instruction ID: 13029f3f2a2b66d7ff52084f81979634ee7e0e7316d8c7f34e34e102dafdf3cf
Opcode Fuzzy Hash: 0c18d8f98e03a5074a86658358dc2c7ef1b85b1c519bf361df065b55a9d010ff
Instruction Fuzzy Hash: D9618FB2908258AFDF019FA4DC88EEEBFB9EB08320F104115F911AB2A1D7749D41DF90

Function 009E0FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 009E1128
GetDesktopWindow.USER32 ref: 009E113D
GetWindowRect.USER32(00000000), ref: 009E1144
GetWindowLongW.USER32(?,000000F0), ref: 009E1199
DestroyWindow.USER32(?), ref: 009E11B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 009E11ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 009E120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 009E121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 009E1232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 009E1245
IsWindowVisible.USER32(00000000), ref: 009E12A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 009E12BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 009E12D0
GetWindowRect.USER32(00000000,?), ref: 009E12E8
MonitorFromPoint.USER32(?,?,00000002), ref: 009E130E
GetMonitorInfoW.USER32(00000000,?), ref: 009E1328
CopyRect.USER32(?,?), ref: 009E133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 009E13AA

Strings

tooltips_class32, xrefs: 009E11E6
0, xrefs: 009E10D3
(, xrefs: 009E131B

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 0883299ebe630b5209770505c2be0ab4cbb3c7682d7b378e8441367b03ecb00c
Instruction ID: 16b91cc4acb99825e15dd3265baa3ae73ec8660e2cd2036d471e87c92145d2ac
Opcode Fuzzy Hash: 0883299ebe630b5209770505c2be0ab4cbb3c7682d7b378e8441367b03ecb00c
Instruction Fuzzy Hash: 6EB17C71608381AFDB15DF66C884B6BBBE4FF88750F008918F9999B2A1D731EC45CB91

Function 009E0241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 009E02E5
_wcslen.LIBCMT ref: 009E031F
_wcslen.LIBCMT ref: 009E0389
_wcslen.LIBCMT ref: 009E03F1
_wcslen.LIBCMT ref: 009E0475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 009E04C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 009E0504

Part of subcall function 0096F9F2: _wcslen.LIBCMT ref: 0096F9FD

Part of subcall function 009B223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 009B2258
Part of subcall function 009B223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 009B228A

Strings

DESELECT, xrefs: 009E059C
SELECTINVERT, xrefs: 009E057E
VIEWCHANGE, xrefs: 009E0675
GETITEMCOUNT, xrefs: 009E0316, 009E0337
GETSELECTEDCOUNT, xrefs: 009E0470, 009E048B
SELECTALL, xrefs: 009E0515
SELECT, xrefs: 009E0548
SELECTCLEAR, xrefs: 009E052D
ISSELECTED, xrefs: 009E04DD
GETSUBITEMCOUNT, xrefs: 009E0384, 009E039F
GETTEXT, xrefs: 009E03EC, 009E0407
FINDITEM, xrefs: 009E0627
GETSELECTED, xrefs: 009E05E1

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: 2dd3f6a29716dea0d19f3666cdada165e154305be49413a14202fa012da6b283
Instruction ID: 8c72654d3dae756823e9a744b444d29a40af1e9b5999a9367d1792a1cac4d4a0
Opcode Fuzzy Hash: 2dd3f6a29716dea0d19f3666cdada165e154305be49413a14202fa012da6b283
Instruction Fuzzy Hash: 90E19F312082819FC715DF26C551A6EB3E6BFC8714F144A5CF8969B3A1EB70ED86CB81

Function 00968891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00968968
GetSystemMetrics.USER32(00000007), ref: 00968970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0096899B
GetSystemMetrics.USER32(00000008), ref: 009689A3
GetSystemMetrics.USER32(00000004), ref: 009689C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 009689E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 009689F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00968A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00968A3C
GetClientRect.USER32(00000000,000000FF), ref: 00968A5A
GetStockObject.GDI32(00000011), ref: 00968A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00968A81

Part of subcall function 0096912D: GetCursorPos.USER32(?), ref: 00969141
Part of subcall function 0096912D: ScreenToClient.USER32(00000000,?), ref: 0096915E
Part of subcall function 0096912D: GetAsyncKeyState.USER32(00000001), ref: 00969183
Part of subcall function 0096912D: GetAsyncKeyState.USER32(00000002), ref: 0096919D

SetTimer.USER32(00000000,00000000,00000028,009690FC), ref: 00968AA8

Strings

AutoIt v3 GUI, xrefs: 00968A20

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 42bb7e8bb46c0c02d2b903de02089187b7df5b8f9240847c811ff61b6e9c8a69
Instruction ID: c999d280c84e49393ad3a69b43ff358625cfb952fdfab5258bddbd3f691671c5
Opcode Fuzzy Hash: 42bb7e8bb46c0c02d2b903de02089187b7df5b8f9240847c811ff61b6e9c8a69
Instruction Fuzzy Hash: 63B17E71A04209AFDF14DFA8DC85BAE3BB5FB48314F144229FA55AB290DB34E842CF50

Function 009B0D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 009B10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 009B1114
Part of subcall function 009B10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,009B0B9B,?,?,?), ref: 009B1120
Part of subcall function 009B10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,009B0B9B,?,?,?), ref: 009B112F
Part of subcall function 009B10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,009B0B9B,?,?,?), ref: 009B1136
Part of subcall function 009B10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 009B114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 009B0DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 009B0E29
GetLengthSid.ADVAPI32(?), ref: 009B0E40
GetAce.ADVAPI32(?,00000000,?), ref: 009B0E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 009B0E96
GetLengthSid.ADVAPI32(?), ref: 009B0EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 009B0EB5
HeapAlloc.KERNEL32(00000000), ref: 009B0EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 009B0EDD
CopySid.ADVAPI32(00000000), ref: 009B0EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 009B0F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 009B0F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 009B0F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 009B0F6E
HeapFree.KERNEL32(00000000), ref: 009B0F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 009B0F7E
HeapFree.KERNEL32(00000000), ref: 009B0F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 009B0F8E
HeapFree.KERNEL32(00000000), ref: 009B0F95
GetProcessHeap.KERNEL32(00000000,?), ref: 009B0FA1
HeapFree.KERNEL32(00000000), ref: 009B0FA8

Part of subcall function 009B1193: GetProcessHeap.KERNEL32(00000008,009B0BB1,?,00000000,?,009B0BB1,?), ref: 009B11A1
Part of subcall function 009B1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,009B0BB1,?), ref: 009B11A8
Part of subcall function 009B1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,009B0BB1,?), ref: 009B11B7

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 3ff0cf65ed2b44c0a112d55c713b6595a674d607242e5537c0c7ba493ac2c942
Instruction ID: aff6879755e041f6f85ff92c6bc9be66160656b8753a4165eaa68ae0489449d8
Opcode Fuzzy Hash: 3ff0cf65ed2b44c0a112d55c713b6595a674d607242e5537c0c7ba493ac2c942
Instruction Fuzzy Hash: 45716CB2A0420AABDF209FA4DD48BEFBBBCBF45311F048155F959AA191D7319E05CB60

Function 009DC3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 009DC4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,009ECC08,00000000,?,00000000,?,?), ref: 009DC544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 009DC5A4
_wcslen.LIBCMT ref: 009DC5F4
_wcslen.LIBCMT ref: 009DC66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 009DC6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 009DC7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 009DC84D
RegCloseKey.ADVAPI32(?), ref: 009DC881
RegCloseKey.ADVAPI32(00000000), ref: 009DC88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 009DC960

Strings

REG_QWORD, xrefs: 009DC8C3
REG_EXPAND_SZ, xrefs: 009DC5CD
REG_SZ, xrefs: 009DC644
REG_DWORD, xrefs: 009DC804
REG_MULTI_SZ, xrefs: 009DC6F5
REG_BINARY, xrefs: 009DC913

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: b89e4c8d2b706d765e706afd18b3b06e02602c5d82f0c64521c397230547b2c8
Instruction ID: 63e6fc838bb3e93d613441f6cdb0056771f4ed42bca72b0ccab52eee89f76338
Opcode Fuzzy Hash: b89e4c8d2b706d765e706afd18b3b06e02602c5d82f0c64521c397230547b2c8
Instruction Fuzzy Hash: CD1267756082019FCB14DF15C891F2AB7E5EF88725F04885DF88A9B3A2DB31ED46CB81

Function 009E091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 009E09C6
_wcslen.LIBCMT ref: 009E0A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 009E0A54
_wcslen.LIBCMT ref: 009E0A8A
_wcslen.LIBCMT ref: 009E0B06
_wcslen.LIBCMT ref: 009E0B81

Part of subcall function 0096F9F2: _wcslen.LIBCMT ref: 0096F9FD

Part of subcall function 009B2BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 009B2BFA

Strings

GETTOTALCOUNT, xrefs: 009E09F2, 009E0A17
GETTEXT, xrefs: 009E0C97
UNCHECK, xrefs: 009E0D3E
GETSELECTED, xrefs: 009E0C4E
COLLAPSE, xrefs: 009E0B01, 009E0B1C
CHECK, xrefs: 009E0A85, 009E0AA0
EXPAND, xrefs: 009E0BF8
GETITEMCOUNT, xrefs: 009E0C1E
EXISTS, xrefs: 009E0B7C, 009E0B97
SELECT, xrefs: 009E0D11
ISCHECKED, xrefs: 009E0CE1

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: c215b63f5b676024bca536e8067fe0f4e484f3614eebb4cd57226d39a91c1b33
Instruction ID: 710281a93adbd41ddd280339e55c8ae3a4753acd02f207f700e9a934bfa3d46e
Opcode Fuzzy Hash: c215b63f5b676024bca536e8067fe0f4e484f3614eebb4cd57226d39a91c1b33
Instruction Fuzzy Hash: 97E18C312083819FCB15DF26C450A6AB7E5BFD8314F14895DF8969B3A2D770ED8ACB81

Function 009DC998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,009DB6AE,?,?), ref: 009DC9B5
_wcslen.LIBCMT ref: 009DC9F1
_wcslen.LIBCMT ref: 009DCA68
_wcslen.LIBCMT ref: 009DCA9E
_wcslen.LIBCMT ref: 009DCAF9
_wcslen.LIBCMT ref: 009DCB2F
_wcslen.LIBCMT ref: 009DCB7F

Strings

HKEY_LOCAL_MACHINE, xrefs: 009DCA62, 009DCA67
HKEY_CURRENT_CONFIG, xrefs: 009DCB79, 009DCB7E
HKEY_CURRENT_USER, xrefs: 009DCBBD
HKCU, xrefs: 009DCBCE
HKCC, xrefs: 009DCBAC
HKLM, xrefs: 009DCA98, 009DCA9D
HKU, xrefs: 009DCBF0
HKEY_USERS, xrefs: 009DCBDF
HKCR, xrefs: 009DCB29, 009DCB2E
HKEY_CLASSES_ROOT, xrefs: 009DCAF3, 009DCAF8

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 7b1a310783454cceabbd162492e10b0877bb52d2dca91a78e750f069d5275244
Instruction ID: 452bb24f9fcf85d8f535b94fa9c9af4f21a4fdc1c494866fa896cce5e1cad278
Opcode Fuzzy Hash: 7b1a310783454cceabbd162492e10b0877bb52d2dca91a78e750f069d5275244
Instruction Fuzzy Hash: 4A7107B369012B8BCB20DE7CCD516BE33A9ABA0794F158927FC559B384E634CD85C390

Function 009E833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 009E835A
_wcslen.LIBCMT ref: 009E836E
_wcslen.LIBCMT ref: 009E8391
_wcslen.LIBCMT ref: 009E83B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 009E83F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,009E5BF2), ref: 009E844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 009E8487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 009E84CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 009E8501
FreeLibrary.KERNEL32(?), ref: 009E850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 009E851D
DestroyIcon.USER32(?,?,?,?,?,009E5BF2), ref: 009E852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 009E8549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 009E8555

Strings

.dll, xrefs: 009E83AB
.icl, xrefs: 009E8368
.exe, xrefs: 009E8388

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: eade99f8bc756127ea5069b125551ac63f44ced0e36d22f6dc0195c6ca02aac6
Instruction ID: 2df8330fad290379b79a03a795f2aebfaa4c7eed49e8fe55efdb559f8142bad5
Opcode Fuzzy Hash: eade99f8bc756127ea5069b125551ac63f44ced0e36d22f6dc0195c6ca02aac6
Instruction Fuzzy Hash: 7F61DDB1504245BAEB15DFA5CC81BBF77ACBB48B11F104549F819DA0E1EF74AE80D7A0

Function 00957778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#ce, xrefs: 009578ED
#include, xrefs: 00957847
#comments-start, xrefs: 0095785F, 009578B1
#requireadmin, xrefs: 009577FF
#OnAutoItStartRegister, xrefs: 00957817
', xrefs: 00995169
Cannot parse #include, xrefs: 00995279
#comments-end, xrefs: 009578D9
Unterminated group of comments, xrefs: 0099528C
", xrefs: 00995153
#include-once, xrefs: 0095782F
#cs, xrefs: 00957873, 009578C5
Bad directive syntax error, xrefs: 0099519A
#notrayicon, xrefs: 009577E7
#pragma compile, xrefs: 009577D3

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: ea86ea5b80364adf80a172b287349b552c222fbb1744124f9702a782e51a76ba
Instruction ID: 7639fbaee686c5218b3a07f144b51f528458b5b037d0b320e0866b2d6b90ec52
Opcode Fuzzy Hash: ea86ea5b80364adf80a172b287349b552c222fbb1744124f9702a782e51a76ba
Instruction Fuzzy Hash: 48813871644205BBDF22EFA5EC52FAF77A8AF84301F144425FD08AA192EB70DB05C7A1

Function 009C3E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 009C3EF8
_wcslen.LIBCMT ref: 009C3F03
_wcslen.LIBCMT ref: 009C3F5A
_wcslen.LIBCMT ref: 009C3F98
GetDriveTypeW.KERNEL32(?), ref: 009C3FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 009C401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 009C4059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 009C4087

Strings

set cd door , xrefs: 009C4028
open , xrefs: 009C3FE5
wait, xrefs: 009C4044
type cdaudio alias cd wait, xrefs: 009C4001
close cd wait, xrefs: 009C4072
close, xrefs: 009C3EFE, 009C3F18
closed, xrefs: 009C3F08, 009C3F2D, 009C3F46, 009C3F7E, 009C3F97
open, xrefs: 009C3F54, 009C3F59

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: 8a21dddb658556b7c90849f3ee7db841fa8bf377c686d5d1a5b9cf23aad72ed7
Instruction ID: ab8968649e312b619c66f5893c91b283de076387edcfa2f542b5242d9347e9a8
Opcode Fuzzy Hash: 8a21dddb658556b7c90849f3ee7db841fa8bf377c686d5d1a5b9cf23aad72ed7
Instruction Fuzzy Hash: BF71C072A043019FD310EF25C891AAAB7F8EF94754F408D2DF99697251EB30DE49CB92

Function 009B5A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 009B5A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 009B5A40
SetWindowTextW.USER32(?,?), ref: 009B5A57
GetDlgItem.USER32(?,000003EA), ref: 009B5A6C
SetWindowTextW.USER32(00000000,?), ref: 009B5A72
GetDlgItem.USER32(?,000003E9), ref: 009B5A82
SetWindowTextW.USER32(00000000,?), ref: 009B5A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 009B5AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 009B5AC3
GetWindowRect.USER32(?,?), ref: 009B5ACC
_wcslen.LIBCMT ref: 009B5B33
SetWindowTextW.USER32(?,?), ref: 009B5B6F
GetDesktopWindow.USER32 ref: 009B5B75
GetWindowRect.USER32(00000000), ref: 009B5B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 009B5BD3
GetClientRect.USER32(?,?), ref: 009B5BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 009B5C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 009B5C2F

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: f55e72ffbfc74703e0789bf898618cc5ddecff4df07c3391c4ef3888b19f84f8
Instruction ID: b3005c29732dd52f1f664d678f378facbdcb528844b1c9850f6dcb0e6cc6a7f6
Opcode Fuzzy Hash: f55e72ffbfc74703e0789bf898618cc5ddecff4df07c3391c4ef3888b19f84f8
Instruction Fuzzy Hash: 93717D71900B09AFDB20DFA8CE85BAEBBF9FF48714F114918E582A65A0D775ED41CB10

Function 009CFE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 009CFE27
LoadCursorW.USER32(00000000,00007F8A), ref: 009CFE32
LoadCursorW.USER32(00000000,00007F00), ref: 009CFE3D
LoadCursorW.USER32(00000000,00007F03), ref: 009CFE48
LoadCursorW.USER32(00000000,00007F8B), ref: 009CFE53
LoadCursorW.USER32(00000000,00007F01), ref: 009CFE5E
LoadCursorW.USER32(00000000,00007F81), ref: 009CFE69
LoadCursorW.USER32(00000000,00007F88), ref: 009CFE74
LoadCursorW.USER32(00000000,00007F80), ref: 009CFE7F
LoadCursorW.USER32(00000000,00007F86), ref: 009CFE8A
LoadCursorW.USER32(00000000,00007F83), ref: 009CFE95
LoadCursorW.USER32(00000000,00007F85), ref: 009CFEA0
LoadCursorW.USER32(00000000,00007F82), ref: 009CFEAB
LoadCursorW.USER32(00000000,00007F84), ref: 009CFEB6
LoadCursorW.USER32(00000000,00007F04), ref: 009CFEC1
LoadCursorW.USER32(00000000,00007F02), ref: 009CFECC
GetCursorInfo.USER32(?), ref: 009CFEDC
GetLastError.KERNEL32 ref: 009CFF1E

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 4bdab874a027bc2bf49c2e1520bd31aa17414cb98b07088546cfeef1cff4388e
Instruction ID: ade280c84d06999da94addf674898015bcc0093520430e140ef64a2dba7baebb
Opcode Fuzzy Hash: 4bdab874a027bc2bf49c2e1520bd31aa17414cb98b07088546cfeef1cff4388e
Instruction Fuzzy Hash: 754172B0D083196ADB10DFBA8C89D5EBFE9FF04354B50452AE11DEB281DB78A901CF91

Function 009700C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 009700C6

Part of subcall function 009700ED: InitializeCriticalSectionAndSpinCount.KERNEL32(00A2070C,00000FA0,15A1D9CE,?,?,?,?,009923B3,000000FF), ref: 0097011C
Part of subcall function 009700ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,009923B3,000000FF), ref: 00970127
Part of subcall function 009700ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,009923B3,000000FF), ref: 00970138
Part of subcall function 009700ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0097014E
Part of subcall function 009700ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0097015C
Part of subcall function 009700ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0097016A
Part of subcall function 009700ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00970195
Part of subcall function 009700ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 009701A0

___scrt_fastfail.LIBCMT ref: 009700E7

Part of subcall function 009700A3: __onexit.LIBCMT ref: 009700A9

Strings

api-ms-win-core-synch-l1-2-0.dll, xrefs: 00970122
SleepConditionVariableCS, xrefs: 00970154
WakeAllConditionVariable, xrefs: 00970162
kernel32.dll, xrefs: 00970133
InitializeConditionVariable, xrefs: 00970148

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 19f3f82f25a79e75878e9f6a98597283c6948491cb4d5bca7727e4674ca4f44b
Instruction ID: 7c462ba25f2fb1341ed2931692c7db7c4e020e1c12c825523a88fb1cee9383c3
Opcode Fuzzy Hash: 19f3f82f25a79e75878e9f6a98597283c6948491cb4d5bca7727e4674ca4f44b
Instruction Fuzzy Hash: E4213B7364C750EFD7215BA8AC56F6A3798EBC4F64F00813AF805A76D2DB709C018A90

Function 009B30F7 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 009B318D
_wcslen.LIBCMT ref: 009B31F8

Strings

REGEXPCLASS, xrefs: 009B3255, 009B3266
INSTANCE, xrefs: 009B3453
CLASSNN, xrefs: 009B31F3, 009B3204
TEXT, xrefs: 009B347C
NAME, xrefs: 009B3335, 009B3346
CLASS, xrefs: 009B3188, 009B31A5

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: 1309930b6c4e3c80246f002da48bb7c545d8dc613fb6993a6329a2055a5c183d
Instruction ID: 6c2c34751254481a147b91b0fdf6aa66e19f283a7825be09f1957b1a386bddde
Opcode Fuzzy Hash: 1309930b6c4e3c80246f002da48bb7c545d8dc613fb6993a6329a2055a5c183d
Instruction Fuzzy Hash: 48E10832A04516EBCB24DF78C5517EEBBB9BF84720F54C519E45AF7240DB30AE898790

Function 009C44C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,009ECC08), ref: 009C4527
_wcslen.LIBCMT ref: 009C453B
_wcslen.LIBCMT ref: 009C4599
_wcslen.LIBCMT ref: 009C45F4
_wcslen.LIBCMT ref: 009C463F
_wcslen.LIBCMT ref: 009C46A7

Part of subcall function 0096F9F2: _wcslen.LIBCMT ref: 0096F9FD

GetDriveTypeW.KERNEL32(?,00A16BF0,00000061), ref: 009C4743

Strings

removable, xrefs: 009C45EA, 009C45EF
unknown, xrefs: 009C4708
ramdisk, xrefs: 009C46F1
cdrom, xrefs: 009C458F, 009C4594
fixed, xrefs: 009C4635, 009C463A
all, xrefs: 009C4531, 009C4536
network, xrefs: 009C469D, 009C46A2

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: ea5f49c11d6004608cbc648858e0d8ac303c85749554530870167b84e79f9922
Instruction ID: dc63a89a82abc69c8a9863f0999fcbe9d3a4753ce8c6f6a7d7ac4fbd9a241ab7
Opcode Fuzzy Hash: ea5f49c11d6004608cbc648858e0d8ac303c85749554530870167b84e79f9922
Instruction Fuzzy Hash: BDB1DE71A083029BC710DF28C9A0F6AB7E9AFE5764F50491DF596C7296D730D848CBA3

Function 009D3FE9 Relevance: 23.2, APIs: 11, Strings: 2, Instructions: 478libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,009ECC08), ref: 009D40BB
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 009D40CD
GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,009ECC08), ref: 009D40F2
FreeLibrary.KERNEL32(00000000,?,009ECC08), ref: 009D413E
StringFromGUID2.OLE32(?,?,00000028,?,009ECC08), ref: 009D41A8
SysFreeString.OLEAUT32(00000009), ref: 009D4262
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 009D42C8
SysFreeString.OLEAUT32(?), ref: 009D42F2

Strings

GetModuleHandleExW, xrefs: 009D40C7
kernel32.dll, xrefs: 009D40B6

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 354098117-199464113
Opcode ID: e6c63b03a24e65692c9c506ef0e88d9fc4185636e423db7d287aca5f94caf165
Instruction ID: 6e9f91d51c5226baf33200a1c5faf8618100916fb73c64d05b369ebaefb2abfa
Opcode Fuzzy Hash: e6c63b03a24e65692c9c506ef0e88d9fc4185636e423db7d287aca5f94caf165
Instruction Fuzzy Hash: 0A122975A00109EFDB14CF94C884EAEB7B9BF85314F24C099F945AB261D731ED86CBA0

Function 0095326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00A21990), ref: 00992F8D
GetMenuItemCount.USER32(00A21990), ref: 0099303D
GetCursorPos.USER32(?), ref: 00993081
SetForegroundWindow.USER32(00000000), ref: 0099308A
TrackPopupMenuEx.USER32(00A21990,00000000,?,00000000,00000000,00000000), ref: 0099309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 009930A9

Strings

0, xrefs: 0095327D

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 8fc3b8a443589769a01fc58a27846a4877c5744ac0852a5479ab667722fc12b4
Instruction ID: fb121b27b722a7c1fe1876d0f35e22ea1e0fd2f64e05b95592074fe42aafc914
Opcode Fuzzy Hash: 8fc3b8a443589769a01fc58a27846a4877c5744ac0852a5479ab667722fc12b4
Instruction Fuzzy Hash: F6710770644205BEEF21CF69CC89FAABF68FF45364F204216F9256A1E0C7B1AD14DB90

Function 009E6CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 009E6DEB

Part of subcall function 00956B57: _wcslen.LIBCMT ref: 00956B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 009E6E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 009E6E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 009E6E94
DestroyWindow.USER32(?), ref: 009E6EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00950000,00000000), ref: 009E6EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 009E6EFD
GetDesktopWindow.USER32 ref: 009E6F16
GetWindowRect.USER32(00000000), ref: 009E6F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 009E6F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 009E6F4D

Part of subcall function 00969944: GetWindowLongW.USER32(?,000000EB), ref: 00969952

Strings

tooltips_class32, xrefs: 009E6E58, 009E6EDD
0, xrefs: 009E6D98

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 09790e4f818f9de5e40466b514577bf4660bdde4f5d4d085195300305cc3f96e
Instruction ID: 154488f543ad2a1b2a82cd5cfae058e48d492cb1d21c898f95ee5822a3e8ae77
Opcode Fuzzy Hash: 09790e4f818f9de5e40466b514577bf4660bdde4f5d4d085195300305cc3f96e
Instruction Fuzzy Hash: DE7168B0104285AFDB22CF19D884BBABBE9FB99744F04081DF999872A1C770ED46DB11

Function 009E911E Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00969BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00969BB2

DragQueryPoint.SHELL32(?,?), ref: 009E9147

Part of subcall function 009E7674: ClientToScreen.USER32(?,?), ref: 009E769A
Part of subcall function 009E7674: GetWindowRect.USER32(?,?), ref: 009E7710
Part of subcall function 009E7674: PtInRect.USER32(?,?,009E8B89), ref: 009E7720

SendMessageW.USER32(?,000000B0,?,?), ref: 009E91B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 009E91BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 009E91DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 009E9225
SendMessageW.USER32(?,000000B0,?,?), ref: 009E923E
SendMessageW.USER32(?,000000B1,?,?), ref: 009E9255
SendMessageW.USER32(?,000000B1,?,?), ref: 009E9277
DragFinish.SHELL32(?), ref: 009E927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 009E9371

Strings

@GUI_DRAGID, xrefs: 009E92E9
@GUI_DROPID, xrefs: 009E929E
@GUI_DRAGFILE, xrefs: 009E9320

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 221274066-3440237614
Opcode ID: ef9cdbe806441d9317427ee89d7d75309774a144a6665692c1f422030eea718e
Instruction ID: d6d0b0ca413415deb220c677dd169f8aa82f9811a4bd22f501636fea56292665
Opcode Fuzzy Hash: ef9cdbe806441d9317427ee89d7d75309774a144a6665692c1f422030eea718e
Instruction Fuzzy Hash: D1618B71108341AFD701DF65DC85EAFBBE8EFC9750F00092EF995962A1DB309A4ACB52

Function 009CC476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 009CC4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 009CC4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 009CC4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 009CC4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 009CC533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 009CC549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 009CC554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 009CC584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 009CC5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 009CC5F0
InternetCloseHandle.WININET(00000000), ref: 009CC5FB

Strings

, xrefs: 009CC575

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 568731b8c05923d91d1bd5f81b54b3b4c1572892b034cc5fe1dd88f7dcb7c73a
Instruction ID: b2dcae4306e7131d567f5ce4be970710a16aaa3149adad4143720f2897f8e927
Opcode Fuzzy Hash: 568731b8c05923d91d1bd5f81b54b3b4c1572892b034cc5fe1dd88f7dcb7c73a
Instruction Fuzzy Hash: F4514BF1904245BFEB218F64C988FAA7FBCEB08744F00841DF99996250DB35ED45AB62

Function 009E856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 009E8592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 009E85A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 009E85AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 009E85BA
GlobalLock.KERNEL32(00000000), ref: 009E85C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 009E85D7
GlobalUnlock.KERNEL32(00000000), ref: 009E85E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 009E85E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 009E85F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,009EFC38,?), ref: 009E8611
GlobalFree.KERNEL32(00000000), ref: 009E8621
GetObjectW.GDI32(?,00000018,?), ref: 009E8641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 009E8671
DeleteObject.GDI32(?), ref: 009E8699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 009E86AF

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: b7028634b470e419334104c494d84d82f74c23aadb03b51e391f2ce30016c006
Instruction ID: e44273a1c1c8e5e4f23b7a1ffeec68148814711263cdfe183cc596ea4aa71fb1
Opcode Fuzzy Hash: b7028634b470e419334104c494d84d82f74c23aadb03b51e391f2ce30016c006
Instruction Fuzzy Hash: 1E410BB5614244AFDB119FA5CC88EAB7BBCEB89B15F104058F959EB260DB309D02DB60

Function 009C14BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 009C1502
VariantCopy.OLEAUT32(?,?), ref: 009C150B
VariantClear.OLEAUT32(?), ref: 009C1517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 009C15FB
VarR8FromDec.OLEAUT32(?,?), ref: 009C1657
VariantInit.OLEAUT32(?), ref: 009C1708
SysFreeString.OLEAUT32(?), ref: 009C178C
VariantClear.OLEAUT32(?), ref: 009C17D8
VariantClear.OLEAUT32(?), ref: 009C17E7
VariantInit.OLEAUT32(00000000), ref: 009C1823

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 009C1625
Default, xrefs: 009C16AF

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 5ced6a49ded0c642cc2873b2c4c16ae1d72b3fba8bd3672c241f29032aec7c05
Instruction ID: 6ff3a542dcca134e365c9120762add4a98c7c8659cecdccdfe38c6a001cc09fb
Opcode Fuzzy Hash: 5ced6a49ded0c642cc2873b2c4c16ae1d72b3fba8bd3672c241f29032aec7c05
Instruction Fuzzy Hash: 8BD11E71A00200EBDB00DF65E894F79B7B5BF8A700F50849AF846AB192DB34EC45DB66

Function 009DB60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00959CB3: _wcslen.LIBCMT ref: 00959CBD

Part of subcall function 009DC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,009DB6AE,?,?), ref: 009DC9B5
Part of subcall function 009DC998: _wcslen.LIBCMT ref: 009DC9F1
Part of subcall function 009DC998: _wcslen.LIBCMT ref: 009DCA68
Part of subcall function 009DC998: _wcslen.LIBCMT ref: 009DCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 009DB6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 009DB772
RegDeleteValueW.ADVAPI32(?,?), ref: 009DB80A
RegCloseKey.ADVAPI32(?), ref: 009DB87E
RegCloseKey.ADVAPI32(?), ref: 009DB89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 009DB8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 009DB904
RegDeleteKeyW.ADVAPI32(?,?), ref: 009DB922
FreeLibrary.KERNEL32(00000000), ref: 009DB983
RegCloseKey.ADVAPI32(00000000), ref: 009DB994

Strings

RegDeleteKeyExW, xrefs: 009DB8FE
advapi32.dll, xrefs: 009DB8ED

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: de012b9e1e6310a142d1d82afc43b2c6744424f3e788b5c5fbb77cc961cf839c
Instruction ID: 17e6c9040edebedf6ecf5e4152cb46dbef82d3b4a617298652d365cd794b7be3
Opcode Fuzzy Hash: de012b9e1e6310a142d1d82afc43b2c6744424f3e788b5c5fbb77cc961cf839c
Instruction Fuzzy Hash: 5BC17974208241EFD710DF25C494F2ABBE5AF84318F15C95DE89A8B3A2CB35ED46CB91

Function 009D255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 009D25D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 009D25E8
CreateCompatibleDC.GDI32(?), ref: 009D25F4
SelectObject.GDI32(00000000,?), ref: 009D2601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 009D266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 009D26AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 009D26D0
SelectObject.GDI32(?,?), ref: 009D26D8
DeleteObject.GDI32(?), ref: 009D26E1
DeleteDC.GDI32(?), ref: 009D26E8
ReleaseDC.USER32(00000000,?), ref: 009D26F3

Strings

(, xrefs: 009D268D

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 050dd4f044894e85282e958e3c1577cd1cd45391cdc9c851dd7ab2e6d7001ceb
Instruction ID: 205d2056404760184b8475d4fc17042502bedb0662f96b4fc2ce2da529bc178b
Opcode Fuzzy Hash: 050dd4f044894e85282e958e3c1577cd1cd45391cdc9c851dd7ab2e6d7001ceb
Instruction Fuzzy Hash: 0B61E1B5D04219EFCF15CFA8D884AAEBBB5FF48310F20852AE955A7350D770AD419F60

Function 0098DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0098DAA1

Part of subcall function 0098D63C: _free.LIBCMT ref: 0098D659
Part of subcall function 0098D63C: _free.LIBCMT ref: 0098D66B
Part of subcall function 0098D63C: _free.LIBCMT ref: 0098D67D
Part of subcall function 0098D63C: _free.LIBCMT ref: 0098D68F
Part of subcall function 0098D63C: _free.LIBCMT ref: 0098D6A1
Part of subcall function 0098D63C: _free.LIBCMT ref: 0098D6B3
Part of subcall function 0098D63C: _free.LIBCMT ref: 0098D6C5
Part of subcall function 0098D63C: _free.LIBCMT ref: 0098D6D7
Part of subcall function 0098D63C: _free.LIBCMT ref: 0098D6E9
Part of subcall function 0098D63C: _free.LIBCMT ref: 0098D6FB
Part of subcall function 0098D63C: _free.LIBCMT ref: 0098D70D
Part of subcall function 0098D63C: _free.LIBCMT ref: 0098D71F
Part of subcall function 0098D63C: _free.LIBCMT ref: 0098D731

_free.LIBCMT ref: 0098DA96

Part of subcall function 009829C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0098D7D1,00000000,00000000,00000000,00000000,?,0098D7F8,00000000,00000007,00000000,?,0098DBF5,00000000), ref: 009829DE
Part of subcall function 009829C8: GetLastError.KERNEL32(00000000,?,0098D7D1,00000000,00000000,00000000,00000000,?,0098D7F8,00000000,00000007,00000000,?,0098DBF5,00000000,00000000), ref: 009829F0

_free.LIBCMT ref: 0098DAB8
_free.LIBCMT ref: 0098DACD
_free.LIBCMT ref: 0098DAD8
_free.LIBCMT ref: 0098DAFA
_free.LIBCMT ref: 0098DB0D
_free.LIBCMT ref: 0098DB1B
_free.LIBCMT ref: 0098DB26
_free.LIBCMT ref: 0098DB5E
_free.LIBCMT ref: 0098DB65
_free.LIBCMT ref: 0098DB82
_free.LIBCMT ref: 0098DB9A

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 55df7a2a93b356bfb12be21056b3894361fafb0bbf7a2f3eff0e20fec061d886
Instruction ID: 46494809a82e50a5c4c6c81c6b631d2e6d7aa685886a74b325194b4ecc6bfb49
Opcode Fuzzy Hash: 55df7a2a93b356bfb12be21056b3894361fafb0bbf7a2f3eff0e20fec061d886
Instruction Fuzzy Hash: FA3136326452059FEB26BB39E945B5AB7EDFF40320F264429E449D7391DF36ED808B20

Function 009B365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 009B369C
_wcslen.LIBCMT ref: 009B36A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 009B3797
GetClassNameW.USER32(?,?,00000400), ref: 009B380C
GetDlgCtrlID.USER32(?), ref: 009B385D
GetWindowRect.USER32(?,?), ref: 009B3882
GetParent.USER32(?), ref: 009B38A0
ScreenToClient.USER32(00000000), ref: 009B38A7
GetClassNameW.USER32(?,?,00000100), ref: 009B3921
GetWindowTextW.USER32(?,?,00000400), ref: 009B395D

Strings

%s%u, xrefs: 009B3734

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: dde9e14a25ccae5513bb06166cd1150bc7d3dbe659f634c1021726cd149aa19a
Instruction ID: 6ad36c49f65f7733b4bcd3ee2849f3138ef6ac932370ca90875ab82671574454
Opcode Fuzzy Hash: dde9e14a25ccae5513bb06166cd1150bc7d3dbe659f634c1021726cd149aa19a
Instruction Fuzzy Hash: 7191BF71204606EFD719DF24C985BEAB7ACFF44760F00C629F999D6190EB30EA46CB91

Function 009B4954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 009B4994
GetWindowTextW.USER32(?,?,00000400), ref: 009B49DA
_wcslen.LIBCMT ref: 009B49EB
CharUpperBuffW.USER32(?,00000000), ref: 009B49F7
_wcsstr.LIBVCRUNTIME ref: 009B4A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 009B4A64
GetWindowTextW.USER32(?,?,00000400), ref: 009B4A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 009B4AE6
GetClassNameW.USER32(?,?,00000400), ref: 009B4B20
GetWindowRect.USER32(?,?), ref: 009B4B8B

Strings

ThumbnailClass, xrefs: 009B4A6F, 009B4AF1

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: c53feb133727f32932f65f8e2dde5a67c56c9daf7cf28e080612f4bc0ee73978
Instruction ID: 1b46c4f153e76f5e575663dd9c19c9d81cdf4e464b8f20c5222a1f4355bbc3c8
Opcode Fuzzy Hash: c53feb133727f32932f65f8e2dde5a67c56c9daf7cf28e080612f4bc0ee73978
Instruction Fuzzy Hash: 8F91AE720082059BDB04DF14CA81BEA77ACFF84724F048469FE859A196DB30ED45DBA1

Function 009E8D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00969BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00969BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 009E8D5A
GetFocus.USER32 ref: 009E8D6A
GetDlgCtrlID.USER32(00000000), ref: 009E8D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 009E8E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 009E8ECF
GetMenuItemCount.USER32(?), ref: 009E8EEC
GetMenuItemID.USER32(?,00000000), ref: 009E8EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 009E8F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 009E8F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 009E8FA1

Strings

0, xrefs: 009E8E9F

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: e4ceaeeb55234c9672a1dd1dda2f4319aaed6cfb717b101e87980111332c5592
Instruction ID: a9f703c05f07470054840743f7d8965f6ce202f805030ff9e3cd8156ccdc2b6b
Opcode Fuzzy Hash: e4ceaeeb55234c9672a1dd1dda2f4319aaed6cfb717b101e87980111332c5592
Instruction Fuzzy Hash: 8181C071508381AFDB12DF66C884AAB7BE9FF88714F04091DF99897291DB30DD01DBA2

Function 009BBF30 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00A21990,000000FF,00000000,00000030), ref: 009BBFAC
SetMenuItemInfoW.USER32(00A21990,00000004,00000000,00000030), ref: 009BBFE1
Sleep.KERNEL32(000001F4), ref: 009BBFF3
GetMenuItemCount.USER32(?), ref: 009BC039
GetMenuItemID.USER32(?,00000000), ref: 009BC056
GetMenuItemID.USER32(?,-00000001), ref: 009BC082
GetMenuItemID.USER32(?,?), ref: 009BC0C9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 009BC10F
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 009BC124
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 009BC145

Strings

0, xrefs: 009BBF3D

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep
String ID: 0
API String ID: 1460738036-4108050209
Opcode ID: 5bc1ec0f839de31d59e7ae96ae4fac62ede5a42aeec2106071c06119c66aff6d
Instruction ID: b29e76c28a3ecf61e0dbbfcd7e2774441415716b9fe6b7cfc2e3fbe150590ae8
Opcode Fuzzy Hash: 5bc1ec0f839de31d59e7ae96ae4fac62ede5a42aeec2106071c06119c66aff6d
Instruction Fuzzy Hash: D161A0F091424AAFDF11DF68CE88AFE7BB8EB45364F004015F851A7291C775AD05DB60

Function 009BDC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 009BDC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 009BDC46
_wcslen.LIBCMT ref: 009BDC50
_wcsstr.LIBVCRUNTIME ref: 009BDCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 009BDCBC

Strings

04090000, xrefs: 009BDCF2
%u.%u.%u.%u, xrefs: 009BDD9A
StringFileInfo\, xrefs: 009BDC8F
DefaultLangCodepage, xrefs: 009BDD1F
\VarFileInfo\Translation, xrefs: 009BDCB4

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: 3b153b52f5e67beaec08f569e04704eb824d59f27d86e69e5e16a88863a6079c
Instruction ID: 73496dee0a3f715f00bf33557bc5f29603fd49f4c61a2bd6dc6e037d3eeba26d
Opcode Fuzzy Hash: 3b153b52f5e67beaec08f569e04704eb824d59f27d86e69e5e16a88863a6079c
Instruction Fuzzy Hash: A7412273A412007AEB01AB649C43FFF3BACEFC1720F14446AF944E6182FB759D0296A4

Function 009DCC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 009DCC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 009DCC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 009DCD48

Part of subcall function 009DCC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 009DCCAA
Part of subcall function 009DCC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 009DCCBD
Part of subcall function 009DCC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 009DCCCF
Part of subcall function 009DCC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 009DCD05
Part of subcall function 009DCC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 009DCD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 009DCCF3

Strings

RegDeleteKeyExW, xrefs: 009DCCC9
advapi32.dll, xrefs: 009DCCB8

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 7cf92af53f40c1f5739451b887b3dcfd3fdec5ab065bf0adad6286977d6d25db
Instruction ID: bbf09895b1c3d89d5ac85801be6b3af232e5629d99e2bc5c233f340fc1da95bc
Opcode Fuzzy Hash: 7cf92af53f40c1f5739451b887b3dcfd3fdec5ab065bf0adad6286977d6d25db
Instruction Fuzzy Hash: BA3180B1955129BBDB208BA0DC88EFFBB7CEF45740F004566F945E7240D7349E46EAA0

Function 009C3D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 009C3D40
_wcslen.LIBCMT ref: 009C3D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 009C3D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 009C3DBE
RemoveDirectoryW.KERNEL32(?), ref: 009C3DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 009C3E55
CloseHandle.KERNEL32(00000000), ref: 009C3E60
CloseHandle.KERNEL32(00000000), ref: 009C3E6B

Strings

\??\%s, xrefs: 009C3D5B
\, xrefs: 009C3D77
:, xrefs: 009C3D82

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: 0b909c73fdceec20540084ff81f8dea72749e38985fed830a3fb64be565754c2
Instruction ID: 119e49196cd73be7f881c7d5dc3f3e6fe38f5201761f82cdda4db09edc92efcb
Opcode Fuzzy Hash: 0b909c73fdceec20540084ff81f8dea72749e38985fed830a3fb64be565754c2
Instruction Fuzzy Hash: 8C31B6B2914249ABDB20DBA0DC89FEF37BCEF88700F1081B9F619D6190E77497458B25

Function 009BE6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 009BE6B4

Part of subcall function 0096E551: timeGetTime.WINMM(?,?,009BE6D4), ref: 0096E555

Sleep.KERNEL32(0000000A), ref: 009BE6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 009BE705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 009BE727
SetActiveWindow.USER32 ref: 009BE746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 009BE754
SendMessageW.USER32(00000010,00000000,00000000), ref: 009BE773
Sleep.KERNEL32(000000FA), ref: 009BE77E
IsWindow.USER32 ref: 009BE78A
EndDialog.USER32(00000000), ref: 009BE79B

Strings

BUTTON, xrefs: 009BE719

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: c31d7c21d200581744421b4612cbf5dd45652c0b5343b071914c4d7895ce77bf
Instruction ID: e7d7b5d89359de258b91869cf4b233f76aaf47d7ad39017b892985b6884187a8
Opcode Fuzzy Hash: c31d7c21d200581744421b4612cbf5dd45652c0b5343b071914c4d7895ce77bf
Instruction Fuzzy Hash: 5021A4B1214245BFEB20DFA4EEC9BB63B6DFB54758B101434F841952A1DF71AC039B14

Function 009BE9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00959CB3: _wcslen.LIBCMT ref: 00959CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 009BEA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 009BEA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 009BEA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 009BEA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 009BEAA7

Strings

play PlayMe, xrefs: 009BEAA2
play PlayMe wait, xrefs: 009BEA91
open , xrefs: 009BEA0C
close PlayMe, xrefs: 009BEA6E, 009BEA9B
status PlayMe mode, xrefs: 009BEA58
alias PlayMe, xrefs: 009BEA36

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: ee9dfa7ba0a7b78f8cd2b3e513a1c2252a9c235accea7a71ae92f19cf46b16ae
Instruction ID: 3076dbbee648d580d2b750f947304f59e5fccada280ac02e5451f5266d55aad8
Opcode Fuzzy Hash: ee9dfa7ba0a7b78f8cd2b3e513a1c2252a9c235accea7a71ae92f19cf46b16ae
Instruction Fuzzy Hash: 80112131A5125D7AD720E7A6DD4AEFF6A7CFBD1B50F4008297811E20D1EE705989C6B0

Function 009B9F91 Relevance: 18.2, APIs: 12, Instructions: 188keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 009BA012
SetKeyboardState.USER32(?), ref: 009BA07D
GetAsyncKeyState.USER32(000000A0), ref: 009BA09D
GetKeyState.USER32(000000A0), ref: 009BA0B4
GetAsyncKeyState.USER32(000000A1), ref: 009BA0E3
GetKeyState.USER32(000000A1), ref: 009BA0F4
GetAsyncKeyState.USER32(00000011), ref: 009BA120
GetKeyState.USER32(00000011), ref: 009BA12E
GetAsyncKeyState.USER32(00000012), ref: 009BA157
GetKeyState.USER32(00000012), ref: 009BA165
GetAsyncKeyState.USER32(0000005B), ref: 009BA18E
GetKeyState.USER32(0000005B), ref: 009BA19C

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 5a4e7f017bc3cce6f8f20895d32ac84914991c5e1bf954b4b9bcec53126ef1c0
Instruction ID: 00dd209277ba7c8a77d2bbdbe223685d2925290e58bea8beae6f80deac68dac6
Opcode Fuzzy Hash: 5a4e7f017bc3cce6f8f20895d32ac84914991c5e1bf954b4b9bcec53126ef1c0
Instruction Fuzzy Hash: 8951EB3090878829FB35EB748A557FABFF89F123A0F084599D5C25B1C2DA54AE4CC762

Function 009B5CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 009B5CE2
GetWindowRect.USER32(00000000,?), ref: 009B5CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 009B5D59
GetDlgItem.USER32(?,00000002), ref: 009B5D69
GetWindowRect.USER32(00000000,?), ref: 009B5D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 009B5DCF
GetDlgItem.USER32(?,000003E9), ref: 009B5DDD
GetWindowRect.USER32(00000000,?), ref: 009B5DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 009B5E31
GetDlgItem.USER32(?,000003EA), ref: 009B5E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 009B5E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 009B5E67

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: da628df0aa2687552f5e9fc7bf137d02e36011eaaf6af5faa4b267daf4c3d442
Instruction ID: d82b332825363e6dc14d9ab1b178dbea27b152c93325b4bd4212d547186ffe80
Opcode Fuzzy Hash: da628df0aa2687552f5e9fc7bf137d02e36011eaaf6af5faa4b267daf4c3d442
Instruction Fuzzy Hash: 24512EB0A10605AFDF18CF68CD89BAEBBB9FB48710F158229F915E6290D7709E01CB50

Function 00968BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00968F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00968BE8,?,00000000,?,?,?,?,00968BBA,00000000,?), ref: 00968FC5

DestroyWindow.USER32(?), ref: 00968C81
KillTimer.USER32(00000000,?,?,?,?,00968BBA,00000000,?), ref: 00968D1B
DestroyAcceleratorTable.USER32(00000000), ref: 009A6973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00968BBA,00000000,?), ref: 009A69A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00968BBA,00000000,?), ref: 009A69B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00968BBA,00000000), ref: 009A69D4
DeleteObject.GDI32(00000000), ref: 009A69E6

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: ed1b22c1c84559e6c5cf4dc91f0a9e2cb09b9d33c16c2e7eef0c3f5bb1708c53
Instruction ID: 6d2886fd67849b16931dfabb52ac601d7872f071ecd51b77eb9c4e7586fe7484
Opcode Fuzzy Hash: ed1b22c1c84559e6c5cf4dc91f0a9e2cb09b9d33c16c2e7eef0c3f5bb1708c53
Instruction Fuzzy Hash: E0618C71502700DFCB35DF28DA98B2677F5FB95312F144A28E0829A5A0CB39ADD2DF91

Function 00969838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00969944: GetWindowLongW.USER32(?,000000EB), ref: 00969952

GetSysColor.USER32(0000000F), ref: 00969862

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 72e1b8831a1a59bd06e0b864e0869d6f46a499452503d14eacc077a3ead4305d
Instruction ID: 70d2c3145295e52a2a9c2c11b81b52720e5bfab5e4b902b7a57a507cd94e08bd
Opcode Fuzzy Hash: 72e1b8831a1a59bd06e0b864e0869d6f46a499452503d14eacc077a3ead4305d
Instruction Fuzzy Hash: E041A171508644AFDB209F789C89BBA3BADFB47370F144619F9A28B1E1D7319C42EB50

Function 009B96E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0099F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 009B9717
LoadStringW.USER32(00000000,?,0099F7F8,00000001), ref: 009B9720

Part of subcall function 00959CB3: _wcslen.LIBCMT ref: 00959CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0099F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 009B9742
LoadStringW.USER32(00000000,?,0099F7F8,00000001), ref: 009B9745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 009B9866

Strings

Line %d (File "%s"):, xrefs: 009B978F
Line %d:, xrefs: 009B97A0
^ ERROR, xrefs: 009B97FB
%s (%d) : ==> %s: %s %s, xrefs: 009B984A
Error: , xrefs: 009B981D

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 3cd51d43e58a4bd653868b1330655ef9b9f48c48a2cee96b335e262cc905a45c
Instruction ID: eec89d7f676ce539b65ad1b1274ad5b5f24c1a7d4afaee596ce67a4d4bbeac17
Opcode Fuzzy Hash: 3cd51d43e58a4bd653868b1330655ef9b9f48c48a2cee96b335e262cc905a45c
Instruction Fuzzy Hash: D3416D72800219AADF04EBE1DE86FEE7378AF94341F504465FA05B2092EB356F49CB61

Function 009B06DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00956B57: _wcslen.LIBCMT ref: 00956B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 009B07A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 009B07BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 009B07DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 009B0804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 009B082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 009B0837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 009B083C

Strings

SOFTWARE\Classes\, xrefs: 009B070E
\IPC$, xrefs: 009B0784
\CLSID, xrefs: 009B0724

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 86a388efcdc5341db28bf83ecd439fa9b49768995b83c92633406c62bd91d644
Instruction ID: 80352a75c40eec10f869100cb7dbd45c71631cfd0522389d493997e01e723da9
Opcode Fuzzy Hash: 86a388efcdc5341db28bf83ecd439fa9b49768995b83c92633406c62bd91d644
Instruction Fuzzy Hash: CE410672C1022DEBDF15EBA4DC959EEB778FF84351B444529E901A7161EB309E48CBA0

Function 009E3F98 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 009E403B
CreateCompatibleDC.GDI32(00000000), ref: 009E4042
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 009E4055
SelectObject.GDI32(00000000,00000000), ref: 009E405D
GetPixel.GDI32(00000000,00000000,00000000), ref: 009E4068
DeleteDC.GDI32(00000000), ref: 009E4072
GetWindowLongW.USER32(?,000000EC), ref: 009E407C
SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 009E4092
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 009E409E

Strings

static, xrefs: 009E3FD3

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 4bd9ad9744b95df75f711f8493ca4841bf96ac9efedc2861972e4b693be86d70
Instruction ID: ac4706e4eac66d022b83a27a160d3c1873aceeaa82fd9b96fcf46b57159a614a
Opcode Fuzzy Hash: 4bd9ad9744b95df75f711f8493ca4841bf96ac9efedc2861972e4b693be86d70
Instruction Fuzzy Hash: AD317A72514295BBDF229FA5CC49FEA3B69FF0D725F000220FA68A61A0C775DC11EB50

Function 009D3C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 009D3C5C
CoInitialize.OLE32(00000000), ref: 009D3C8A
CoUninitialize.OLE32 ref: 009D3C94
_wcslen.LIBCMT ref: 009D3D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 009D3DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 009D3ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 009D3F0E
CoGetObject.OLE32(?,00000000,009EFB98,?), ref: 009D3F2D
SetErrorMode.KERNEL32(00000000), ref: 009D3F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 009D3FC4
VariantClear.OLEAUT32(?), ref: 009D3FD8

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 3161a81d879f39099ac0d7e0f2bac1944506d6e5694cf9c8bc6dce2d43ca59d0
Instruction ID: dcf6548ed667ba5d1147ebc4d248b55f425afa58af07c216a771230163e0d308
Opcode Fuzzy Hash: 3161a81d879f39099ac0d7e0f2bac1944506d6e5694cf9c8bc6dce2d43ca59d0
Instruction Fuzzy Hash: E9C114B16083059FD700DF68C88492BB7E9FF89745F14891EF98A9B251D731EE06CB62

Function 009C7A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 009C7AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 009C7B8F
SHGetDesktopFolder.SHELL32(?), ref: 009C7BA3
CoCreateInstance.OLE32(009EFD08,00000000,00000001,00A16E6C,?), ref: 009C7BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 009C7C74
CoTaskMemFree.OLE32(?,?), ref: 009C7CCC
SHBrowseForFolderW.SHELL32(?), ref: 009C7D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 009C7D7A
CoTaskMemFree.OLE32(00000000), ref: 009C7D81
CoTaskMemFree.OLE32(00000000), ref: 009C7DD6
CoUninitialize.OLE32 ref: 009C7DDC

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 18d45f8d466414ff9227c5eff37fea33b2b6906a61a241feddabbb0b1095c8ed
Instruction ID: e7055a5ecc5d387a1eff0615fb354cf52a8fea76516bb99e13b004c773b8ad6e
Opcode Fuzzy Hash: 18d45f8d466414ff9227c5eff37fea33b2b6906a61a241feddabbb0b1095c8ed
Instruction Fuzzy Hash: 6FC10A75A04109AFDB14DFA4C884EAEBBB9FF48304B148499E85A9B261D730EE45CF91

Function 009E541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 009E5504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 009E5515
CharNextW.USER32(00000158), ref: 009E5544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 009E5585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 009E559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 009E55AC

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: da8a29cddcacd18707f6a8bb75604eb824775b1ce847e5472d49f2520d9ccdbf
Instruction ID: 64be8aa66051b20bafa1c4ff4882875f5df7fffa00e98102b14e55756ddad282
Opcode Fuzzy Hash: da8a29cddcacd18707f6a8bb75604eb824775b1ce847e5472d49f2520d9ccdbf
Instruction Fuzzy Hash: 3B61E170904689EFDF12CF96CC84AFE3B79EB09728F114005F925AB2A1D7348E81DB60

Function 009AFA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 009AFAAF
SafeArrayAllocData.OLEAUT32(?), ref: 009AFB08
VariantInit.OLEAUT32(?), ref: 009AFB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 009AFB3A
VariantCopy.OLEAUT32(?,?), ref: 009AFB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 009AFBA1
VariantClear.OLEAUT32(?), ref: 009AFBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 009AFBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 009AFBCC
VariantClear.OLEAUT32(?), ref: 009AFBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 009AFBE9

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: a56b582851937497fbcc927c63d82471e60a7b748f57f4775e7476ee922ab559
Instruction ID: 5bdd74bd05f8f468f655ec66273a638099962e02838a9bd211e3816f114e219e
Opcode Fuzzy Hash: a56b582851937497fbcc927c63d82471e60a7b748f57f4775e7476ee922ab559
Instruction Fuzzy Hash: C2414275A04219AFCB00DFA4D8A4DADBBB9FF49344F008065F955AB261D730ED46CBA0

Function 009B9C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 009B9CA1
GetAsyncKeyState.USER32(000000A0), ref: 009B9D22
GetKeyState.USER32(000000A0), ref: 009B9D3D
GetAsyncKeyState.USER32(000000A1), ref: 009B9D57
GetKeyState.USER32(000000A1), ref: 009B9D6C
GetAsyncKeyState.USER32(00000011), ref: 009B9D84
GetKeyState.USER32(00000011), ref: 009B9D96
GetAsyncKeyState.USER32(00000012), ref: 009B9DAE
GetKeyState.USER32(00000012), ref: 009B9DC0
GetAsyncKeyState.USER32(0000005B), ref: 009B9DD8
GetKeyState.USER32(0000005B), ref: 009B9DEA

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: ed56272fc14f300a4e1d4c61fc608b1934ef4397ceb0f47458303c82c2d94005
Instruction ID: d465e2de76a05bb90310cb8576fe78c4f8f781f93e3a06353c38948aaa7d7a36
Opcode Fuzzy Hash: ed56272fc14f300a4e1d4c61fc608b1934ef4397ceb0f47458303c82c2d94005
Instruction Fuzzy Hash: 96411D305287C96DFF30876186443F5BEE86F51324F44805AE7C65A2C2DBA4ADC8C791

Function 009D055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 009D05BC
inet_addr.WSOCK32(?), ref: 009D061C
gethostbyname.WSOCK32(?), ref: 009D0628
IcmpCreateFile.IPHLPAPI ref: 009D0636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 009D06C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 009D06E5
IcmpCloseHandle.IPHLPAPI(?), ref: 009D07B9
WSACleanup.WSOCK32 ref: 009D07BF

Strings

Ping, xrefs: 009D0676

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 0b9251b564b9fc61235ce2f0ca53dc3f80684209e670f65dd5d0ed057728fcbe
Instruction ID: 31cefd3351f91da1320320d0f75df291bc590a594beccc4afb627c4535a852bd
Opcode Fuzzy Hash: 0b9251b564b9fc61235ce2f0ca53dc3f80684209e670f65dd5d0ed057728fcbe
Instruction Fuzzy Hash: C4917C756482419FD320CF15D889B1ABBE4AF84318F14C5AAF8A98F7A2C730ED45CF91

Function 009D8CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 009D8CF3

Part of subcall function 009B8E54: _wcslen.LIBCMT ref: 009B8E77

_wcslen.LIBCMT ref: 009D8D4E
_wcslen.LIBCMT ref: 009D8D9C
_wcslen.LIBCMT ref: 009D8DDC
_wcslen.LIBCMT ref: 009D8E6E

Strings

stdcall, xrefs: 009D8DD6, 009D8DDB
cdecl, xrefs: 009D8D48, 009D8D4D
winapi, xrefs: 009D8D96, 009D8D9B
none, xrefs: 009D8E65, 009D8E6A

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 5ee006f4e4bdc839d6e132ed96472eea97f4da425d02245d4fc61c287b2ed41e
Instruction ID: 511fead7c20a2d319eacc5fd9380a7bc0ad3a8a8af90f6a3472844d8e7cd84f0
Opcode Fuzzy Hash: 5ee006f4e4bdc839d6e132ed96472eea97f4da425d02245d4fc61c287b2ed41e
Instruction Fuzzy Hash: 7551B831A401169BCF14EF68C9405BF77BABF64750720861AE926E73C6DB34DD40CBA0

Function 009D372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 009D3774
CoUninitialize.OLE32 ref: 009D377F
CoCreateInstance.OLE32(?,00000000,00000017,009EFB78,?), ref: 009D37D9
IIDFromString.OLE32(?,?), ref: 009D384C
VariantInit.OLEAUT32(?), ref: 009D38E4
VariantClear.OLEAUT32(?), ref: 009D3936

Strings

NULL Pointer assignment, xrefs: 009D381E
Failed to create object, xrefs: 009D37E4, 009D389A
Invalid parameter, xrefs: 009D3865

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 34118a57f074ec5aaa05c59f07e5fbe937e1125d888d25769474aa648f4cfe9c
Instruction ID: 30f90b376d1e875ad6eaa150c2871000e16e79d711eff9ab1b5d5a60c3e227d2
Opcode Fuzzy Hash: 34118a57f074ec5aaa05c59f07e5fbe937e1125d888d25769474aa648f4cfe9c
Instruction Fuzzy Hash: FC61AFB0648701AFD310DF54C888F5AB7E8AF88712F00880AF9859B391D770EE49DB93

Function 009C3388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 009C33CF

Part of subcall function 00959CB3: _wcslen.LIBCMT ref: 00959CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 009C33F0

Strings

"%s" (%d) : ==> %s:%s%s, xrefs: 009C3504
Line %d (File "%s"):, xrefs: 009C3443, 009C345C
^ ERROR , xrefs: 009C349E
"%s" (%d) : ==> %s:, xrefs: 009C3522
Error: , xrefs: 009C34D1
Incorrect parameters to object property !, xrefs: 009C34AB

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 449e0bdb5c2f1a19374f469a066a59b2c377992217d9d166fb80aa42a364c1fd
Instruction ID: e6a0a8b48234574de293bb05d50c1bbc76ccf27f40a63598df19fe0ec9deb998
Opcode Fuzzy Hash: 449e0bdb5c2f1a19374f469a066a59b2c377992217d9d166fb80aa42a364c1fd
Instruction Fuzzy Hash: C8518C72D00209BADF15EBA1CD42FEEB379AF54341F508465B90972062EB312F59DB61

Function 009BB5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 009BB5FC
_wcslen.LIBCMT ref: 009BB608
_wcslen.LIBCMT ref: 009BB64D
_wcslen.LIBCMT ref: 009BB68C
_wcslen.LIBCMT ref: 009BB6C7

Strings

KEYS, xrefs: 009BB647, 009BB64C
APPEND, xrefs: 009BB6C1, 009BB6C6
REMOVE, xrefs: 009BB602, 009BB607
EXISTS, xrefs: 009BB686, 009BB68B

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: 94e2a11fdc4ca1915811470a698481f5b3bef1bf19de5a83bffcb2bd2dd25bee
Instruction ID: b69c18ec6f89461e81d1496c4469caed31ee3a5a321511f0adfb3d90a2647eb1
Opcode Fuzzy Hash: 94e2a11fdc4ca1915811470a698481f5b3bef1bf19de5a83bffcb2bd2dd25bee
Instruction Fuzzy Hash: 6E41D632A00026DBCB209F7DCE905FE77A9AFA0BB4B244529E565DB2C4E775CD81C790

Function 009C5393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 009C53A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 009C5416
GetLastError.KERNEL32 ref: 009C5420
SetErrorMode.KERNEL32(00000000,READY), ref: 009C54A7

Strings

UNKNOWN, xrefs: 009C5444
READONLY, xrefs: 009C5452
INVALID, xrefs: 009C5459
NOTREADY, xrefs: 009C544B
READY, xrefs: 009C5460, 009C5468

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: e4688b2c3baddd7e89f5a14125598b2a2a447e26d8d1313dee2686731a99b1a7
Instruction ID: d55ed2eba99ba5c624eef8b1ee53dc416fecd32f2a91559a6039fcb9e52c9644
Opcode Fuzzy Hash: e4688b2c3baddd7e89f5a14125598b2a2a447e26d8d1313dee2686731a99b1a7
Instruction Fuzzy Hash: 07319C75E006049FD714DF68C884FAABBB8EB45305F158069E805CF2A2DB34EDC6CB92

Function 009E3C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 009E3C79
SetMenu.USER32(?,00000000), ref: 009E3C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 009E3D10
IsMenu.USER32(?), ref: 009E3D24
CreatePopupMenu.USER32 ref: 009E3D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 009E3D5B
DrawMenuBar.USER32 ref: 009E3D63

Strings

0, xrefs: 009E3C54
F, xrefs: 009E3D4E

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: d6ab2ed9a3e4aaf70948b366915bf3ee0c8bb5a7f7bd25fdcba5bbcacc5f8e18
Instruction ID: 7318a986a2b53aa2768751030f112cf7088683accc032fc925f9f6eeb3d779fb
Opcode Fuzzy Hash: d6ab2ed9a3e4aaf70948b366915bf3ee0c8bb5a7f7bd25fdcba5bbcacc5f8e18
Instruction Fuzzy Hash: 1A418D75A05249EFDB14CF65D888AAA77B9FF49300F144028F9469B3A0D730AE51DF90

Function 009B1EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00959CB3: _wcslen.LIBCMT ref: 00959CBD

Part of subcall function 009B3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 009B3CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 009B1F64
GetDlgCtrlID.USER32 ref: 009B1F6F
GetParent.USER32 ref: 009B1F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 009B1F8E
GetDlgCtrlID.USER32(?), ref: 009B1F97
GetParent.USER32(?), ref: 009B1FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 009B1FAE

Strings

ComboBox, xrefs: 009B1EEC
ListBox, xrefs: 009B1F21

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 8808ef6c58260232367d1ca8137b33e486a7cb43642a4ce7118cae3809b2875d
Instruction ID: 46280b3594095c71e00964419037747c030e1b48c093c76e96490d36a234653d
Opcode Fuzzy Hash: 8808ef6c58260232367d1ca8137b33e486a7cb43642a4ce7118cae3809b2875d
Instruction Fuzzy Hash: 9421D074904214BBDF00EFA0CC95AFEBBB8EF45310B504505F9A167291DB345909DB60

Function 009B1FC0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00959CB3: _wcslen.LIBCMT ref: 00959CBD

Part of subcall function 009B3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 009B3CCA

SendMessageW.USER32(?,00000186,00020000,00000000), ref: 009B2043
GetDlgCtrlID.USER32 ref: 009B204E
GetParent.USER32 ref: 009B206A
SendMessageW.USER32(00000000,?,00000111,?), ref: 009B206D
GetDlgCtrlID.USER32(?), ref: 009B2076
GetParent.USER32(?), ref: 009B208A
SendMessageW.USER32(00000000,?,00000111,?), ref: 009B208D

Strings

ComboBox, xrefs: 009B1FCD
ListBox, xrefs: 009B2002

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 8348670fb5bd027632ed20268c58a2b3c219f09785732559c8a8fcba6972d0ec
Instruction ID: b656985d06d4890639ed9f8dfd1d3f7a09d61da563a319403b6eb34a462569cd
Opcode Fuzzy Hash: 8348670fb5bd027632ed20268c58a2b3c219f09785732559c8a8fcba6972d0ec
Instruction Fuzzy Hash: 9921D1B5D00218BBDF10EFA4CD85EEEBBB8EF09310F104405F995A71A1DA794919DB60

Function 009E3A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 009E3A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 009E3AA0
GetWindowLongW.USER32(?,000000F0), ref: 009E3AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 009E3AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 009E3B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 009E3BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 009E3BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 009E3BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 009E3BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 009E3C13

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 5469c192ae416a943a3b4ae75ec597eac22718147ae387340045adf1b1d7f7c6
Instruction ID: 590dfb39be90d24b62de58daea54e178f3f0437ea28f93f88c18c5700457a72e
Opcode Fuzzy Hash: 5469c192ae416a943a3b4ae75ec597eac22718147ae387340045adf1b1d7f7c6
Instruction Fuzzy Hash: 82618E75900248AFDB11DFA8CC85EFE77F8EB49700F1441A9FA15A7291C774AE42DB50

Function 009BB12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 009BB151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,009BA1E1,?,00000001), ref: 009BB165
GetWindowThreadProcessId.USER32(00000000), ref: 009BB16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,009BA1E1,?,00000001), ref: 009BB17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 009BB18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,009BA1E1,?,00000001), ref: 009BB1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,009BA1E1,?,00000001), ref: 009BB1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,009BA1E1,?,00000001), ref: 009BB1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,009BA1E1,?,00000001), ref: 009BB212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,009BA1E1,?,00000001), ref: 009BB21D

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: fb85395a584155712f40013623458d53ec02c3ef8df8689962b851a94031cec8
Instruction ID: 8cdf187d8ac4e92288a8d76a097f7bfe6cd85c72d74023abe24d126f1327d8a6
Opcode Fuzzy Hash: fb85395a584155712f40013623458d53ec02c3ef8df8689962b851a94031cec8
Instruction Fuzzy Hash: 28314FB6618204BFDF20DF68DD84BBE7BADAB62721F104015F915DA190D7B89D428F60

Function 00982C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00982C94

Part of subcall function 009829C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0098D7D1,00000000,00000000,00000000,00000000,?,0098D7F8,00000000,00000007,00000000,?,0098DBF5,00000000), ref: 009829DE
Part of subcall function 009829C8: GetLastError.KERNEL32(00000000,?,0098D7D1,00000000,00000000,00000000,00000000,?,0098D7F8,00000000,00000007,00000000,?,0098DBF5,00000000,00000000), ref: 009829F0

_free.LIBCMT ref: 00982CA0
_free.LIBCMT ref: 00982CAB
_free.LIBCMT ref: 00982CB6
_free.LIBCMT ref: 00982CC1
_free.LIBCMT ref: 00982CCC
_free.LIBCMT ref: 00982CD7
_free.LIBCMT ref: 00982CE2
_free.LIBCMT ref: 00982CED
_free.LIBCMT ref: 00982CFB

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: a159ddd298f86b4ab97f66d852078f1d02a18e61867ca698591c6b42b27f4946
Instruction ID: 17bdaa9b5fb1811522f7bd68468e51d65d15816c37d86ab06334b832dfbd9324
Opcode Fuzzy Hash: a159ddd298f86b4ab97f66d852078f1d02a18e61867ca698591c6b42b27f4946
Instruction Fuzzy Hash: 97117476500108AFCB02FF54DA82EDD3BA9FF45350F5245A5FA489F322DA36EE509B90

Function 009C7DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 009C7FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 009C7FC1
GetFileAttributesW.KERNEL32(?), ref: 009C7FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 009C8005
SetCurrentDirectoryW.KERNEL32(?), ref: 009C8017
SetCurrentDirectoryW.KERNEL32(?), ref: 009C8060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 009C80B0

Strings

*.*, xrefs: 009C8066

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: ce82f0032d27a74a873d353c001943ff5cd82d81bb280b81e1341aeccef2f05e
Instruction ID: 9ea12afc62c2007ba3fb66982d5c0e749d63389f05ab1d985151ce40af6e02d6
Opcode Fuzzy Hash: ce82f0032d27a74a873d353c001943ff5cd82d81bb280b81e1341aeccef2f05e
Instruction Fuzzy Hash: 37817E729082419BCB20DF95C894FAAF3E8BB89350F144C5EF885D7261EB34DD498B53

Function 00955BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00955C7A

Part of subcall function 00955D0A: GetClientRect.USER32(?,?), ref: 00955D30
Part of subcall function 00955D0A: GetWindowRect.USER32(?,?), ref: 00955D71
Part of subcall function 00955D0A: ScreenToClient.USER32(?,?), ref: 00955D99

GetDC.USER32 ref: 009946F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00994708
SelectObject.GDI32(00000000,00000000), ref: 00994716
SelectObject.GDI32(00000000,00000000), ref: 0099472B
ReleaseDC.USER32(?,00000000), ref: 00994733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 009947C4

Strings

U, xrefs: 00994693

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 05fc6de226fbbf6bff1a411f72640b5bee391f0022b3b1f04f8b786af781eb62
Instruction ID: 81373a3730a56b50202311a59cef5049093931c9350c74ee9d35ba6a054bc7c2
Opcode Fuzzy Hash: 05fc6de226fbbf6bff1a411f72640b5bee391f0022b3b1f04f8b786af781eb62
Instruction Fuzzy Hash: A971E471400209DFCF22CFA8C984EBA3BB9FF4A365F144269ED955A166C3319C42DF50

Function 009C359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 009C35E4

Part of subcall function 00959CB3: _wcslen.LIBCMT ref: 00959CBD

LoadStringW.USER32(00A22390,?,00000FFF,?), ref: 009C360A

Strings

"%s" (%d) : ==> %s:%s%s, xrefs: 009C3724
Line %d (File "%s"):, xrefs: 009C366B
^ ERROR, xrefs: 009C36C9
"%s" (%d) : ==> %s:, xrefs: 009C3742
Error: , xrefs: 009C36EF

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 108f00ddeb379e797baa6e509a719c686153c2483b038f46aba11454ed4ada92
Instruction ID: 601f2e316e912343a729247d2f4b26542f8ca1a7403bc91908f4ec4f352f1863
Opcode Fuzzy Hash: 108f00ddeb379e797baa6e509a719c686153c2483b038f46aba11454ed4ada92
Instruction Fuzzy Hash: 77518E72C00209BADF14EBA1CD42FEEBB79EF54341F548129F505720A2EB311B99DB61

Function 009E8B02 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00969BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00969BB2

Part of subcall function 0096912D: GetCursorPos.USER32(?), ref: 00969141
Part of subcall function 0096912D: ScreenToClient.USER32(00000000,?), ref: 0096915E
Part of subcall function 0096912D: GetAsyncKeyState.USER32(00000001), ref: 00969183
Part of subcall function 0096912D: GetAsyncKeyState.USER32(00000002), ref: 0096919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 009E8B6B
ImageList_EndDrag.COMCTL32 ref: 009E8B71
ReleaseCapture.USER32 ref: 009E8B77
SetWindowTextW.USER32(?,00000000), ref: 009E8C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 009E8C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 009E8CFF

Strings

@GUI_DROPID, xrefs: 009E8C51
@GUI_DRAGFILE, xrefs: 009E8C9A

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: 55a26950f626fb859d5fc0542983d91bfcc78e347c64b36dfcf12e32255c87d0
Instruction ID: 3719837af55913af5afd63765a4431d7b9b18680374a837862dec48c90e1bda9
Opcode Fuzzy Hash: 55a26950f626fb859d5fc0542983d91bfcc78e347c64b36dfcf12e32255c87d0
Instruction Fuzzy Hash: 4951BB70108340AFD700DF65DC96BAA77E8FB88715F500A2DF996A72E1CB709D49CB62

Function 009CC253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 009CC272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 009CC29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 009CC2CA
GetLastError.KERNEL32 ref: 009CC322
SetEvent.KERNEL32(?), ref: 009CC336
InternetCloseHandle.WININET(00000000), ref: 009CC341

Strings

, xrefs: 009CC2BB

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 2986d13692d900a750dbdba86dd5c1029a59e52d7c3d9b00cb7d7eaff3edd32b
Instruction ID: e53240aef724fdc82c02f29e37a8c4735accde5ef28fa86eee66f8b584af68b9
Opcode Fuzzy Hash: 2986d13692d900a750dbdba86dd5c1029a59e52d7c3d9b00cb7d7eaff3edd32b
Instruction Fuzzy Hash: B0319CF1A04248AFD7219FA49C88FAB7FFCEB49740B14851EF48AD6201DB34DD459B62

Function 009B989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00993AAF,?,?,Bad directive syntax error,009ECC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 009B98BC
LoadStringW.USER32(00000000,?,00993AAF,?), ref: 009B98C3

Part of subcall function 00959CB3: _wcslen.LIBCMT ref: 00959CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 009B9987

Strings

%s (%d) : ==> %s.: %s %s, xrefs: 009B98F1
Line %d (File "%s"):, xrefs: 009B992D
Line %d:, xrefs: 009B9912
., xrefs: 009B996D
Error: , xrefs: 009B9955

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 403e02df9b55e0d5d5c445fd74d0919fb005092cbddebb91c397549e5f7ab132
Instruction ID: 481e63b64df5c7bd0b1d986fc9df0dc571306a06f11fcdc6d7ec0ea4cadb2888
Opcode Fuzzy Hash: 403e02df9b55e0d5d5c445fd74d0919fb005092cbddebb91c397549e5f7ab132
Instruction Fuzzy Hash: 1B215C3191021AEBDF15EFA0CC06FEE7739BF58701F044865BA19660A2EA719A58DB10

Function 009B209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 009B20AB
GetClassNameW.USER32(00000000,?,00000100), ref: 009B20C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 009B214D

Strings

list, xrefs: 009B212F
largeicons, xrefs: 009B20E1
SHELLDLL_DefView, xrefs: 009B20CC
smallicons, xrefs: 009B2115
details, xrefs: 009B20FB

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 3abd35c1f4d235f6f413fd4930898f9a30369051435f966007a6bfb06de2a7ef
Instruction ID: 91bac71e2b2bb9d4863736ecab7b5ea7566439c391bc4309268447ec31909cf3
Opcode Fuzzy Hash: 3abd35c1f4d235f6f413fd4930898f9a30369051435f966007a6bfb06de2a7ef
Instruction Fuzzy Hash: 251106B7A8C707B9F6052334DD06DE7379CDB45734B20441AFB08E50D2FA696C425A14

Function 00988D45 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24d1514f275db82b3378ca39fb2376403692b8f672e3dfc1fdf66d75ddb1d862
Instruction ID: b8d5c1897c46c6a9e0810b02e27c0c0d8cfe73cec4e3fee038c9c2186a99d8ae
Opcode Fuzzy Hash: 24d1514f275db82b3378ca39fb2376403692b8f672e3dfc1fdf66d75ddb1d862
Instruction Fuzzy Hash: 31C1D275A04249AFCB21FFECC841BBEBBB4AF49310F184159E954AB393C7349942CB61

Function 0098CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 0098CEB7
_free.LIBCMT ref: 0098CF22
_free.LIBCMT ref: 0098CF48
_free.LIBCMT ref: 0098CF71
_free.LIBCMT ref: 0098CFA9
_free.LIBCMT ref: 0098CFDA
_free.LIBCMT ref: 0098D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0098D09C
_free.LIBCMT ref: 0098D0B5

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 9c5c8cb8f3ef2c69dcefb22075b3da72259f4214e1f10b3fd8f97fbe78c5996b
Instruction ID: 262a41dfe52b9e4d95e0b2f359b9e27524e239bd939010b93d5370dee0b0a590
Opcode Fuzzy Hash: 9c5c8cb8f3ef2c69dcefb22075b3da72259f4214e1f10b3fd8f97fbe78c5996b
Instruction Fuzzy Hash: C96129B1905301AFEF35BFB89881B7E7BA9EF45310F14416EFA45A7382D6369D028760

Function 00968B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 009A6890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 009A68A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 009A68B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 009A68D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 009A68F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00968874,00000000,00000000,00000000,000000FF,00000000), ref: 009A6901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 009A691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00968874,00000000,00000000,00000000,000000FF,00000000), ref: 009A692D

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 2cec8a9f31dd0bd97278bd89dd51d774c31c8d222e422181557b33f6c55ef4ce
Instruction ID: de3d9b70c828c8587c56e5a76287c21ef99953cf9a02300f263ea78202e5d591
Opcode Fuzzy Hash: 2cec8a9f31dd0bd97278bd89dd51d774c31c8d222e422181557b33f6c55ef4ce
Instruction Fuzzy Hash: 8F518DB0600209EFDB20CF28CC95FAA7BB9FB94750F144618F952972A0DB74ED91DB50

Function 009CC143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 009CC182
GetLastError.KERNEL32 ref: 009CC195
SetEvent.KERNEL32(?), ref: 009CC1A9

Part of subcall function 009CC253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 009CC272
Part of subcall function 009CC253: GetLastError.KERNEL32 ref: 009CC322
Part of subcall function 009CC253: SetEvent.KERNEL32(?), ref: 009CC336
Part of subcall function 009CC253: InternetCloseHandle.WININET(00000000), ref: 009CC341

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 789def14d95b9151189841df7f6142be699f7b9d7b0d4e2f23aa0ebf1884aa2d
Instruction ID: 4ccee4c84bd820613f4c821c4aaf7621faffb5caab8718bf60644989f2536785
Opcode Fuzzy Hash: 789def14d95b9151189841df7f6142be699f7b9d7b0d4e2f23aa0ebf1884aa2d
Instruction Fuzzy Hash: 0E319AB1A04641AFDB219FA5DC44F66BFEDFF58310B04441DF9AA86611C731E811ABA2

Function 009B25A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 009B3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 009B3A57
Part of subcall function 009B3A3D: GetCurrentThreadId.KERNEL32 ref: 009B3A5E
Part of subcall function 009B3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,009B25B3), ref: 009B3A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 009B25BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 009B25DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 009B25DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 009B25E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 009B2601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 009B2605
MapVirtualKeyW.USER32(00000025,00000000), ref: 009B260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 009B2623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 009B2627

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: f1877cec4c4d15c691540e8a81b19ca4b599258d09e2ad2065f4efdfaf25f92c
Instruction ID: 75d0a8c1659d77f3e3d750b7a7e7ba4d22e596fd41f2aec8ffe02a54e23d1830
Opcode Fuzzy Hash: f1877cec4c4d15c691540e8a81b19ca4b599258d09e2ad2065f4efdfaf25f92c
Instruction Fuzzy Hash: F501D870398350BBFB1067699CCAF993F59DB8EB22F100011F354AE0D1C9E118459A69

Function 009B1803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,009B1449,?,?,00000000), ref: 009B180C
HeapAlloc.KERNEL32(00000000,?,009B1449,?,?,00000000), ref: 009B1813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,009B1449,?,?,00000000), ref: 009B1828
GetCurrentProcess.KERNEL32(?,00000000,?,009B1449,?,?,00000000), ref: 009B1830
DuplicateHandle.KERNEL32(00000000,?,009B1449,?,?,00000000), ref: 009B1833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,009B1449,?,?,00000000), ref: 009B1843
GetCurrentProcess.KERNEL32(009B1449,00000000,?,009B1449,?,?,00000000), ref: 009B184B
DuplicateHandle.KERNEL32(00000000,?,009B1449,?,?,00000000), ref: 009B184E
CreateThread.KERNEL32(00000000,00000000,009B1874,00000000,00000000,00000000), ref: 009B1868

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 35b3d6f619d1523faabe0f7b0788bafff59dabcd3965ea6766b6be655fbd75c6
Instruction ID: c91e2a9b3488a70d4f31efbf197a6ed4e4e89416b19bbeb317fe519bc7e965ea
Opcode Fuzzy Hash: 35b3d6f619d1523faabe0f7b0788bafff59dabcd3965ea6766b6be655fbd75c6
Instruction Fuzzy Hash: 7C01A8B5254348BFE610ABA5DC89F6B3BACEB89B11F404411FA45DB1A1CA709C019B20

Function 009DA0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 009BD4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 009BD501
Part of subcall function 009BD4DC: Process32FirstW.KERNEL32(00000000,?), ref: 009BD50F
Part of subcall function 009BD4DC: CloseHandle.KERNELBASE(00000000), ref: 009BD5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 009DA16D
GetLastError.KERNEL32 ref: 009DA180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 009DA1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 009DA268
GetLastError.KERNEL32(00000000), ref: 009DA273
CloseHandle.KERNEL32(00000000), ref: 009DA2C4

Strings

SeDebugPrivilege, xrefs: 009DA18F

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: f3347166e892cb75e6e5abab653ede14ba8510be5866fc5f176ad00ca7302830
Instruction ID: d9cfed9d9ee67d9a4bdedb37236aa06e7624b24a7465d1a4d74d773862a2c897
Opcode Fuzzy Hash: f3347166e892cb75e6e5abab653ede14ba8510be5866fc5f176ad00ca7302830
Instruction Fuzzy Hash: B061AE702482429FD710DF19C894F1ABBE5AF84318F14C48DE9664B7A3C776ED49CB92

Function 009E3886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 009E3925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 009E393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 009E3954
_wcslen.LIBCMT ref: 009E3999
SendMessageW.USER32(?,00001057,00000000,?), ref: 009E39C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 009E39F4

Strings

SysListView32, xrefs: 009E38F7

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: d9b2e5167ba37b6500b496adcb5c059918208761693450d2ae1fa98aa9cd4288
Instruction ID: 9d8522d67651bf8c3c05ed0d642380d6af5f5854b62413d78ed021eed13cba60
Opcode Fuzzy Hash: d9b2e5167ba37b6500b496adcb5c059918208761693450d2ae1fa98aa9cd4288
Instruction Fuzzy Hash: AB41C371A00259ABEF229F65CC49FEA7BA9FF48350F104526F948E7281D7719E80CB90

Function 009BBC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 009BBCFD
IsMenu.USER32(00000000), ref: 009BBD1D
CreatePopupMenu.USER32 ref: 009BBD53
GetMenuItemCount.USER32(013D6770), ref: 009BBDA4
InsertMenuItemW.USER32(013D6770,?,00000001,00000030), ref: 009BBDCC

Strings

2, xrefs: 009BBD37
0, xrefs: 009BBCA8

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 313642c4245e9d4564665079bd744c971cf97388bd4bceeef375ffdd0674e868
Instruction ID: e590e4abef7365812b7effef1a85bd7e5bc7aa4b9045dfcb4ce5dc70e2492e8f
Opcode Fuzzy Hash: 313642c4245e9d4564665079bd744c971cf97388bd4bceeef375ffdd0674e868
Instruction Fuzzy Hash: 0D51AFB0A04205DBDF20CFA8DAC4BEEBBF8AFC5324F144619E5519B2D0D7B89941CB61

Function 009BC874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 009BC913

Strings

stop, xrefs: 009BC8E4
blank, xrefs: 009BC895
info, xrefs: 009BC8B4
warning, xrefs: 009BC8FC
question, xrefs: 009BC8CC

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 3cc5140ae1a8291aa8553b93ecd2f57268a1fbf74fdd85aa1aaf174a18f345c0
Instruction ID: f71798ca017de03ac7621d45d280970f820812b7033feaa6c8cca115e7d84b79
Opcode Fuzzy Hash: 3cc5140ae1a8291aa8553b93ecd2f57268a1fbf74fdd85aa1aaf174a18f345c0
Instruction Fuzzy Hash: 331136B2789307BAF7049B149E83DEA379CDF55375B20442AF504E62C2E7B4AE405268

Function 009BDE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 009BDE42
gethostname.WSOCK32(?,00000100), ref: 009BDE5C
gethostbyname.WSOCK32(?), ref: 009BDE69
inet_ntoa.WSOCK32(?), ref: 009BDEAB
_strcat.LIBCMT ref: 009BDEB9
WSACleanup.WSOCK32 ref: 009BDEDE

Strings

0.0.0.0, xrefs: 009BDE87

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: 74414d5a47e7d63f36c3301a412a6859191be2cac58da5ea754099303826e968
Instruction ID: e8e0cbd24c2729bdf226278be81fd50408e40d0fe438382f7ed7084b5406d247
Opcode Fuzzy Hash: 74414d5a47e7d63f36c3301a412a6859191be2cac58da5ea754099303826e968
Instruction Fuzzy Hash: 68110672904214ABDB20AB20DD4AFEE77ACEF91720F0001A9F549AA091FF75CE819A50

Function 009E9F86 Relevance: 12.3, APIs: 8, Instructions: 260windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00969BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00969BB2

GetSystemMetrics.USER32(0000000F), ref: 009E9FC7
GetSystemMetrics.USER32(0000000F), ref: 009E9FE7
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 009EA224
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 009EA242
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 009EA263
ShowWindow.USER32(00000003,00000000), ref: 009EA282
InvalidateRect.USER32(?,00000000,00000001), ref: 009EA2A7
DefDlgProcW.USER32(?,00000005,?,?), ref: 009EA2CA

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: c276242fc349b8c8085c38c36ab83cf999570c5a870808b3f45b6714c99ae7f7
Instruction ID: e0be7e27f76019397944d39ec99ffb87a872177ac79e7927d0e8a37d7249ad61
Opcode Fuzzy Hash: c276242fc349b8c8085c38c36ab83cf999570c5a870808b3f45b6714c99ae7f7
Instruction Fuzzy Hash: 73B1C730600255EFCF15CF6AC9C47AA7BB6BF48711F088069ED99AB2A5DB31AD40CB51

Function 009BED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 009BED2A
_wcslen.LIBCMT ref: 009BED3B
_wcslen.LIBCMT ref: 009BED79
_wcslen.LIBCMT ref: 009BEDAF
_wcslen.LIBCMT ref: 009BEDDF
_wcslen.LIBCMT ref: 009BEDEF
_wcslen.LIBCMT ref: 009BEE2B
_wcslen.LIBCMT ref: 009BEE5A

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: d8934dde24263c020790e6e800f6c0f7c3230376936c5e6aea9b765bfc664ab6
Instruction ID: efe7d97adb1630ab58d7e29805d417c8f04a4b23fe679717fae293e416551771
Opcode Fuzzy Hash: d8934dde24263c020790e6e800f6c0f7c3230376936c5e6aea9b765bfc664ab6
Instruction Fuzzy Hash: 2B419666D10118B6CB11EBF4888AACF77BCAF85710F50C566F528E3122FB34E255C7A6

Function 0096F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,009A682C,00000004,00000000,00000000), ref: 0096F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,009A682C,00000004,00000000,00000000), ref: 009AF3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,009A682C,00000004,00000000,00000000), ref: 009AF454

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 18ef2c9955a9d9b19047f369774cbe1fa5de96f49b593db382e504bc2a7215dc
Instruction ID: 875c879ca13288ca7c963155479500b2cad6e96aa14a6cdac028da6bed5e1856
Opcode Fuzzy Hash: 18ef2c9955a9d9b19047f369774cbe1fa5de96f49b593db382e504bc2a7215dc
Instruction Fuzzy Hash: C1414D70208780BADB398B7DE9FC73A7BE9AB5B354F14483CE09756660C636A881D750

Function 009E2D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 009E2D1B
GetDC.USER32(00000000), ref: 009E2D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 009E2D2E
ReleaseDC.USER32(00000000,00000000), ref: 009E2D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 009E2D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 009E2D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,009E5A65,?,?,000000FF,00000000,?,000000FF,?), ref: 009E2DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 009E2DE1

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 8779f950778006ef923b248166412f666089b291186a781fdc4b6915177df7ff
Instruction ID: da1967fe54448af3b937e52043ba58935ac5c97cc46bd8b898718e2c90ad34ca
Opcode Fuzzy Hash: 8779f950778006ef923b248166412f666089b291186a781fdc4b6915177df7ff
Instruction Fuzzy Hash: E03189B2215294BBEB218F558C8AFEB3BADEB49721F044055FE489E291C6759C41CBA0

Function 009B5622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 009B5637
_memcmp.LIBVCRUNTIME ref: 009B5659
_memcmp.LIBVCRUNTIME ref: 009B5671
_memcmp.LIBVCRUNTIME ref: 009B5684
_memcmp.LIBVCRUNTIME ref: 009B569E
_memcmp.LIBVCRUNTIME ref: 009B56B1
_memcmp.LIBVCRUNTIME ref: 009B56C9
_memcmp.LIBVCRUNTIME ref: 009B56E4

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 83e8189dec1072d2faab75f31eaee7ecb2510675e22e611cae2f25342594d924
Instruction ID: b1c04f45ce96ff50effb772eee53031683921d21274b7d7ab66ebcfc02a3a5a3
Opcode Fuzzy Hash: 83e8189dec1072d2faab75f31eaee7ecb2510675e22e611cae2f25342594d924
Instruction Fuzzy Hash: D5212E72740A09F7E61555258F92FFB335CAFA03ACF654035FD089A581FB24EE1182E5

Function 009D4FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 009D502E, 009D5383
Not an Object type, xrefs: 009D5007

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 652764d757435c19ca51945d50680485da1dc6aa95aba3ff1391823e2cfdd7c1
Instruction ID: 3e4c2d4d990331c00e0bf309b5cbad3e19c08cfc0fd582ce461225b38b4b6132
Opcode Fuzzy Hash: 652764d757435c19ca51945d50680485da1dc6aa95aba3ff1391823e2cfdd7c1
Instruction Fuzzy Hash: FED1A271A4060A9FDF10CF98C881BAEB7B9BF48344F15C46AE915AB381E770DD45CB90

Function 00991522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,009917FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 009915CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,009917FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00991651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,009917FB,?,009917FB,00000000,00000000,?,00000000,?,?,?,?), ref: 009916E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,009917FB,00000000,00000000,?,00000000,?,?,?,?), ref: 009916FB

Part of subcall function 00983820: RtlAllocateHeap.NTDLL(00000000,?,00A21444,?,0096FDF5,?,?,0095A976,00000010,00A21440,009513FC,?,009513C6,?,00951129), ref: 00983852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,009917FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00991777
__freea.LIBCMT ref: 009917A2
__freea.LIBCMT ref: 009917AE

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: d0aa6e95ad7746bafd69841ee599aa03141521202356934aa625eb26ce640451
Instruction ID: 5ecc1c136a6fd0c0afe37c5738ac7130d1eeb0fb10c7a3db5e5ccee0c8df8c91
Opcode Fuzzy Hash: d0aa6e95ad7746bafd69841ee599aa03141521202356934aa625eb26ce640451
Instruction Fuzzy Hash: B891B372E002179ADF219EB8C881AEE7BB9BF89710F194659F905E7281D735DC40CB61

Function 009D4523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 009D4648
VariantInit.OLEAUT32(?), ref: 009D4749
VariantClear.OLEAUT32(?), ref: 009D4753
VariantClear.OLEAUT32(?), ref: 009D47B0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 009D472C
Null Object assignment in FOR..IN loop, xrefs: 009D45D8, 009D4706, 009D47BE

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 390c7a0c2b584f944c4dbffa22906a1767ea7b757f74fadcabe02e584f0ebc1b
Instruction ID: 5290cc2c41de36bd3f2af945969c35294489d4d21e4d448c361770d5438b70b0
Opcode Fuzzy Hash: 390c7a0c2b584f944c4dbffa22906a1767ea7b757f74fadcabe02e584f0ebc1b
Instruction Fuzzy Hash: 19919071A40219ABDF20CFA5DC84FAEBBB8EF86714F10855AF515AB280D7709941CFA0

Function 009C1187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 009C125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 009C1284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 009C12A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 009C12D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 009C135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 009C13C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 009C1430

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: c1d8c7ca263037a7c419c0043cea237e091d060559933bce25973f3ab260f91f
Instruction ID: 67927f61c617f5a319ec53db6b2cd129b7a6e3eb33fe3280538fc2f75da6985c
Opcode Fuzzy Hash: c1d8c7ca263037a7c419c0043cea237e091d060559933bce25973f3ab260f91f
Instruction Fuzzy Hash: B791E175E002099FEB04DF94C884FBE77B9FF86315F104029E950EB2A2D774A941CB96

Function 0096948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: e4de8337751b7c4de9909f41f9b093a8f3f393cd28a987bbbc610ebbdb3bdbb4
Instruction ID: 684155e34d2b9cde473d98de0c8f58fb38ad6cf3abc8fa90887dd7ad168533cb
Opcode Fuzzy Hash: e4de8337751b7c4de9909f41f9b093a8f3f393cd28a987bbbc610ebbdb3bdbb4
Instruction Fuzzy Hash: 56912771D04219EFCB10CFA9CC85AEEBBB8FF49320F144559E916B7251D778A942CBA0

Function 009D3947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 009D396B
CharUpperBuffW.USER32(?,?), ref: 009D3A7A
_wcslen.LIBCMT ref: 009D3A8A
VariantClear.OLEAUT32(?), ref: 009D3C1F

Part of subcall function 009C0CDF: VariantInit.OLEAUT32(00000000), ref: 009C0D1F
Part of subcall function 009C0CDF: VariantCopy.OLEAUT32(?,?), ref: 009C0D28
Part of subcall function 009C0CDF: VariantClear.OLEAUT32(?), ref: 009C0D34

Strings

AUTOIT.ERROR, xrefs: 009D3A80, 009D3A85
Incorrect Parameter format, xrefs: 009D39A6, 009D3BA1

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 84a015d8dcec0bc3f1dc320a5ff8226648df6e7bb39f3d4f5e7ec353368c0c74
Instruction ID: ffe7e9f1348bcc88e552c8c291da9934f4aa3d0ad49a466f8d829421b5d02716
Opcode Fuzzy Hash: 84a015d8dcec0bc3f1dc320a5ff8226648df6e7bb39f3d4f5e7ec353368c0c74
Instruction Fuzzy Hash: 7C9157756083019FC700DF64C490A6AB7E8FF89315F14892EF8899B351DB34EE49CB92

Function 009D4BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 009B000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,009AFF41,80070057,?,?,?,009B035E), ref: 009B002B
Part of subcall function 009B000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,009AFF41,80070057,?,?), ref: 009B0046
Part of subcall function 009B000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,009AFF41,80070057,?,?), ref: 009B0054
Part of subcall function 009B000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,009AFF41,80070057,?), ref: 009B0064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 009D4C51
_wcslen.LIBCMT ref: 009D4D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 009D4DCF
CoTaskMemFree.OLE32(?), ref: 009D4DDA

Strings

NULL Pointer assignment, xrefs: 009D4E23, 009D4E52

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 703c2db57571b5a33584b7dd0fd8853cd0542bab92ba30ce1383a94f7d5f5752
Instruction ID: e63c7125bbdc76171ecde8d8df0838ff0d0566a8d750354b703f7b655d5c9d26
Opcode Fuzzy Hash: 703c2db57571b5a33584b7dd0fd8853cd0542bab92ba30ce1383a94f7d5f5752
Instruction Fuzzy Hash: 16911871D0021DEFDF10DFA5C891AEEB7B9BF48310F10856AE919AB251DB349A45CFA0

Function 009E20FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 009E2183
GetMenuItemCount.USER32(00000000), ref: 009E21B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 009E21DD
_wcslen.LIBCMT ref: 009E2213
GetMenuItemID.USER32(?,?), ref: 009E224D
GetSubMenu.USER32(?,?), ref: 009E225B

Part of subcall function 009B3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 009B3A57
Part of subcall function 009B3A3D: GetCurrentThreadId.KERNEL32 ref: 009B3A5E
Part of subcall function 009B3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,009B25B3), ref: 009B3A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 009E22E3

Part of subcall function 009BE97B: Sleep.KERNEL32 ref: 009BE9F3

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 64f0fa7c874e4a85005e937fab09da7a8c7590edb7cde90ea3ff227d119094c4
Instruction ID: 378574ff55c436333ec8c4b29be14b85515ac44e352e973cc10b4ae234fb0715
Opcode Fuzzy Hash: 64f0fa7c874e4a85005e937fab09da7a8c7590edb7cde90ea3ff227d119094c4
Instruction Fuzzy Hash: D571B075A04245AFCB15DF65C881AAEB7F9FF88310F108458E966EB341DB34EE01CB90

Function 009E7E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(013D66F8), ref: 009E7F37
IsWindowEnabled.USER32(013D66F8), ref: 009E7F43
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 009E801E
SendMessageW.USER32(013D66F8,000000B0,?,?), ref: 009E8051
IsDlgButtonChecked.USER32(?,?), ref: 009E8089
GetWindowLongW.USER32(013D66F8,000000EC), ref: 009E80AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 009E80C3

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 3396f80ca6bb90a26faa3a2aaa2a47e4e8274867204f3771ee3fa113f0af39df
Instruction ID: 5be7bc9354f90f134ced7140ed8fe922bc18673f62422bfea6d899585c5b9382
Opcode Fuzzy Hash: 3396f80ca6bb90a26faa3a2aaa2a47e4e8274867204f3771ee3fa113f0af39df
Instruction Fuzzy Hash: 93718C74608284AFEB26DFA6C884FEABBB9FF49300F144859E94597261CB31AC45DB11

Function 009BAEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 009BAEF9
GetKeyboardState.USER32(?), ref: 009BAF0E
SetKeyboardState.USER32(?), ref: 009BAF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 009BAF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 009BAFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 009BAFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 009BB020

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: e75403ac9d23569ae37684b3fab4720c8c94e44f6dc20810c1a0bb7dfd2e37a3
Instruction ID: 37b6a4912af76d87a8f8d41544398b8dfe20aabea4e133393bb53195b2f9dda4
Opcode Fuzzy Hash: e75403ac9d23569ae37684b3fab4720c8c94e44f6dc20810c1a0bb7dfd2e37a3
Instruction Fuzzy Hash: CF51D1A06187D53DFB3652348E45BFBBEAD5B06324F088489E1E9558C2C3D9ECC8D751

Function 009BACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 009BAD19
GetKeyboardState.USER32(?), ref: 009BAD2E
SetKeyboardState.USER32(?), ref: 009BAD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 009BADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 009BADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 009BAE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 009BAE38

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 5e702596f88195692c9a85f1a158c388468198b5358475dc723f40f2105d719e
Instruction ID: e44c24aec4c3e174c4d2cfcd705fb8bc7c1cb6b727b342a95072f8e3468bd092
Opcode Fuzzy Hash: 5e702596f88195692c9a85f1a158c388468198b5358475dc723f40f2105d719e
Instruction Fuzzy Hash: 6051F6A15087D53DFB338334CE95BFA7EAD5B86710F088588E1D54A8C2C294EC88E762

Function 0098542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00993CD6,?,?,?,?,?,?,?,?,00985BA3,?,?,00993CD6,?,?), ref: 00985470
__fassign.LIBCMT ref: 009854EB
__fassign.LIBCMT ref: 00985506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00993CD6,00000005,00000000,00000000), ref: 0098552C
WriteFile.KERNEL32(?,00993CD6,00000000,00985BA3,00000000,?,?,?,?,?,?,?,?,?,00985BA3,?), ref: 0098554B
WriteFile.KERNEL32(?,?,00000001,00985BA3,00000000,?,?,?,?,?,?,?,?,?,00985BA3,?), ref: 00985584

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 48c52e98991a094b8e7ddd9cb2c6fc6ed2657dc09d31253b658a9391f822e197
Instruction ID: de63d4344eb5464ee3664c5ac149d2d15759d1ae547ac936dddaad3b99d21233
Opcode Fuzzy Hash: 48c52e98991a094b8e7ddd9cb2c6fc6ed2657dc09d31253b658a9391f822e197
Instruction Fuzzy Hash: 7151E3B1A006499FDB10DFA8D885AEEBBF9EF08300F15451AF955E7391D7309E46CB60

Function 00972D20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00972D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00972D53
_ValidateLocalCookies.LIBCMT ref: 00972DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00972E0C
_ValidateLocalCookies.LIBCMT ref: 00972E61

Strings

csm, xrefs: 00972DF6

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 417d40e0b6f7d2c0681a44ce4558b698746d310304d9a389170c66130c7df450
Instruction ID: 6c25148bc88135230222a87f6bf503c89da402f9f8b2d34268a4a0db0b419c53
Opcode Fuzzy Hash: 417d40e0b6f7d2c0681a44ce4558b698746d310304d9a389170c66130c7df450
Instruction Fuzzy Hash: D1419236E10209ABCF20DF68CC55A9EBBB9BF84324F14C155E9186B392D731EA45CB91

Function 009D10B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 009D304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 009D307A
Part of subcall function 009D304E: _wcslen.LIBCMT ref: 009D309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 009D1112
WSAGetLastError.WSOCK32 ref: 009D1121
WSAGetLastError.WSOCK32 ref: 009D11C9
closesocket.WSOCK32(00000000), ref: 009D11F9

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: a2ee54a599b509fb46039bb1767325f4d81c7f1a984a0254518aeb01c136634f
Instruction ID: bdc06b311612f1f622fbc0759dd564a59427c5aced9bd8efcf9846d46427d9ca
Opcode Fuzzy Hash: a2ee54a599b509fb46039bb1767325f4d81c7f1a984a0254518aeb01c136634f
Instruction Fuzzy Hash: C541F272604204AFDB10DF64C884BAABBE9EF85324F14C05AFD559F392C774AD46CBA1

Function 009BCF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 009BDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,009BCF22,?), ref: 009BDDFD

Part of subcall function 009BDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,009BCF22,?), ref: 009BDE16

lstrcmpiW.KERNEL32(?,?), ref: 009BCF45
MoveFileW.KERNEL32(?,?), ref: 009BCF7F
_wcslen.LIBCMT ref: 009BD005
_wcslen.LIBCMT ref: 009BD01B
SHFileOperationW.SHELL32(?), ref: 009BD061

Strings

\*.*, xrefs: 009BCFF3

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: bc334e2353ee631639729a671fa7dcf5873a3b31e7735d1bcf3e12919420c67a
Instruction ID: 1bfb9de91303cd17c79e8bfe900cfed4dfd8af7fbe7cb5e97b617c2d45821307
Opcode Fuzzy Hash: bc334e2353ee631639729a671fa7dcf5873a3b31e7735d1bcf3e12919420c67a
Instruction Fuzzy Hash: 4A4169B190521C9FDF12EFA4CA81BED77BDAF48390F1004E6E549EB142EB34A645CB50

Function 009E2DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 009E2E1C
GetWindowLongW.USER32(?,000000F0), ref: 009E2E4F
GetWindowLongW.USER32(?,000000F0), ref: 009E2E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 009E2EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 009E2EE0
GetWindowLongW.USER32(?,000000F0), ref: 009E2EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 009E2F0B

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 2e23575fe6761fdcec62f85a948921185fbd27f7cc54a20ff128eb0169178d2a
Instruction ID: 93719378fbd2a5e2df359a7318fcf161789d8fb3606b19f3526938f3a819ef34
Opcode Fuzzy Hash: 2e23575fe6761fdcec62f85a948921185fbd27f7cc54a20ff128eb0169178d2a
Instruction Fuzzy Hash: C73108316082A19FDB22CF59DC84F6537E9FB9AB10F1501A8F9419F2B2CB71AC42DB41

Function 009B7726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 009B7769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 009B778F
SysAllocString.OLEAUT32(00000000), ref: 009B7792
SysAllocString.OLEAUT32(?), ref: 009B77B0
SysFreeString.OLEAUT32(?), ref: 009B77B9
StringFromGUID2.OLE32(?,?,00000028), ref: 009B77DE
SysAllocString.OLEAUT32(?), ref: 009B77EC

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: d5b5c938911a6d6a2eb6811b244087fc4dbfaa6d2681e07e663135e3198169d5
Instruction ID: af7dbb28520078fcd292debb962139c21eee2de402a9b436cc7698235a13093b
Opcode Fuzzy Hash: d5b5c938911a6d6a2eb6811b244087fc4dbfaa6d2681e07e663135e3198169d5
Instruction Fuzzy Hash: 8721B276608219AFDB10DFA8DDC8DFBB7ACEB493647108525F914DF1A0DA70DC428760

Function 009B77FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 009B7842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 009B7868
SysAllocString.OLEAUT32(00000000), ref: 009B786B
SysAllocString.OLEAUT32 ref: 009B788C
SysFreeString.OLEAUT32 ref: 009B7895
StringFromGUID2.OLE32(?,?,00000028), ref: 009B78AF
SysAllocString.OLEAUT32(?), ref: 009B78BD

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 2f7ae7cd563aec85593ca580c1d54765ac91c8d5c5fe2d059562df351597f77e
Instruction ID: dcf304463c7a21554aaca5b76242c7a28cbf2aaa6518e69e8d2708c836c59a65
Opcode Fuzzy Hash: 2f7ae7cd563aec85593ca580c1d54765ac91c8d5c5fe2d059562df351597f77e
Instruction Fuzzy Hash: B5216072608204BFDB109FF8DDC8DAAB7ACEB497607108225F915CB2A1E674DC41DB64

Function 009C04D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 009C04F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 009C052E

Strings

nul, xrefs: 009C0567

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 78fe944e8967bf004578ff2bda5cb4f65035e3973ca4056ee4bec96bd47ca42d
Instruction ID: 439de64aa8f0adc464ce73b9ae404d9e33b3215d067f538f06582e60d9197bbc
Opcode Fuzzy Hash: 78fe944e8967bf004578ff2bda5cb4f65035e3973ca4056ee4bec96bd47ca42d
Instruction Fuzzy Hash: 16215CB5900345EBDF209F2AD844F9A7BA8BF84724F204A1DF8A1D62E0E770D941DF21

Function 009C05A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 009C05C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 009C0601

Strings

nul, xrefs: 009C0639

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: d57f91f8b6f862207041a7876facde25bd7d0607cf90b27d88dfe81825b9c631
Instruction ID: a4b42d6cc85e697f7945d2164d6488aaa888b08a4160010916b729c2173ca8f8
Opcode Fuzzy Hash: d57f91f8b6f862207041a7876facde25bd7d0607cf90b27d88dfe81825b9c631
Instruction Fuzzy Hash: 9C219F75904315DBDB208F698D44F9A77A8AFC5B20F200B1DF8E1E72E0D7709861CB22

Function 009E40AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0095600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0095604C
Part of subcall function 0095600E: GetStockObject.GDI32(00000011), ref: 00956060
Part of subcall function 0095600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0095606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 009E4112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 009E411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 009E412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 009E4139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 009E4145

Strings

Msctls_Progress32, xrefs: 009E40E3

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: db0937063b9cdcc993ce4d6b7e7cb8d55c383893653aa776fca4bfd6445913c4
Instruction ID: 0462b037588f370c6dd602d8fd9ecf8b8a60a5c82ca05802ebaf93890f52e94b
Opcode Fuzzy Hash: db0937063b9cdcc993ce4d6b7e7cb8d55c383893653aa776fca4bfd6445913c4
Instruction Fuzzy Hash: D811B2B2150219BEEF118FA5CC85EE77FADFF18798F014120BA18A6190C676DC61DBA4

Function 0098D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0098D7A3: _free.LIBCMT ref: 0098D7CC

_free.LIBCMT ref: 0098D82D

Part of subcall function 009829C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0098D7D1,00000000,00000000,00000000,00000000,?,0098D7F8,00000000,00000007,00000000,?,0098DBF5,00000000), ref: 009829DE
Part of subcall function 009829C8: GetLastError.KERNEL32(00000000,?,0098D7D1,00000000,00000000,00000000,00000000,?,0098D7F8,00000000,00000007,00000000,?,0098DBF5,00000000,00000000), ref: 009829F0

_free.LIBCMT ref: 0098D838
_free.LIBCMT ref: 0098D843
_free.LIBCMT ref: 0098D897
_free.LIBCMT ref: 0098D8A2
_free.LIBCMT ref: 0098D8AD
_free.LIBCMT ref: 0098D8B8

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: fa8813a4cc63bbe74e9c3185b76627e16394399da77ad02a7f341cc7a5f88429
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: 1211FEB1542B04AAE621BFB0CD47FCF7BDCAF85700F404825F299A66D2DA69B5058760

Function 009BDA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 009BDA74
LoadStringW.USER32(00000000), ref: 009BDA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 009BDA91
LoadStringW.USER32(00000000), ref: 009BDA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 009BDADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 009BDAB9

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 58ea342d6685030d171929376133f7d5da86c3482c956eb7e6bc18c3d58821cd
Instruction ID: 46f246afd24dc2c607d56d9fae78930f40510e2b5e022a44b689a5264516be33
Opcode Fuzzy Hash: 58ea342d6685030d171929376133f7d5da86c3482c956eb7e6bc18c3d58821cd
Instruction Fuzzy Hash: 5B0186F2514348BFEB119BE09DC9EEB736CEB08701F400891B796E6041E6749E858F74

Function 009C096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(013CEEA0,013CEEA0), ref: 009C097B
EnterCriticalSection.KERNEL32(013CEE80,00000000), ref: 009C098D
TerminateThread.KERNEL32(?,000001F6), ref: 009C099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 009C09A9
CloseHandle.KERNEL32(?), ref: 009C09B8
InterlockedExchange.KERNEL32(013CEEA0,000001F6), ref: 009C09C8
LeaveCriticalSection.KERNEL32(013CEE80), ref: 009C09CF

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: c76b7bbe5d8745b08ce7e951858851d9aec9428082ec3209ef26f927a6e00718
Instruction ID: 770330c43df494c77026d18826f7a2c98e12037f9ca4dc6b7896d7d6935b5809
Opcode Fuzzy Hash: c76b7bbe5d8745b08ce7e951858851d9aec9428082ec3209ef26f927a6e00718
Instruction Fuzzy Hash: FCF03171456642FBD7415F94EECCBD67B39FF41702F402015F251588A0C7749866DF90

Function 009D1C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 009D1DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 009D1DE1
WSAGetLastError.WSOCK32 ref: 009D1DF2
htons.WSOCK32(?,?,?,?,?), ref: 009D1EDB
inet_ntoa.WSOCK32(?), ref: 009D1E8C

Part of subcall function 009B39E8: _strlen.LIBCMT ref: 009B39F2

Part of subcall function 009D3224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,009CEC0C), ref: 009D3240

_strlen.LIBCMT ref: 009D1F35

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: 458dc022dcd7c21a420acf90aa3efad38ef9d7a7fe5c2f169e9d93081b09d3d9
Instruction ID: 5a780bcf94d2a5f48883a92ac305d924d4baa1e7ec23edbc81c4788f09315744
Opcode Fuzzy Hash: 458dc022dcd7c21a420acf90aa3efad38ef9d7a7fe5c2f169e9d93081b09d3d9
Instruction Fuzzy Hash: 35B1AC72244340AFD324DF24C895F2A7BA9AFC4318F54894DF8965B3A2DB31ED46CB91

Function 00955D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00955D30
GetWindowRect.USER32(?,?), ref: 00955D71
ScreenToClient.USER32(?,?), ref: 00955D99
GetClientRect.USER32(?,?), ref: 00955ED7
GetWindowRect.USER32(?,?), ref: 00955EF8

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: abe4edc66fbfb7baa5ff0886ef98d172f979a3a41cd73c3756bc9b2d400ec5c1
Instruction ID: a30868e8427f549e9429926c7b8c2c44c74adfadb673b74d90f2c889e0717d49
Opcode Fuzzy Hash: abe4edc66fbfb7baa5ff0886ef98d172f979a3a41cd73c3756bc9b2d400ec5c1
Instruction Fuzzy Hash: 1DB19B74A0064AEBDF10CFAAC481BEEB7F5FF08311F14881AE8A9D7250D734AA45DB50

Function 009801B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 009800BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 009800D6
__allrem.LIBCMT ref: 009800ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0098010B
__allrem.LIBCMT ref: 00980122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00980140

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: 633dba28df89c79a1086ce52d61b5ac06bc7fe5ff4b32272c31594fc6fa379d6
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: 2781E572A007069BE720AF68CC52B6A73E9EFC1734F24853AF555DB781EB74D9048B90

Function 009861FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,009782D9,009782D9,?,?,?,0098644F,00000001,00000001,8BE85006), ref: 00986258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0098644F,00000001,00000001,8BE85006,?,?,?), ref: 009862DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 009863D8
__freea.LIBCMT ref: 009863E5

Part of subcall function 00983820: RtlAllocateHeap.NTDLL(00000000,?,00A21444,?,0096FDF5,?,?,0095A976,00000010,00A21440,009513FC,?,009513C6,?,00951129), ref: 00983852

__freea.LIBCMT ref: 009863EE
__freea.LIBCMT ref: 00986413

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: c544635a6df085bf30d2c149807baf7e6597c9d610e12196c362018dd8dc0186
Instruction ID: 97fd4ebcad1c5199735d660fe269847466940b616014ab324e1db7c1c8827f9c
Opcode Fuzzy Hash: c544635a6df085bf30d2c149807baf7e6597c9d610e12196c362018dd8dc0186
Instruction Fuzzy Hash: CA51B072600216ABEB25AF64DC81FBF77AAEB84750F15466AFC05DB250EB34DC40D760

Function 009DBBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00959CB3: _wcslen.LIBCMT ref: 00959CBD

Part of subcall function 009DC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,009DB6AE,?,?), ref: 009DC9B5
Part of subcall function 009DC998: _wcslen.LIBCMT ref: 009DC9F1
Part of subcall function 009DC998: _wcslen.LIBCMT ref: 009DCA68
Part of subcall function 009DC998: _wcslen.LIBCMT ref: 009DCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 009DBCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 009DBD25
RegCloseKey.ADVAPI32(00000000), ref: 009DBD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 009DBD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 009DBDF3
RegCloseKey.ADVAPI32(?), ref: 009DBDFF

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 191c94621c350c8e1012c28835c74617dffdad1179b2367b881e3029bf131221
Instruction ID: 4d9e097af205aa92b37638123056979aeebb7badb9af54ca45d6b057ec39bf03
Opcode Fuzzy Hash: 191c94621c350c8e1012c28835c74617dffdad1179b2367b881e3029bf131221
Instruction Fuzzy Hash: 1F81A070218241EFD714DF24C891E2ABBE9FF84308F15895DF5998B2A2DB31ED45CB92

Function 009AF7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 009AF7B9
SysAllocString.OLEAUT32(00000001), ref: 009AF860
VariantCopy.OLEAUT32(009AFA64,00000000), ref: 009AF889
VariantClear.OLEAUT32(009AFA64), ref: 009AF8AD
VariantCopy.OLEAUT32(009AFA64,00000000), ref: 009AF8B1
VariantClear.OLEAUT32(?), ref: 009AF8BB

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 5b13054a1a97eacca00d7968b7efaa525bf85da7deb8d993660b3ca721375e8b
Instruction ID: 754ed443cbc41a993e860be31c2f34ae63932ded98f00126f4974a9e503426dc
Opcode Fuzzy Hash: 5b13054a1a97eacca00d7968b7efaa525bf85da7deb8d993660b3ca721375e8b
Instruction Fuzzy Hash: C051D935510310BADF14ABA5D8B5B2AB3A8EFC6310F244866F906DF291EB749C41C7D6

Function 009C910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00957620: _wcslen.LIBCMT ref: 00957625

Part of subcall function 00956B57: _wcslen.LIBCMT ref: 00956B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 009C94E5
_wcslen.LIBCMT ref: 009C9506
_wcslen.LIBCMT ref: 009C952D
GetSaveFileNameW.COMDLG32(00000058), ref: 009C9585

Strings

X, xrefs: 009C9412

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 364303c8b71550691b923620d70646a47568ac969ca921b528d1d01477597eda
Instruction ID: 1ef927eec40fb3b456174d7c7e28bc2cade0286f903bf49f2483a63fbaaf8a07
Opcode Fuzzy Hash: 364303c8b71550691b923620d70646a47568ac969ca921b528d1d01477597eda
Instruction Fuzzy Hash: 3AE17B31A083518FD724DF25C885F6AB7E4BF85314F04896DF8999B2A2EB31DD05CB92

Function 0096920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00969BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00969BB2

BeginPaint.USER32(?,?,?), ref: 00969241
GetWindowRect.USER32(?,?), ref: 009692A5
ScreenToClient.USER32(?,?), ref: 009692C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 009692D3
EndPaint.USER32(?,?,?,?,?), ref: 00969321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 009A71EA

Part of subcall function 00969339: BeginPath.GDI32(00000000), ref: 00969357

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 65735abfd563a84bf7d2a1d8d713e8041d2af6dfc018c6bee4bf58e07124ad1f
Instruction ID: 12aef1d06a6f47335814ffbd95f224153b979a360715d4857ddd9d00d79178b6
Opcode Fuzzy Hash: 65735abfd563a84bf7d2a1d8d713e8041d2af6dfc018c6bee4bf58e07124ad1f
Instruction Fuzzy Hash: 9141AD70108341AFD721DF68CCD5FBA7BECEB96720F040629F9A48B2A1C7319846DB61

Function 009C07EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 009C080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 009C0847
EnterCriticalSection.KERNEL32(?), ref: 009C0863
LeaveCriticalSection.KERNEL32(?), ref: 009C08DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 009C08F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 009C0921

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: d404d40e6139e9f03ce0789dd4677dd087372d017c93403578d71aa4486b2500
Instruction ID: 2181b24c5e8a6528d7c7e1ac18b22758e9b2da5903e8675cd9463c8679dfb3c8
Opcode Fuzzy Hash: d404d40e6139e9f03ce0789dd4677dd087372d017c93403578d71aa4486b2500
Instruction Fuzzy Hash: 37415972900205EBDF159F54DC85BAA7B78FF84300F1480A9ED049E297D731DE61DBA0

Function 009E81DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,009AF3AB,00000000,?,?,00000000,?,009A682C,00000004,00000000,00000000), ref: 009E824C
EnableWindow.USER32(?,00000000), ref: 009E8272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 009E82D1
ShowWindow.USER32(?,00000004), ref: 009E82E5
EnableWindow.USER32(?,00000001), ref: 009E830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 009E832F

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 1f8cf8795ca2ca1d55185360da656ffaabb8cd43e13c6c9abf5d5de785348bd9
Instruction ID: 19ddb91da0d09704715f6b9fdbe5199e6023615d15c4976b4aedd7665b1460e6
Opcode Fuzzy Hash: 1f8cf8795ca2ca1d55185360da656ffaabb8cd43e13c6c9abf5d5de785348bd9
Instruction Fuzzy Hash: C941C730601684EFDB26CF96C895BE57BE4FB0A754F185169E61C5F362CB32AC42CB50

Function 009B4C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 009B4C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 009B4CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 009B4CEA
_wcslen.LIBCMT ref: 009B4D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 009B4D10
_wcsstr.LIBVCRUNTIME ref: 009B4D1A

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 12a208d32d29716056dc15f86032bce1214a3fc5fc4389ef6c2d0cea90ad4d64
Instruction ID: 8ede2469cbbc5cbe6a389b9b4435a1f4eb221f3b20144c80ea85fa83fc8377dc
Opcode Fuzzy Hash: 12a208d32d29716056dc15f86032bce1214a3fc5fc4389ef6c2d0cea90ad4d64
Instruction Fuzzy Hash: 5E21F972604241BBEB155B39ED49FBB7FACDF85B60F10802DF849CE193DA65DC01A6A0

Function 009C581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00953AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00953A97,?,?,00952E7F,?,?,?,00000000), ref: 00953AC2

_wcslen.LIBCMT ref: 009C587B
CoInitialize.OLE32(00000000), ref: 009C5995
CoCreateInstance.OLE32(009EFCF8,00000000,00000001,009EFB68,?), ref: 009C59AE
CoUninitialize.OLE32 ref: 009C59CC

Strings

.lnk, xrefs: 009C5876, 009C58C1, 009C5985

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 8390c88b71769d1d4e76ea35a67d1e2ba03ed7645dc771405bc5e17e51b06eb4
Instruction ID: 848f5eaca17f844b1f0eec87de107249fd3ee3ecb36ec27fa37e076d95777d0d
Opcode Fuzzy Hash: 8390c88b71769d1d4e76ea35a67d1e2ba03ed7645dc771405bc5e17e51b06eb4
Instruction Fuzzy Hash: F2D16371A087019FC704DF25C480E2ABBE5EF89714F15899DF88A9B361DB31ED85CB92

Function 009B175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 009B0FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 009B0FCA
Part of subcall function 009B0FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 009B0FD6
Part of subcall function 009B0FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 009B0FE5
Part of subcall function 009B0FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 009B0FEC
Part of subcall function 009B0FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 009B1002

GetLengthSid.ADVAPI32(?,00000000,009B1335), ref: 009B17AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 009B17BA
HeapAlloc.KERNEL32(00000000), ref: 009B17C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 009B17DA
GetProcessHeap.KERNEL32(00000000,00000000,009B1335), ref: 009B17EE
HeapFree.KERNEL32(00000000), ref: 009B17F5

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 75d9fcd4cf8751feae08bec54c18f4f7d6880691f966e071478a692ef4133015
Instruction ID: ee878ca8ff158f289814f5023f7ac2a96842bbf56e916cfe5910b945c9b5a749
Opcode Fuzzy Hash: 75d9fcd4cf8751feae08bec54c18f4f7d6880691f966e071478a692ef4133015
Instruction Fuzzy Hash: D611AC72614205FFDB109FA4CD99BEE7BADEB42365F504018F8819B210CB35AD41DB60

Function 009B14CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 009B14FF
OpenProcessToken.ADVAPI32(00000000), ref: 009B1506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 009B1515
CloseHandle.KERNEL32(00000004), ref: 009B1520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 009B154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 009B1563

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: e28b9aaf347816c8321d6812ce9485c2dd97b513817e6d3d218f6e43e38d0b6e
Instruction ID: 71a53b65e416cb028f12e94bbd33faa3f599fdbeabb1ed01b469b176ba5c7fa7
Opcode Fuzzy Hash: e28b9aaf347816c8321d6812ce9485c2dd97b513817e6d3d218f6e43e38d0b6e
Instruction Fuzzy Hash: 8A1129B2604249EBDF11CF98DE49BDE7BADEF48754F044025FA45A6060C3768E61EB60

Function 00973382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00973379,00972FE5), ref: 00973390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0097339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 009733B7
SetLastError.KERNEL32(00000000,?,00973379,00972FE5), ref: 00973409

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 0b00d3cf04ebd5b0b2b6e49b4cc4c21b40cd1d5d35f301c4ce4b1622dcdb5cad
Instruction ID: af5b2c6f02874494aa89b34242f9061edad3bce5f9f134dfd27ca895ec70b9b9
Opcode Fuzzy Hash: 0b00d3cf04ebd5b0b2b6e49b4cc4c21b40cd1d5d35f301c4ce4b1622dcdb5cad
Instruction Fuzzy Hash: 97012433248711BEE62567B47C86AA72A9DEB49779330C229F418842F1FF114D027244

Function 00982D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00985686,00993CD6,?,00000000,?,00985B6A,?,?,?,?,?,0097E6D1,?,00A18A48), ref: 00982D78
_free.LIBCMT ref: 00982DAB
_free.LIBCMT ref: 00982DD3
SetLastError.KERNEL32(00000000,?,?,?,?,0097E6D1,?,00A18A48,00000010,00954F4A,?,?,00000000,00993CD6), ref: 00982DE0
SetLastError.KERNEL32(00000000,?,?,?,?,0097E6D1,?,00A18A48,00000010,00954F4A,?,?,00000000,00993CD6), ref: 00982DEC
_abort.LIBCMT ref: 00982DF2

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 2cecba1dad344a0f31d5ef5c4927e86f8822e122ebb63d8cb2d1451633909d04
Instruction ID: 109817bfc6067db49afa396e5161870021f15b0f48afff4d9df2164f95bd85ac
Opcode Fuzzy Hash: 2cecba1dad344a0f31d5ef5c4927e86f8822e122ebb63d8cb2d1451633909d04
Instruction Fuzzy Hash: B3F0C87654960137C6127778BC06F5B2A5DAFC27B1F254518F825D73D2EF28DC025360

Function 009E8A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00969639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00969693
Part of subcall function 00969639: SelectObject.GDI32(?,00000000), ref: 009696A2
Part of subcall function 00969639: BeginPath.GDI32(?), ref: 009696B9
Part of subcall function 00969639: SelectObject.GDI32(?,00000000), ref: 009696E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 009E8A4E
LineTo.GDI32(?,00000003,00000000), ref: 009E8A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 009E8A70
LineTo.GDI32(?,00000000,00000003), ref: 009E8A80
EndPath.GDI32(?), ref: 009E8A90
StrokePath.GDI32(?), ref: 009E8AA0

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: d3a6d0be53776330014672ff86958b1a070907faa216fe835e2a64813f460cdd
Instruction ID: a4c4a55735cf9a76e25d8d6eb64e1e541f6492d58d20d6fe646918bfb3b35588
Opcode Fuzzy Hash: d3a6d0be53776330014672ff86958b1a070907faa216fe835e2a64813f460cdd
Instruction Fuzzy Hash: 94111E7600414CFFDF129F94DC88EAA7F6CEB04355F008021FA599A161C7719D56DF60

Function 009B51FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 009B5218
GetDeviceCaps.GDI32(00000000,00000058), ref: 009B5229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 009B5230
ReleaseDC.USER32(00000000,00000000), ref: 009B5238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 009B524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 009B5261

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 0216d2d3dcb744ac48ebe5b2bc454bc3ed2a0ae77d17631e63f62782c82cee2f
Instruction ID: 70f77da14c7ef279cc17beb844388c7ccc99cc3639d726c8b3ad98ec6e28ffb3
Opcode Fuzzy Hash: 0216d2d3dcb744ac48ebe5b2bc454bc3ed2a0ae77d17631e63f62782c82cee2f
Instruction Fuzzy Hash: 6E018FB5A05709BBEF109BE59C89B4EBFB8EB88751F044065FA04AB281D6709C01DBA0

Function 00951BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00951BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00951BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00951C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00951C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00951C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00951C22

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 2d81dc2deb03db841c871f1197c86a255fa93e8517f14873a658b7fcb8a811dc
Instruction ID: d1266caf9e0bc77130e509beeac0e653762a08c67d65adc68201d6c676a3738d
Opcode Fuzzy Hash: 2d81dc2deb03db841c871f1197c86a255fa93e8517f14873a658b7fcb8a811dc
Instruction Fuzzy Hash: E50144B0902B5ABDE3008F6A8C85A52FFA8FF19754F00411BA15C4BA42C7B5A864CBE5

Function 009BEB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 009BEB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 009BEB46
GetWindowThreadProcessId.USER32(?,?), ref: 009BEB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 009BEB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 009BEB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 009BEB75

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 3e08248f076385a5e5755752b7212c11ef9bb64b651849de926e1544aeb46e2f
Instruction ID: ecb2f0ad360f0b0f4aeab63418c0dacb31edab8d058e2457c5ace89057803a5d
Opcode Fuzzy Hash: 3e08248f076385a5e5755752b7212c11ef9bb64b651849de926e1544aeb46e2f
Instruction Fuzzy Hash: 21F030B2154199BBE72157529C4DEEF3A7CEFCAF11F000158FA41D5091D7A05E02D6B5

Function 009A7439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 009A7452
SendMessageW.USER32(?,00001328,00000000,?), ref: 009A7469
GetWindowDC.USER32(?), ref: 009A7475
GetPixel.GDI32(00000000,?,?), ref: 009A7484
ReleaseDC.USER32(?,00000000), ref: 009A7496
GetSysColor.USER32(00000005), ref: 009A74B0

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: ced80e3dfc35c4f21aee98961186d16639a5114211a1018867b203ab094456ad
Instruction ID: 4d842d7c27a6d162d9636c4fcfb3a301b56db589db45ffb53a38e7f2f70784ba
Opcode Fuzzy Hash: ced80e3dfc35c4f21aee98961186d16639a5114211a1018867b203ab094456ad
Instruction Fuzzy Hash: D6018B71418255FFDB509FA4DC49BAABBB6FB08311F100064F966A60B1CB311E42AB50

Function 009B1874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 009B187F
UnloadUserProfile.USERENV(?,?), ref: 009B188B
CloseHandle.KERNEL32(?), ref: 009B1894
CloseHandle.KERNEL32(?), ref: 009B189C
GetProcessHeap.KERNEL32(00000000,?), ref: 009B18A5
HeapFree.KERNEL32(00000000), ref: 009B18AC

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 6660ad93cf14820df4a919cdeaf17aa83d6525dac35a9feca2bb41f92319c0ac
Instruction ID: 859f4c4b9e602df8f6797edcf4f95db82bafd9bca6b699148d5e20feafe8fa52
Opcode Fuzzy Hash: 6660ad93cf14820df4a919cdeaf17aa83d6525dac35a9feca2bb41f92319c0ac
Instruction Fuzzy Hash: B2E01AB601C241BFDB015FA1ED4CD0ABF39FF4AB22B108220F66589070CB329822EF50

Function 009BC5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00957620: _wcslen.LIBCMT ref: 00957625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 009BC6EE
_wcslen.LIBCMT ref: 009BC735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 009BC79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 009BC7CA

Strings

0, xrefs: 009BC6AF

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: be211743c18a0be469c316a3ee4b8f9baad336af68a2379bb95849ddc7386777
Instruction ID: 1f0804d23046e713bf616f68b01e44121d3da28ed4f7286363ae0c9e237b8e7a
Opcode Fuzzy Hash: be211743c18a0be469c316a3ee4b8f9baad336af68a2379bb95849ddc7386777
Instruction Fuzzy Hash: 7051D0F16183019BD714DF28CA95BAB77E8AF89320F040A2DF995E31A0DB74DD04CB52

Function 009DAD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 009DAEA3

Part of subcall function 00957620: _wcslen.LIBCMT ref: 00957625

GetProcessId.KERNEL32(00000000), ref: 009DAF38
CloseHandle.KERNEL32(00000000), ref: 009DAF67

Strings

<, xrefs: 009DAE6B
@, xrefs: 009DAE72

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 0632d61b64fe658ff447ccf03762476a42bf2b05a68bc04251ab65170c04d91f
Instruction ID: 227ac1ec3d2e3a2ee37912624736fef153703f959cab6925290baed33196e499
Opcode Fuzzy Hash: 0632d61b64fe658ff447ccf03762476a42bf2b05a68bc04251ab65170c04d91f
Instruction Fuzzy Hash: 14718A71A00219DFCB14DF95D484A9EBBF4FF48310F04849AE856AB3A2D774EE45CBA1

Function 009B719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 009B7206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 009B723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 009B724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 009B72CF

Strings

DllGetClassObject, xrefs: 009B7242

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 5cb8cfc29f3f080da3e44a1c78c00a18ce5d34b6d3b10f18787683abae2c85ff
Instruction ID: 377bb322911d7c7b374c5cb36f6716366d1cec2aa64d56aa7b4755d9f6b8f230
Opcode Fuzzy Hash: 5cb8cfc29f3f080da3e44a1c78c00a18ce5d34b6d3b10f18787683abae2c85ff
Instruction Fuzzy Hash: 974171B1A04204EFDB15CF94C984ADABBA9EF84320F1485ADBD159F20AD7B0DD45CBA0

Function 009E3D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 009E3E35
IsMenu.USER32(?), ref: 009E3E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 009E3E92
DrawMenuBar.USER32 ref: 009E3EA5

Strings

0, xrefs: 009E3D89

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: b7e0367bbf3ab2e8f31bb809ecdaa64d4da5273d1b97cc73fdadd51bace19027
Instruction ID: 717b494924d3bfd2f8e47bf13edfc5ad6663a7589c48a0e814795102994ed991
Opcode Fuzzy Hash: b7e0367bbf3ab2e8f31bb809ecdaa64d4da5273d1b97cc73fdadd51bace19027
Instruction Fuzzy Hash: 4E417775A10249AFDB25DF61D888AAABBB9FF48350F048129F805AB250C730AE41CF50

Function 009B1DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00959CB3: _wcslen.LIBCMT ref: 00959CBD

Part of subcall function 009B3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 009B3CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 009B1E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 009B1E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 009B1EA9

Part of subcall function 00956B57: _wcslen.LIBCMT ref: 00956B6A

Strings

ComboBox, xrefs: 009B1DF0
ListBox, xrefs: 009B1E25

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: 0dc7dfaed7f4e91b75b5d86e37bb97755a7fae59ee564c9a89e9d9de415df4ed
Instruction ID: 375eb6114bad3f9b4cad3708f1b9a119b6f2657c6fc09a8280247882c6ba7ccd
Opcode Fuzzy Hash: 0dc7dfaed7f4e91b75b5d86e37bb97755a7fae59ee564c9a89e9d9de415df4ed
Instruction Fuzzy Hash: 85217771A00104BEDB04ABA1DD96DFFBBBCEF81360B504419FC65A71E1DB388D0A8720

Function 009E2F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 009E2F8D
LoadLibraryW.KERNEL32(?), ref: 009E2F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 009E2FA9
DestroyWindow.USER32(?), ref: 009E2FB1

Strings

SysAnimate32, xrefs: 009E2F68

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 1404807aee170ab75bd9942c72347c384a596e3511a9858bbec2e3797ac05e9a
Instruction ID: e8412e8f104b0dc6030e5674b27c5e9ff1c2f1db4a0536b76c734d2737b8a299
Opcode Fuzzy Hash: 1404807aee170ab75bd9942c72347c384a596e3511a9858bbec2e3797ac05e9a
Instruction Fuzzy Hash: 0821C072604285ABEB124F66DC81FBB37BDFB59364F100A28F950D6190D771DC519760

Function 00974D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00974D1E,009828E9,?,00974CBE,009828E9,00A188B8,0000000C,00974E15,009828E9,00000002), ref: 00974D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00974DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00974D1E,009828E9,?,00974CBE,009828E9,00A188B8,0000000C,00974E15,009828E9,00000002,00000000), ref: 00974DC3

Strings

mscoree.dll, xrefs: 00974D86
CorExitProcess, xrefs: 00974D98

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 6d8b8cb742dcc3cf26fb2a67a29c6df123e158968f318e2cae7b08567dc0a39e
Instruction ID: de233ef61719d30299ce8c582abfb56da8342175d5b54c869373c3e3abbd5a0a
Opcode Fuzzy Hash: 6d8b8cb742dcc3cf26fb2a67a29c6df123e158968f318e2cae7b08567dc0a39e
Instruction Fuzzy Hash: ECF06275A54308BBDB119F90DC49BEDBFB9EF84752F0040A8F949A62A1DB30AD41DB90

Function 00954E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00954EDD,?,00A21418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00954E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00954EAE
FreeLibrary.KERNEL32(00000000,?,?,00954EDD,?,00A21418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00954EC0

Strings

Wow64DisableWow64FsRedirection, xrefs: 00954EA8
kernel32.dll, xrefs: 00954E94

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: be2212f92a267e9a66127e02551b50c682b27c71d4a7a843b40949c3357c451e
Instruction ID: 6dbc4feb8a200a014b8157f21597533f174d4d7895dbcbdedda13492c4542f71
Opcode Fuzzy Hash: be2212f92a267e9a66127e02551b50c682b27c71d4a7a843b40949c3357c451e
Instruction Fuzzy Hash: 11E0CD76E196225FD3725B266C1DB5F655CAFC2F677050115FC40D7100DB60CD4B91A0

Function 00954E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00993CDE,?,00A21418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00954E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00954E74
FreeLibrary.KERNEL32(00000000,?,?,00993CDE,?,00A21418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00954E87

Strings

Wow64RevertWow64FsRedirection, xrefs: 00954E6E
kernel32.dll, xrefs: 00954E5B

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 025f50d6a0fb54c43a4f691e0b31e1de92e023fe04c537d2c00ad73c9d75bdbf
Instruction ID: cd5fc089894a196fe3a339bacb3f7e9a4cdb3ac452ec2f29d906931b0672da87
Opcode Fuzzy Hash: 025f50d6a0fb54c43a4f691e0b31e1de92e023fe04c537d2c00ad73c9d75bdbf
Instruction Fuzzy Hash: 95D0C23291A6616B4A621B267C09D8B2A1CAF81F2A3050514BC41A6110CF20CD4AD2D1

Function 009C2947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 009C2C05
DeleteFileW.KERNEL32(?), ref: 009C2C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 009C2C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 009C2CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 009C2CC0

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: ac19f37d5004b5914f3e0312586e9755881357dcfe263802dad58bdfe21c1aa9
Instruction ID: 0ac09d4ae798fa6b43d21e195fcd1382e5989fe8fe2ef60d353e542a16748285
Opcode Fuzzy Hash: ac19f37d5004b5914f3e0312586e9755881357dcfe263802dad58bdfe21c1aa9
Instruction Fuzzy Hash: 18B13D72D01119ABDF11DBA4CC85FDEBB7DEF89350F1040AAFA09E6181EA309E448F61

Function 009DA387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 009DA427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 009DA435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 009DA468
CloseHandle.KERNEL32(?), ref: 009DA63D

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 66a12a3d26431f9ef60d1303d00f8ec873faff9986650931da8e0b0f5599e4a3
Instruction ID: 857a90c2d26fa639759dc059d3708daa7f8ba1fc90b3a6af05eac08582294eb1
Opcode Fuzzy Hash: 66a12a3d26431f9ef60d1303d00f8ec873faff9986650931da8e0b0f5599e4a3
Instruction Fuzzy Hash: 06A1AFB16043009FD720DF25D886F2AB7E5AF84714F14885DF99A9B392DBB0EC45CB82

Function 0098BB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,009F3700), ref: 0098BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,00A2121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0098BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00A21270,000000FF,?,0000003F,00000000,?), ref: 0098BC36
_free.LIBCMT ref: 0098BB7F

Part of subcall function 009829C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0098D7D1,00000000,00000000,00000000,00000000,?,0098D7F8,00000000,00000007,00000000,?,0098DBF5,00000000), ref: 009829DE
Part of subcall function 009829C8: GetLastError.KERNEL32(00000000,?,0098D7D1,00000000,00000000,00000000,00000000,?,0098D7F8,00000000,00000007,00000000,?,0098DBF5,00000000,00000000), ref: 009829F0

_free.LIBCMT ref: 0098BD4B

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: adc4b2b7fb1cdfaeee76ddd8498c90169d4f09fdb6900a26aa1f59469272ce8d
Instruction ID: b0599a9bba1d367d40407c2af1cef116808d9a31d8d40476db0827ff0bdbd44a
Opcode Fuzzy Hash: adc4b2b7fb1cdfaeee76ddd8498c90169d4f09fdb6900a26aa1f59469272ce8d
Instruction Fuzzy Hash: 8F51B871904209EFCB20FFA99C81ABEB7BCAF94310B18467AF554D7391EB309E428750

Function 009BE3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 009BDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,009BCF22,?), ref: 009BDDFD

Part of subcall function 009BDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,009BCF22,?), ref: 009BDE16

Part of subcall function 009BE199: GetFileAttributesW.KERNEL32(?,009BCF95), ref: 009BE19A

lstrcmpiW.KERNEL32(?,?), ref: 009BE473
MoveFileW.KERNEL32(?,?), ref: 009BE4AC
_wcslen.LIBCMT ref: 009BE5EB
_wcslen.LIBCMT ref: 009BE603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 009BE650

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 69813f56267c0b48f33b95887b9e41cb0517b7647fe34d3e0b6cdcfed624ef61
Instruction ID: 800d3c690db677b67066aeb1af3cd38321d3b2539bfe5016638e423dfed3487c
Opcode Fuzzy Hash: 69813f56267c0b48f33b95887b9e41cb0517b7647fe34d3e0b6cdcfed624ef61
Instruction Fuzzy Hash: 0B5172B24083859BD724DBA4D881ADB73EDAFC4350F00492EF689D3191EF74A68C8766

Function 009DB9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00959CB3: _wcslen.LIBCMT ref: 00959CBD

Part of subcall function 009DC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,009DB6AE,?,?), ref: 009DC9B5
Part of subcall function 009DC998: _wcslen.LIBCMT ref: 009DC9F1
Part of subcall function 009DC998: _wcslen.LIBCMT ref: 009DCA68
Part of subcall function 009DC998: _wcslen.LIBCMT ref: 009DCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 009DBAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 009DBB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 009DBB63
RegCloseKey.ADVAPI32(?,?), ref: 009DBBA6
RegCloseKey.ADVAPI32(00000000), ref: 009DBBB3

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 268e913065e23d539d8c44871f6f5e61bf310dae7dc5c240d653036dbd5249fe
Instruction ID: 8efe4e5d6d593f75bb6cf27340d4b3d90fd09c6f71f9a6547657751cf6786fde
Opcode Fuzzy Hash: 268e913065e23d539d8c44871f6f5e61bf310dae7dc5c240d653036dbd5249fe
Instruction Fuzzy Hash: 1661AD71208241EFD714DF14C490E2ABBE9FF84308F55895EF4998B2A2DB35ED46CB92

Function 009B8BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 009B8BCD
VariantClear.OLEAUT32 ref: 009B8C3E
VariantClear.OLEAUT32 ref: 009B8C9D
VariantClear.OLEAUT32(?), ref: 009B8D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 009B8D3B

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: a621c28d63fd94a5d562bed244e828532d5769f88a6f1a266cfa8584180fd3a8
Instruction ID: 9068806f475d322d1b7631621551949dee93f453217d267a5029cc4913b65354
Opcode Fuzzy Hash: a621c28d63fd94a5d562bed244e828532d5769f88a6f1a266cfa8584180fd3a8
Instruction Fuzzy Hash: E4516AB5A10219EFCB10CF68C894AAAB7F9FF8D310B15855AE949DB350E730E911CF90

Function 009C8AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 009C8BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 009C8BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 009C8C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 009C8C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 009C8C5F

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 4046d33083eb9b2c1fa801a0260fb8396c1dfa467853baa80d4940df093b1239
Instruction ID: 830da4ee1dfe8c13bc00d61f5f3a6cf175399bdaef2bb0096550af3b143c9ed8
Opcode Fuzzy Hash: 4046d33083eb9b2c1fa801a0260fb8396c1dfa467853baa80d4940df093b1239
Instruction Fuzzy Hash: 78516A75A00214AFCB05DF65C880E6EBBF5FF88314F088458E849AB362DB31ED56CB91

Function 009D8EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 009D8F40
GetProcAddress.KERNEL32(00000000,?), ref: 009D8FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 009D8FEC
GetProcAddress.KERNEL32(00000000,?), ref: 009D9032
FreeLibrary.KERNEL32(00000000), ref: 009D9052

Part of subcall function 0096F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,009C1043,?,7529E610), ref: 0096F6E6
Part of subcall function 0096F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,009AFA64,00000000,00000000,?,?,009C1043,?,7529E610,?,009AFA64), ref: 0096F70D

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: f8f4836f84d71ab2ae9cb506d5dfa8408ac7848a5f8ed4f24179a8c8eec9710a
Instruction ID: 060d274c6b59b82fc3abef47aec04c8286047aa9914f387ea8f0a635afb0a84f
Opcode Fuzzy Hash: f8f4836f84d71ab2ae9cb506d5dfa8408ac7848a5f8ed4f24179a8c8eec9710a
Instruction Fuzzy Hash: 06516C34604205DFC705EF68C4949ADBBF5FF89314B04C0A9E80A9B362DB31ED8ACB90

Function 009E6B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 009E6C33
SetWindowLongW.USER32(?,000000EC,?), ref: 009E6C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 009E6C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,009CAB79,00000000,00000000), ref: 009E6C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 009E6CC7

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: 34f4bd17510f6e2cef2f16e1a1548a9badf201afb6c9e24cdc8433fae71f55c7
Instruction ID: 23a0ce3622a25c98507e393d63187ba7f4c45f4bfbe6501a76e6e16e206edba1
Opcode Fuzzy Hash: 34f4bd17510f6e2cef2f16e1a1548a9badf201afb6c9e24cdc8433fae71f55c7
Instruction Fuzzy Hash: 4141E635A04184AFD726CF6ACC95FB57BA9EB19390F240628FED5A72E0C371AD41DA40

Function 00982051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 009820C3
_free.LIBCMT ref: 009820E3

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: a5d8309b955d17ca76c6d9459d2b673a10c455daa5bc84442662bbbd46212ba7
Instruction ID: 7f06820ce8a0c8ecdf195aaa98c58ac9ca126ac3c6b0b9fdf5e851e8ff7f5904
Opcode Fuzzy Hash: a5d8309b955d17ca76c6d9459d2b673a10c455daa5bc84442662bbbd46212ba7
Instruction Fuzzy Hash: 0A41F672A002009FCB24EF78C885A5DB7F5EF89314F258569E515EB392D731ED01CB80

Function 0096912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00969141
ScreenToClient.USER32(00000000,?), ref: 0096915E
GetAsyncKeyState.USER32(00000001), ref: 00969183
GetAsyncKeyState.USER32(00000002), ref: 0096919D

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 73665da747a09d9513db2b427302e1d03da00415da60a0a8713c1e2d2e00f27d
Instruction ID: 22d79e8636dc816252bbd6e9802c50458d806b61bb2dfd7478758516ca45cd42
Opcode Fuzzy Hash: 73665da747a09d9513db2b427302e1d03da00415da60a0a8713c1e2d2e00f27d
Instruction Fuzzy Hash: D1417F71A0C60AFBDF059FA8C844BEEF7B8FB46320F208615E465A7290C7346D54DB91

Function 009C3874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 009C38CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 009C3922
TranslateMessage.USER32(?), ref: 009C394B
DispatchMessageW.USER32(?), ref: 009C3955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 009C3966

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: a41423d4cad1daff0daeeb5dbc42942b61571d163c9e4b73e550354c5898440b
Instruction ID: 9d8eab7f5455eb7a23c5e2e32facf0c3fe1a53bf99d4e812bc26d6c318a2f0ff
Opcode Fuzzy Hash: a41423d4cad1daff0daeeb5dbc42942b61571d163c9e4b73e550354c5898440b
Instruction Fuzzy Hash: 52319770D08382DFEB35CB799848FB637ACAB15304F04C57DE452961A0E7B59A86DB13

Function 009CCF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,009CC21E,00000000), ref: 009CCF38
InternetReadFile.WININET(?,00000000,?,?), ref: 009CCF6F
GetLastError.KERNEL32(?,00000000,?,?,?,009CC21E,00000000), ref: 009CCFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,009CC21E,00000000), ref: 009CCFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,009CC21E,00000000), ref: 009CCFF2

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: b091f6429fd5ecfa354773e55e014c38a7df35b030853500df9946a72d8f3321
Instruction ID: 7c81a07f1a47cea87859abb6f52f5e842be5810dabcc569790ffb6efa80ad853
Opcode Fuzzy Hash: b091f6429fd5ecfa354773e55e014c38a7df35b030853500df9946a72d8f3321
Instruction Fuzzy Hash: 743147B1A04205AFDB20DFA5D884FAABFFEEB14351B10442EF55AD6241DB30EE419B61

Function 009B1901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 009B1915
PostMessageW.USER32(00000001,00000201,00000001), ref: 009B19C1
Sleep.KERNEL32(00000000,?,?,?), ref: 009B19C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 009B19DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 009B19E2

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 0efc7c65c23ee538380fb460c5ce249088f822f9345a40d57596f053b75c1372
Instruction ID: de6f979d617bf279fecd6f408893d3ab0efb739dd06e52f8a2997f4b59782837
Opcode Fuzzy Hash: 0efc7c65c23ee538380fb460c5ce249088f822f9345a40d57596f053b75c1372
Instruction Fuzzy Hash: 4631D171A00259EFCB04CFA8DEA9ADE3BB5EB45325F104229F961EB2D1C7709D44DB90

Function 009E5706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 009E5745
SendMessageW.USER32(?,00001074,?,00000001), ref: 009E579D
_wcslen.LIBCMT ref: 009E57AF
_wcslen.LIBCMT ref: 009E57BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 009E5816

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 9a09c93ba756f415d1f148cd4c29767aefa75522e9e93b34931e58e9d7c2716f
Instruction ID: a69fbb205450a3ae857644aa4362fbebb4aa1a6576e20cc4e22c6508ea7bb263
Opcode Fuzzy Hash: 9a09c93ba756f415d1f148cd4c29767aefa75522e9e93b34931e58e9d7c2716f
Instruction Fuzzy Hash: D321D571904698DADB219FA2CC84AEE77BCFF40728F108216E919EB1C1E7708D81CF50

Function 009D0930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 009D0951
GetForegroundWindow.USER32 ref: 009D0968
GetDC.USER32(00000000), ref: 009D09A4
GetPixel.GDI32(00000000,?,00000003), ref: 009D09B0
ReleaseDC.USER32(00000000,00000003), ref: 009D09E8

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 4ff9f2403d9d596fa785c4b9dd808543ec99e7b87acb1435266cddcf6c630879
Instruction ID: 32d2dfb84e163566aafcc2d17fddb3b82241a851c6166d08d495cb8ac1fbae48
Opcode Fuzzy Hash: 4ff9f2403d9d596fa785c4b9dd808543ec99e7b87acb1435266cddcf6c630879
Instruction Fuzzy Hash: 7D21A475A00204AFD704EF65D884B5EB7E5EF84740F00842DF886D7352DB30AC05DB50

Function 0098CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0098CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0098CDE9

Part of subcall function 00983820: RtlAllocateHeap.NTDLL(00000000,?,00A21444,?,0096FDF5,?,?,0095A976,00000010,00A21440,009513FC,?,009513C6,?,00951129), ref: 00983852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0098CE0F
_free.LIBCMT ref: 0098CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0098CE31

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 646e21524295e8951c2fe286ff1c7fca8b0242a73cf1797756026484c068ca64
Instruction ID: 63b3b1dfd7c2f8675832e932454fb5348285cdfe484b22493e836da078c3f33b
Opcode Fuzzy Hash: 646e21524295e8951c2fe286ff1c7fca8b0242a73cf1797756026484c068ca64
Instruction Fuzzy Hash: 2301F7F26052557FA32136B66C8CD7B7A6DEFC6BA13154129FD05C7302EA718D0293B0

Function 00969639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00969693
SelectObject.GDI32(?,00000000), ref: 009696A2
BeginPath.GDI32(?), ref: 009696B9
SelectObject.GDI32(?,00000000), ref: 009696E2

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 5fadd54578c344cc01f196d10c68e39577c6dbff354c07bc82d5b9426af69ab1
Instruction ID: ffaa632bb975c0ef5f67db03a22237f45f1a7ab8c8296ffea9b388cd6c304d1f
Opcode Fuzzy Hash: 5fadd54578c344cc01f196d10c68e39577c6dbff354c07bc82d5b9426af69ab1
Instruction Fuzzy Hash: 9F2180B0816345EBDF21DFA8EC497B97BACBB61355F100226F420A61B0D3705893DF90

Function 009B5711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 009B5726
_memcmp.LIBVCRUNTIME ref: 009B5744
_memcmp.LIBVCRUNTIME ref: 009B5757
_memcmp.LIBVCRUNTIME ref: 009B576F
_memcmp.LIBVCRUNTIME ref: 009B5787

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 7c3b46483999486ec9e1d9a6c8d356633bd975434a79c0b38ac6b09eae0db9c2
Instruction ID: a947b80bbebeec159fed2ea8ac0aeaa337f82ac48bce20c324a72657327932c2
Opcode Fuzzy Hash: 7c3b46483999486ec9e1d9a6c8d356633bd975434a79c0b38ac6b09eae0db9c2
Instruction Fuzzy Hash: B401B572741609BBE20955159FD2FFB735C9BA13BCF254021FD0C9A241FB60EE1182A0

Function 0096990E Relevance: 7.6, APIs: 5, Instructions: 59COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 009698CC
SetTextColor.GDI32(?,?), ref: 009698D6
SetBkMode.GDI32(?,00000001), ref: 009698E9
GetStockObject.GDI32(00000005), ref: 009698F1
GetWindowLongW.USER32(?,000000EB), ref: 00969952

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Color$LongModeObjectStockTextWindow
String ID:
API String ID: 1860813098-0
Opcode ID: 9986395efb0f7ced439f67a94e6e0bdf0be23390c8387c2126dffe4df5616b6f
Instruction ID: afe55ad672d3fe431c6af845ae73b2b943955d58c4012ff7725fee7006c33162
Opcode Fuzzy Hash: 9986395efb0f7ced439f67a94e6e0bdf0be23390c8387c2126dffe4df5616b6f
Instruction Fuzzy Hash: CA1138316492509BC7218B74EC99AFA3B6CEB56335F08021DF1E24E1E1CB310C82DB50

Function 00982DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0097F2DE,00983863,00A21444,?,0096FDF5,?,?,0095A976,00000010,00A21440,009513FC,?,009513C6), ref: 00982DFD
_free.LIBCMT ref: 00982E32
_free.LIBCMT ref: 00982E59
SetLastError.KERNEL32(00000000,00951129), ref: 00982E66
SetLastError.KERNEL32(00000000,00951129), ref: 00982E6F

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: eef3d24bf06bf9f535578b4c107598064287a7a442c3fd0a14d5269990aaad05
Instruction ID: ccf26208bd827aaaabef631b40ea65a56dfc45b58f849986375870ced529adc4
Opcode Fuzzy Hash: eef3d24bf06bf9f535578b4c107598064287a7a442c3fd0a14d5269990aaad05
Instruction Fuzzy Hash: 290128722456007BC61277786C89E6B265DAFC17B1B218538F865E33D3EF38CC025324

Function 009B000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,009AFF41,80070057,?,?,?,009B035E), ref: 009B002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,009AFF41,80070057,?,?), ref: 009B0046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,009AFF41,80070057,?,?), ref: 009B0054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,009AFF41,80070057,?), ref: 009B0064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,009AFF41,80070057,?,?), ref: 009B0070

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: fa63ba14cf84da2947fac34bcf922a4525fdc5c78aaeb56f0637bdf84b0198f7
Instruction ID: 21a35fbe64f393b6c83654f259b74fb2bbce1767a18bb158a400d5b85f256eff
Opcode Fuzzy Hash: fa63ba14cf84da2947fac34bcf922a4525fdc5c78aaeb56f0637bdf84b0198f7
Instruction Fuzzy Hash: 4701F2B2614208BFDB115F68DE44BEB7AEDEF843A1F104024F845D6210D770CD00DBA0

Function 009BE97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 009BE997
QueryPerformanceFrequency.KERNEL32(?), ref: 009BE9A5
Sleep.KERNEL32(00000000), ref: 009BE9AD
QueryPerformanceCounter.KERNEL32(?), ref: 009BE9B7
Sleep.KERNEL32 ref: 009BE9F3

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: f127f6114421daefa7af05156c2e68c265b6f94208434e12e8323ea89ed91861
Instruction ID: 01e4077231e59c94ddf9cceeb162ff816a5dc6d12632b37ec3275d1992b46382
Opcode Fuzzy Hash: f127f6114421daefa7af05156c2e68c265b6f94208434e12e8323ea89ed91861
Instruction Fuzzy Hash: CD015B71C0592DDBCF009FE5D999ADDBB7CBB09321F000546E542B2241CB3499599BA1

Function 009B10F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 009B1114
GetLastError.KERNEL32(?,00000000,00000000,?,?,009B0B9B,?,?,?), ref: 009B1120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,009B0B9B,?,?,?), ref: 009B112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,009B0B9B,?,?,?), ref: 009B1136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 009B114D

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 256aaaedfbeb82a049dbdaac0c17f86f5bf8bec61aacee08478ad995cf09faac
Instruction ID: c6bcadc0d6a03f8e48e5eb6b805fe0634ecd86504e63affff97d13e527f20330
Opcode Fuzzy Hash: 256aaaedfbeb82a049dbdaac0c17f86f5bf8bec61aacee08478ad995cf09faac
Instruction Fuzzy Hash: EB0131B5114205BFDB114F69DC99EAA3F6EEF86360B504419FA85D7350DB31DC019A60

Function 009B0FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 009B0FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 009B0FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 009B0FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 009B0FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 009B1002

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: f05ad00e40066b9842b9eca7ee6a08eadd05ca096655dfba9a6abbee256db956
Instruction ID: 0804f5e99a2ab756aa19820a50659d30f95bb54c1c4248e3ab4a86af08ec0254
Opcode Fuzzy Hash: f05ad00e40066b9842b9eca7ee6a08eadd05ca096655dfba9a6abbee256db956
Instruction Fuzzy Hash: D9F0CDB5204345EBDB211FA4DC8DF963BADEF8AB62F500414FE85CB261CA30DC419A60

Function 009B1014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 009B102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 009B1036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 009B1045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 009B104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 009B1062

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: ed6a8ed819899519e57ab96ac0ce4f3ff2880c102a2848ce0859044a5d521234
Instruction ID: 4f6c17e37a9c33467c3adf94fb7e7cf27f3922e5afba0b8d4561c244c3f7f7b4
Opcode Fuzzy Hash: ed6a8ed819899519e57ab96ac0ce4f3ff2880c102a2848ce0859044a5d521234
Instruction Fuzzy Hash: 1CF06DB5214341EBDB216FA4ED99F963BADEF8A761F500414FE85CB250CA70DC419A60

Function 009C030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,009C017D,?,009C32FC,?,00000001,00992592,?), ref: 009C0324
CloseHandle.KERNEL32(?,?,?,?,009C017D,?,009C32FC,?,00000001,00992592,?), ref: 009C0331
CloseHandle.KERNEL32(?,?,?,?,009C017D,?,009C32FC,?,00000001,00992592,?), ref: 009C033E
CloseHandle.KERNEL32(?,?,?,?,009C017D,?,009C32FC,?,00000001,00992592,?), ref: 009C034B
CloseHandle.KERNEL32(?,?,?,?,009C017D,?,009C32FC,?,00000001,00992592,?), ref: 009C0358
CloseHandle.KERNEL32(?,?,?,?,009C017D,?,009C32FC,?,00000001,00992592,?), ref: 009C0365

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 8e484e3f16f848a6a721b34c936da22d0934e026b79e2aa63e398d9940b42c48
Instruction ID: 790dc4bf0bd8005f8a3573ea2665a2b0f2c13ea121e77323412af889c195302a
Opcode Fuzzy Hash: 8e484e3f16f848a6a721b34c936da22d0934e026b79e2aa63e398d9940b42c48
Instruction Fuzzy Hash: A201AA72800B95DFCB30AF66D880912FBF9BFA03153158A3FD19652931C3B1A999DF81

Function 0098D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0098D752

Part of subcall function 009829C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0098D7D1,00000000,00000000,00000000,00000000,?,0098D7F8,00000000,00000007,00000000,?,0098DBF5,00000000), ref: 009829DE
Part of subcall function 009829C8: GetLastError.KERNEL32(00000000,?,0098D7D1,00000000,00000000,00000000,00000000,?,0098D7F8,00000000,00000007,00000000,?,0098DBF5,00000000,00000000), ref: 009829F0

_free.LIBCMT ref: 0098D764
_free.LIBCMT ref: 0098D776
_free.LIBCMT ref: 0098D788
_free.LIBCMT ref: 0098D79A

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: ad613903ad94527b8d93ae7ed26ed30960038637a417c4a4faa7caa24a95c78f
Instruction ID: 5e50de6e85756dda308bd60040127384b96b03c9dfc96df96a32a158cac9fcb7
Opcode Fuzzy Hash: ad613903ad94527b8d93ae7ed26ed30960038637a417c4a4faa7caa24a95c78f
Instruction Fuzzy Hash: 01F05B72545204ABC621FBA8FAC5D5677EDBB447207954C05F049D7741C735FC818774

Function 009B5C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 009B5C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 009B5C6F
MessageBeep.USER32(00000000), ref: 009B5C87
KillTimer.USER32(?,0000040A), ref: 009B5CA3
EndDialog.USER32(?,00000001), ref: 009B5CBD

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 6cb15b7895f277e8bb56863cb8791cf20cd06ba3648ec0e637533062f841a4b2
Instruction ID: 9e6128bd5f2a882a1d23eab9fd3e017cec58345bb87d3d6256b1e768e8eba107
Opcode Fuzzy Hash: 6cb15b7895f277e8bb56863cb8791cf20cd06ba3648ec0e637533062f841a4b2
Instruction Fuzzy Hash: 67018170514B44ABEB205B10DE8EFE67BB9BB04B05F010559A5C3A50E1DBF4AD899B90

Function 009822A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 009822BE

Part of subcall function 009829C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0098D7D1,00000000,00000000,00000000,00000000,?,0098D7F8,00000000,00000007,00000000,?,0098DBF5,00000000), ref: 009829DE
Part of subcall function 009829C8: GetLastError.KERNEL32(00000000,?,0098D7D1,00000000,00000000,00000000,00000000,?,0098D7F8,00000000,00000007,00000000,?,0098DBF5,00000000,00000000), ref: 009829F0

_free.LIBCMT ref: 009822D0
_free.LIBCMT ref: 009822E3
_free.LIBCMT ref: 009822F4
_free.LIBCMT ref: 00982305

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: eac4bc985685cf8b2251fa8d4c00cf46028345aa6f9912c2b9d87ff2c87a8379
Instruction ID: 1a908c25e4506e57d58de6312acd57c138d4a388494c624caf83b8416a77e5cc
Opcode Fuzzy Hash: eac4bc985685cf8b2251fa8d4c00cf46028345aa6f9912c2b9d87ff2c87a8379
Instruction Fuzzy Hash: 89F05E708801208BC632FFDCBE41DA83B68F728760702056AF410D23B2C7361853AFE4

Function 009695C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 009695D4
StrokeAndFillPath.GDI32(?,?,009A71F7,00000000,?,?,?), ref: 009695F0
SelectObject.GDI32(?,00000000), ref: 00969603
DeleteObject.GDI32 ref: 00969616
StrokePath.GDI32(?), ref: 00969631

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 1802959ae11ca2508268c9de0d17e699ae29b6da55bc025872ed64367742fecc
Instruction ID: b4c0741466405faec528d4f6d8ff42a0b1e8041bbc250e1400ae258e9dea3e43
Opcode Fuzzy Hash: 1802959ae11ca2508268c9de0d17e699ae29b6da55bc025872ed64367742fecc
Instruction Fuzzy Hash: B0F0C971019388EBDB269FA9ED58B743B69AB12322F448224F865590F0C7348997EF20

Function 00980F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 009810F9
__freea.LIBCMT ref: 00981117

Part of subcall function 00981537: _free.LIBCMT ref: 0098154F

Strings

a/p, xrefs: 009811DE
am/pm, xrefs: 0098117A

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: b0e66bc0b99b966db787791e679ed5613ce7a83e278d61bf8064c1f1c473fc12
Instruction ID: 0d7f6a33c136344d748fd6fe6a30e05012c165086366e24322abd075e22e52b0
Opcode Fuzzy Hash: b0e66bc0b99b966db787791e679ed5613ce7a83e278d61bf8064c1f1c473fc12
Instruction Fuzzy Hash: 36D1F331904206CBCB28BF68C849BFEB7BCEF46700F24455AE9169B751D3799D82CB91

Function 009D7B7E Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00970242: EnterCriticalSection.KERNEL32(00A2070C,00A21884,?,?,0096198B,00A22518,?,?,?,009512F9,00000000), ref: 0097024D
Part of subcall function 00970242: LeaveCriticalSection.KERNEL32(00A2070C,?,0096198B,00A22518,?,?,?,009512F9,00000000), ref: 0097028A

Part of subcall function 00959CB3: _wcslen.LIBCMT ref: 00959CBD

Part of subcall function 009700A3: __onexit.LIBCMT ref: 009700A9

__Init_thread_footer.LIBCMT ref: 009D7BFB

Part of subcall function 009701F8: EnterCriticalSection.KERNEL32(00A2070C,?,?,00968747,00A22514), ref: 00970202
Part of subcall function 009701F8: LeaveCriticalSection.KERNEL32(00A2070C,?,00968747,00A22514), ref: 00970235

Strings

5, xrefs: 009D7C78
G, xrefs: 009D7C7F
Variable must be of type 'Object'., xrefs: 009D7C3A

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: 5$G$Variable must be of type 'Object'.
API String ID: 535116098-3733170431
Opcode ID: 817e87b782f8bd68062cdd05105f239730294f8d131cf37bb474eeb396162a67
Instruction ID: 95131477226f81b88daa80e4da4e8a92f51dccf096df7b96e73c3b576be220a6
Opcode Fuzzy Hash: 817e87b782f8bd68062cdd05105f239730294f8d131cf37bb474eeb396162a67
Instruction Fuzzy Hash: C2918C70A44209EFCB14EF94D891AADB7B6BF85300F10C45AF8466B392EB31AE45CB51

Function 009B2716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 009BB403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,009B21D0,?,?,00000034,00000800,?,00000034), ref: 009BB42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 009B2760

Part of subcall function 009BB3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,009B21FF,?,?,00000800,?,00001073,00000000,?,?), ref: 009BB3F8

Part of subcall function 009BB32A: GetWindowThreadProcessId.USER32(?,?), ref: 009BB355
Part of subcall function 009BB32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,009B2194,00000034,?,?,00001004,00000000,00000000), ref: 009BB365
Part of subcall function 009BB32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,009B2194,00000034,?,?,00001004,00000000,00000000), ref: 009BB37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 009B27CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 009B281A

Strings

@, xrefs: 009B2832

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 0fef3130b7f6cf2b528625d1e6d0e5ecd0534a497dcbefe919e5de7f315fd19b
Instruction ID: 6d79b91d70858c84c21051acf32d8ba31859e73423fd4f3641f38e1d1d716eda
Opcode Fuzzy Hash: 0fef3130b7f6cf2b528625d1e6d0e5ecd0534a497dcbefe919e5de7f315fd19b
Instruction Fuzzy Hash: F4414B72900218AFDB10DFA4CD85BEEBBB8EF49710F104099FA55B7191DB706E45CBA0

Function 0098172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 00981769
_free.LIBCMT ref: 00981834
_free.LIBCMT ref: 0098183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 00981760, 00981767, 00981796, 009817CE

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-517116171
Opcode ID: 8efb17bea0fe52246f89eedbafb27657ad412dabe484eea9f5c01bb9795e6418
Instruction ID: 2efeb0fc147fd98cb8c0847ce5de7489eec804ed90176c6d6050db7a4b4e1e90
Opcode Fuzzy Hash: 8efb17bea0fe52246f89eedbafb27657ad412dabe484eea9f5c01bb9795e6418
Instruction Fuzzy Hash: 11315E75A04218EBDB21EB999885EAEBBFCEB95710B1441BAF804D7311D6709E42CB90

Function 009BC27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 009BC306
DeleteMenu.USER32(?,00000007,00000000), ref: 009BC34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00A21990,013D6770), ref: 009BC395

Strings

0, xrefs: 009BC2DF

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 85c84cd92944fe683bca21b38d3db65ab25f0773d63ed11de172671b53bf7124
Instruction ID: 68e74bb7b69a1ae3d48d996ff36581bfe17a03cdbfdecfc278985e7b655e2184
Opcode Fuzzy Hash: 85c84cd92944fe683bca21b38d3db65ab25f0773d63ed11de172671b53bf7124
Instruction Fuzzy Hash: DB41B0B12083419FD720DF25D984F9ABBE8AFC5321F048A1EF9A5972D1D770E904CB62

Function 009E4416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,009ECC08,00000000,?,?,?,?), ref: 009E44AA
GetWindowLongW.USER32 ref: 009E44C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 009E44D7

Strings

SysTreeView32, xrefs: 009E447C

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 310d2d5c9cf151a36f4168f6432872ef3c0af92d816a2ce1e47ef9ac7a64797a
Instruction ID: 8b27dce08c2dde75113ff6d9a8e4926a4bbae2852031a435003ca1d0bedc2b35
Opcode Fuzzy Hash: 310d2d5c9cf151a36f4168f6432872ef3c0af92d816a2ce1e47ef9ac7a64797a
Instruction Fuzzy Hash: A831CB71210285AFDB228F39DC85BEB7BA9EB48334F204724F979921E0DB70EC519B50

Function 009D304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 009D335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,009D3077,?,?), ref: 009D3378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 009D307A
_wcslen.LIBCMT ref: 009D309B
htons.WSOCK32(00000000,?,?,00000000), ref: 009D3106

Strings

255.255.255.255, xrefs: 009D3095, 009D309A

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 7fa85e68c536b62b376d35a9f94705cb41588eb6c0c2c51b7131c9e4e2dba6c1
Instruction ID: a40f9cf8823beb9699304a99167341b2f2d9c61abd0e2a90eab690ef88574a4b
Opcode Fuzzy Hash: 7fa85e68c536b62b376d35a9f94705cb41588eb6c0c2c51b7131c9e4e2dba6c1
Instruction Fuzzy Hash: 7231F339204202DFCB10CF68C586EAA77E4EF54319F24C05AE9158F392CB32EE45C762

Function 009E3EB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 009E3F40
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 009E3F54
SendMessageW.USER32(?,00001002,00000000,?), ref: 009E3F78

Strings

SysMonthCal32, xrefs: 009E3F0B

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 6f64d2db0019424a12cfe20810a3b420f87e888c79dcd7806bde5523a9a57b1c
Instruction ID: 5fd0de8bc49d6e48b22a1e6ecb75e149ebaa8f3104717975498708250f2e9599
Opcode Fuzzy Hash: 6f64d2db0019424a12cfe20810a3b420f87e888c79dcd7806bde5523a9a57b1c
Instruction Fuzzy Hash: 9321BF32610259BBEF228F91CC86FEA3B79EF88724F114214FE156B1D0D6B1AD51DB90

Function 009E4653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 009E4705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 009E4713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 009E471A

Strings

msctls_updown32, xrefs: 009E4684

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: b0d49a3c0ed4ea895692cae10e8fe43d35d10d3967a1214243237dc5d83166b9
Instruction ID: 64e95c324e9f2a5961fb10df55630ab6ff75564a290d46b78d17127857700c39
Opcode Fuzzy Hash: b0d49a3c0ed4ea895692cae10e8fe43d35d10d3967a1214243237dc5d83166b9
Instruction Fuzzy Hash: 222160B5600249AFDB11DF69DCC1DB737ADEB9A7A4B040459FA009B351CB31EC52DBA0

Function 009B95AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 009B961D

Strings

#OnAutoItStartRegister, xrefs: 009B95F3
#notrayicon, xrefs: 009B95B7
#requireadmin, xrefs: 009B95D9

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: f3762df2bdf481ae21aa3c0f3b9d28bb8421bbdff6baf2740c6091fb736d2967
Instruction ID: 6f124b7b286b63a5095258108178e807f1c670cb67b33dc59b2d81ebda15765e
Opcode Fuzzy Hash: f3762df2bdf481ae21aa3c0f3b9d28bb8421bbdff6baf2740c6091fb736d2967
Instruction Fuzzy Hash: 64213832164210A6C331AA259E16FFBB39C9FD1320F148426FE499B041EB959E45C395

Function 009E37B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 009E3840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 009E3850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 009E3876

Strings

Listbox, xrefs: 009E380F

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 8ab8a0b19e17be87fe47bd836e157dc61d97deee1748a465768d2da7eec51e93
Instruction ID: 4d0668d20d5932726495416fe93e57b5e6906029a7635813ff15c6f78267eba6
Opcode Fuzzy Hash: 8ab8a0b19e17be87fe47bd836e157dc61d97deee1748a465768d2da7eec51e93
Instruction Fuzzy Hash: 48219272610158BBEF228F66CC85FBB376EEF89754F108124F9449B190C672DC52C7A0

Function 009C49F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 009C4A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 009C4A5C
SetErrorMode.KERNEL32(00000000,?,?,009ECC08), ref: 009C4AD0

Strings

%lu, xrefs: 009C4A6F

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 645a747a6c3b3d17c6c0e157284f2c43091f45e4ee407143a36494956ff3443b
Instruction ID: 3bcf730dbbd1fc1bac279501125d31c21d1bb23a8b31cfe6d813c83f315f9072
Opcode Fuzzy Hash: 645a747a6c3b3d17c6c0e157284f2c43091f45e4ee407143a36494956ff3443b
Instruction Fuzzy Hash: C4314C71A00109AFDB10DF64C885EAA7BF8EF49308F1480A9F949DB252D771EE46CB61

Function 009E41EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 009E424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 009E4264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 009E4271

Strings

msctls_trackbar32, xrefs: 009E4226

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 47d724fbfbfe90752fd5f34a991218bdf09086cec358de59c60fe1e0585a859a
Instruction ID: 5b786809c3fef6584de9428f829578d88314d8e83740b12ffe1df743173d8031
Opcode Fuzzy Hash: 47d724fbfbfe90752fd5f34a991218bdf09086cec358de59c60fe1e0585a859a
Instruction Fuzzy Hash: E5110631240288BEEF219F7ACC46FAB3BACEF99B64F010524FA55E61D0D271DC619B10

Function 009B2F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00956B57: _wcslen.LIBCMT ref: 00956B6A

Part of subcall function 009B2DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 009B2DC5
Part of subcall function 009B2DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 009B2DD6
Part of subcall function 009B2DA7: GetCurrentThreadId.KERNEL32 ref: 009B2DDD
Part of subcall function 009B2DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 009B2DE4

GetFocus.USER32 ref: 009B2F78

Part of subcall function 009B2DEE: GetParent.USER32(00000000), ref: 009B2DF9

GetClassNameW.USER32(?,?,00000100), ref: 009B2FC3
EnumChildWindows.USER32(?,009B303B), ref: 009B2FEB

Strings

%s%d, xrefs: 009B2FFF

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: a15c8e4ad9d4f4a3210b266bd6a215743c51f3b89c681a01f4642f899649474a
Instruction ID: 62e30b2ea19f6bbd9007937c124eea5c05f6dad134c16db6cc1898c394317489
Opcode Fuzzy Hash: a15c8e4ad9d4f4a3210b266bd6a215743c51f3b89c681a01f4642f899649474a
Instruction Fuzzy Hash: 1511A2B1600209ABCF14BF719DC5FEE376AAFD4314F048075BD09AB192DE74994A9B60

Function 009E5882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 009E58C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 009E58EE
DrawMenuBar.USER32(?), ref: 009E58FD

Strings

0, xrefs: 009E588F

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: d695abeabcd183bcff55e30bc8cdfc62228c8844c3dad0d7d4e4a804751a3113
Instruction ID: 996673d718f860dfa2bccf2334d64c7e575d2f87416539d6281abd380dbb71f8
Opcode Fuzzy Hash: d695abeabcd183bcff55e30bc8cdfc62228c8844c3dad0d7d4e4a804751a3113
Instruction Fuzzy Hash: 83016171514258EFDB129F12DC44BEEBBB8FB45364F108099F949DA151DB308E94EF21

Function 009AD3A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 009AD3BF
FreeLibrary.KERNEL32 ref: 009AD3E5

Strings

X64, xrefs: 009AD2A8
GetSystemWow64DirectoryW, xrefs: 009AD3B9

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 3013587201-2590602151
Opcode ID: ec7e211588638056159d2dc28c523fcec46404fc7047f0e48a8796f7f6a1b063
Instruction ID: 78ce0dd4ddd88b542089959c104bf101e5582fdf2372280170cb0b8b8a605477
Opcode Fuzzy Hash: ec7e211588638056159d2dc28c523fcec46404fc7047f0e48a8796f7f6a1b063
Instruction Fuzzy Hash: F8F0ABB180B721DBDB7242204C68BAD3328BF12B01B548928FC63F6804EF64CC45C2D2

Function 009B007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc551adb686aca235789acdb6fbe673d59042f4d06c31401987958dcf3f3ea41
Instruction ID: af5ef26ab741dc70dd6fad570c0c98ad19a3f89323186498bdd54c89955a25cc
Opcode Fuzzy Hash: bc551adb686aca235789acdb6fbe673d59042f4d06c31401987958dcf3f3ea41
Instruction Fuzzy Hash: CCC14C75A0020AEFDB14CFA8C998BAEB7B9FF88714F108598E515EB251D731ED41CB90

Function 00983E80 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00983F0B
__alldvrm.LIBCMT ref: 0098410C
__alldvrm.LIBCMT ref: 0098412E

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: 679c6478969cbf53308d15ba6d1765af1bd58e6edd0ca6a060f6e46b0d2d54ed
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: 89A16B72E043879FEB15EF18C8917AEBBE9EF61350F14416DE5859B382C6388D41C790

Function 009D342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 009D3459
CoUninitialize.OLE32 ref: 009D3463
VariantInit.OLEAUT32(?), ref: 009D346E
VariantClear.OLEAUT32(?), ref: 009D371B

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 4f1e7d204c1073e46274004be03e18d4304d061107f20c6fafc8b8b80aa332ac
Instruction ID: 5656f8d5f5045ab6847fd0f4673e033ea277eeeb56f0105ee7e40ad125317859
Opcode Fuzzy Hash: 4f1e7d204c1073e46274004be03e18d4304d061107f20c6fafc8b8b80aa332ac
Instruction Fuzzy Hash: 4AA138756043009FC700DF69D585A2AB7E9FF88715F04C85AF98A9B362DB30EE05CB92

Function 009B0436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,009EFC08,?), ref: 009B05F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,009EFC08,?), ref: 009B0608
CLSIDFromProgID.OLE32(?,?,00000000,009ECC40,000000FF,?,00000000,00000800,00000000,?,009EFC08,?), ref: 009B062D
_memcmp.LIBVCRUNTIME ref: 009B064E

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 78ec15ba2b40c20296a528e6f7da5d1134e60e25010b84971594a2ae58920e80
Instruction ID: 6adb178842a48f3974155fa2a4a52942e66d96f1c9f90d0db12e52c8a87c3b4a
Opcode Fuzzy Hash: 78ec15ba2b40c20296a528e6f7da5d1134e60e25010b84971594a2ae58920e80
Instruction Fuzzy Hash: C081FA75A00209EFCB14DF98C984EEEB7B9FF89315F204558F516AB250DB71AE06CB60

Function 009DA67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 009DA6AC
Process32FirstW.KERNEL32(00000000,?), ref: 009DA6BA

Part of subcall function 00959CB3: _wcslen.LIBCMT ref: 00959CBD

Process32NextW.KERNEL32(00000000,?), ref: 009DA79C
CloseHandle.KERNEL32(00000000), ref: 009DA7AB

Part of subcall function 0096CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00993303,?), ref: 0096CE8A

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: fe44a073038dcbd469c8aac8a62ef04a6c5ff42c1c3a5457455b476d424c0d60
Instruction ID: 86181047e52b05461b1843d766b8d598b9d4af24e85bc6cfc3ec82cf3b963711
Opcode Fuzzy Hash: fe44a073038dcbd469c8aac8a62ef04a6c5ff42c1c3a5457455b476d424c0d60
Instruction Fuzzy Hash: 8B5150B15083009FD710EF25D886A6BBBE8FFC9754F40891DF98597262EB30D908CB92

Function 00991391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 009914C0

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 416c63e2b1c7d325d31a3a903909655b308c69093ae7ad0c2e15c52e0c1c0413
Instruction ID: 24fdadc6c2e2b11671a337d6c6bf2d8607568531c3f4d49255c05178360ef364
Opcode Fuzzy Hash: 416c63e2b1c7d325d31a3a903909655b308c69093ae7ad0c2e15c52e0c1c0413
Instruction Fuzzy Hash: 5B412D36600112ABDF257BFD8C467BE3BA8FF89370F254625F429D72A2E63488415762

Function 009E6278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 009E62E2
ScreenToClient.USER32(?,?), ref: 009E6315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 009E6382

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: a2bd18f7009debf11bd8822e429614760f7dee8a88321e6ded191a7e22889553
Instruction ID: 0edcd59c37f5b2add2c1b73d16392d71bd5ade2fbbb689dbec7b22b97d6b949a
Opcode Fuzzy Hash: a2bd18f7009debf11bd8822e429614760f7dee8a88321e6ded191a7e22889553
Instruction Fuzzy Hash: A1512F74900245EFDF11DF59D880AAE7BB6FF553A0F108169F9559B290D730ED81CB50

Function 009D1AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 009D1AFD
WSAGetLastError.WSOCK32 ref: 009D1B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 009D1B8A
WSAGetLastError.WSOCK32 ref: 009D1B94

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 73a8661bc412a0ea3fcfe9e815f5c683affd5d7cbef89d0c493088e46286fe91
Instruction ID: d352efad11f6b703189c3d5d985310a6ac4c2be801a8d0a4fac34035d3840253
Opcode Fuzzy Hash: 73a8661bc412a0ea3fcfe9e815f5c683affd5d7cbef89d0c493088e46286fe91
Instruction Fuzzy Hash: 4841CF75640200AFE720EF24C886F2A77E5AB84718F54C449F95A9F3D2E776ED42CB90

Function 0098B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e16678be49367514da3407087947429be35fffbe8577f3efd090b9ef06303f1
Instruction ID: 07fb62ebc7391f60254556229ab5e00cf0b7b38aaa35c5f696af1cf93e0dce71
Opcode Fuzzy Hash: 9e16678be49367514da3407087947429be35fffbe8577f3efd090b9ef06303f1
Instruction Fuzzy Hash: EB412976A00304BFD724AF78CC42B6ABBE9EBC4710F14852AF556DB7A2D371A9018790

Function 009C56D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 009C5783
GetLastError.KERNEL32(?,00000000), ref: 009C57A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 009C57CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 009C57FA

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: e3c3bbb2bb074baef249cbf2488afc1ba9e16e7f13e1a9eff30cbbe68508fe30
Instruction ID: e5496e5d68948a6af2c95dade075e08e793c616a31b28babf020d9982acd15b7
Opcode Fuzzy Hash: e3c3bbb2bb074baef249cbf2488afc1ba9e16e7f13e1a9eff30cbbe68508fe30
Instruction Fuzzy Hash: 18412B39600610DFCB11DF55C584B5EBBE6AF89321B198488FC4AAB362DB34FD45CB91

Function 0098D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,00976D71,00000000,00000000,009782D9,?,009782D9,?,00000001,00976D71,8BE85006,00000001,009782D9,009782D9), ref: 0098D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0098D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0098D9AB
__freea.LIBCMT ref: 0098D9B4

Part of subcall function 00983820: RtlAllocateHeap.NTDLL(00000000,?,00A21444,?,0096FDF5,?,?,0095A976,00000010,00A21440,009513FC,?,009513C6,?,00951129), ref: 00983852

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: aa7ef2de713fdb24d76bbd12bf21112b61bde5fd322002b6ec9cdfb43721d776
Instruction ID: 500c1ff10616861bfc904e4ba0b8340ddbb4c7833f8c364fc82ef3b59d704aa5
Opcode Fuzzy Hash: aa7ef2de713fdb24d76bbd12bf21112b61bde5fd322002b6ec9cdfb43721d776
Instruction Fuzzy Hash: EA31C372A0221AABDF25EF65DC45EAE7BA9EB40710F054168FC09D7290E736CD51CB90

Function 009E52C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 009E5352
GetWindowLongW.USER32(?,000000F0), ref: 009E5375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 009E5382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 009E53A8

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: cff36b7e4c482a9c9a99a9eb2d52b051fa4e725fefc0a6f02178dedef662352b
Instruction ID: 68fa779114657850a6ee58411913c16aa4626e8f8a24e9a996fbefed1d77ab13
Opcode Fuzzy Hash: cff36b7e4c482a9c9a99a9eb2d52b051fa4e725fefc0a6f02178dedef662352b
Instruction Fuzzy Hash: F8315834A55A88FFEF329F56CC45FE8376AAB043D4F592001FA00861E1C3B49D80EB41

Function 009BAB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 009BABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 009BAC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 009BAC74
SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 009BACC6

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: a125e619bb28092effc6440b0224e0533f5fa3db030132256594758cef8a6599
Instruction ID: 175e382377ba6554378b3f627629b85e582aeb91821ec69b160e910496dbe088
Opcode Fuzzy Hash: a125e619bb28092effc6440b0224e0533f5fa3db030132256594758cef8a6599
Instruction Fuzzy Hash: CD314630A14318AFEF35CB658D097FE7FA9AB89330F04461AE4C0961D1C3788D8197A2

Function 009E7674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 009E769A
GetWindowRect.USER32(?,?), ref: 009E7710
PtInRect.USER32(?,?,009E8B89), ref: 009E7720
MessageBeep.USER32(00000000), ref: 009E778C

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 2b034ebcc283df1b13cfcdf38d1ef74e6c62b5631b3d919774480c62652ddf21
Instruction ID: ab0640240fb78337784817bc96dd1fa4561006c3301235045c295b9e91503c2c
Opcode Fuzzy Hash: 2b034ebcc283df1b13cfcdf38d1ef74e6c62b5631b3d919774480c62652ddf21
Instruction Fuzzy Hash: A141AD34609295EFDB12CFDAC894EA9B7F4FB49704F1540A8E8549B261C732ED82CF91

Function 009E16DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 009E16EB

Part of subcall function 009B3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 009B3A57
Part of subcall function 009B3A3D: GetCurrentThreadId.KERNEL32 ref: 009B3A5E
Part of subcall function 009B3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,009B25B3), ref: 009B3A65

GetCaretPos.USER32(?), ref: 009E16FF
ClientToScreen.USER32(00000000,?), ref: 009E174C
GetForegroundWindow.USER32 ref: 009E1752

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 308ec9ac547a5cb99d932f32ff297e8ad7367fa76ccc6e4ab6e2f12be3bc8c40
Instruction ID: 0adf03e11cc49219f9f12e898685bf4f8f9e81c059e5b9605f7909e12df7d980
Opcode Fuzzy Hash: 308ec9ac547a5cb99d932f32ff297e8ad7367fa76ccc6e4ab6e2f12be3bc8c40
Instruction Fuzzy Hash: BB3121B5D00249AFC704EFAAC881DEEB7FDEF88304B548069E855E7251D7319E45CBA0

Function 009BDF95 Relevance: 6.1, APIs: 4, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 00957620: _wcslen.LIBCMT ref: 00957625

_wcslen.LIBCMT ref: 009BDFCB
_wcslen.LIBCMT ref: 009BDFE2
_wcslen.LIBCMT ref: 009BE00D
GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 009BE018

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: _wcslen$ExtentPoint32Text
String ID:
API String ID: 3763101759-0
Opcode ID: d2c2720b83ff4f4e10f442e9278fc24cdab7c0760d7367f0f0ac747d720a6942
Instruction ID: 1c75389a9a871ac6fc56654af1feb781aef292e87c010b381c35bdc2882e6347
Opcode Fuzzy Hash: d2c2720b83ff4f4e10f442e9278fc24cdab7c0760d7367f0f0ac747d720a6942
Instruction Fuzzy Hash: 34218372901214EFCB11EFA8D981BBEB7F8EF85760F144065E905BB246D7709E41CBA1

Function 009E8FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00969BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00969BB2

GetCursorPos.USER32(?), ref: 009E9001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,009A7711,?,?,?,?,?), ref: 009E9016
GetCursorPos.USER32(?), ref: 009E905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,009A7711,?,?,?), ref: 009E9094

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 5c0adf1e4723ea2590b1b889e9373031e260d6eb07b6bb0c6b5c6f35679f09e7
Instruction ID: 1317cc3ad8a1e68ed36a4777c47974a7cee0bbfeca6c39669bfb55585ec7e2db
Opcode Fuzzy Hash: 5c0adf1e4723ea2590b1b889e9373031e260d6eb07b6bb0c6b5c6f35679f09e7
Instruction Fuzzy Hash: 6621F371201058FFCB268F99CC98EFA3BB9EF8A311F400065F5054B161C7319E91EB60

Function 009BD2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,009ECB68), ref: 009BD2FB
GetLastError.KERNEL32 ref: 009BD30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 009BD319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,009ECB68), ref: 009BD376

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 65c2090b3b35298021f964443adda5d60a0bd1774e93b5f9a19d5420b9ac7195
Instruction ID: 3065948d63a1f968c8e001ca6c418c46f91c3f24da3024959b01ea7e24c914ed
Opcode Fuzzy Hash: 65c2090b3b35298021f964443adda5d60a0bd1774e93b5f9a19d5420b9ac7195
Instruction Fuzzy Hash: 1421A670509301DF8300DF25C9855AA77E8EF9A368F104A1DF8A5C72A2E731DD4ACB93

Function 009B1571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 009B1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 009B102A
Part of subcall function 009B1014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 009B1036
Part of subcall function 009B1014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 009B1045
Part of subcall function 009B1014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 009B104C
Part of subcall function 009B1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 009B1062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 009B15BE
_memcmp.LIBVCRUNTIME ref: 009B15E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 009B1617
HeapFree.KERNEL32(00000000), ref: 009B161E

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: bf7896f9f5a33a5f12473878177be307e8a4fd673d2f2b33967f2676fbb2fdc8
Instruction ID: 7875d03e8d86aa21aa1c49ee1c8b3ea723e42010619c6ee6b4d0f0b4ab70b134
Opcode Fuzzy Hash: bf7896f9f5a33a5f12473878177be307e8a4fd673d2f2b33967f2676fbb2fdc8
Instruction Fuzzy Hash: 0F21AF72E00109EFDF14DFA4CA55BEEB7B8EF84364F484459E441AB241E770AE05DBA0

Function 009E2782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 009E280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 009E2824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 009E2832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 009E2840

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: c79b15934167b9c951e6d9976d5d5e1d1286c1174b6b5bc01195534dc8087635
Instruction ID: 20ef5f118a336831730a26dc813cecbf9154f8fba5bb7652f38fe1a9159ccd61
Opcode Fuzzy Hash: c79b15934167b9c951e6d9976d5d5e1d1286c1174b6b5bc01195534dc8087635
Instruction Fuzzy Hash: 4321B631208691AFD715DB25CC45F6A779DAF85324F148158F8168F6D2CB75FC42C790

Function 009B78F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 009B8D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,009B790A,?,000000FF,?,009B8754,00000000,?,0000001C,?,?), ref: 009B8D8C
Part of subcall function 009B8D7D: lstrcpyW.KERNEL32(00000000,?,?,009B790A,?,000000FF,?,009B8754,00000000,?,0000001C,?,?,00000000), ref: 009B8DB2
Part of subcall function 009B8D7D: lstrcmpiW.KERNEL32(00000000,?,009B790A,?,000000FF,?,009B8754,00000000,?,0000001C,?,?), ref: 009B8DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,009B8754,00000000,?,0000001C,?,?,00000000), ref: 009B7923
lstrcpyW.KERNEL32(00000000,?,?,009B8754,00000000,?,0000001C,?,?,00000000), ref: 009B7949
lstrcmpiW.KERNEL32(00000002,cdecl,?,009B8754,00000000,?,0000001C,?,?,00000000), ref: 009B7984

Strings

cdecl, xrefs: 009B797B

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 9c4659cef9837df1f0afe983e492c37a6fe964b0bfff322b935ed3e83fd7c253
Instruction ID: b4e748109d33401fc769985e7d477a89441f9315cff2113a4ba5bed0037ec5fc
Opcode Fuzzy Hash: 9c4659cef9837df1f0afe983e492c37a6fe964b0bfff322b935ed3e83fd7c253
Instruction Fuzzy Hash: 4711063A204241AFCB159F74D844EBBB7A9FFC93A0B00412AF842CB2A4EB319811D751

Function 009E7CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 009E7D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 009E7D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 009E7D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,009CB7AD,00000000), ref: 009E7D6B

Part of subcall function 00969BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00969BB2

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 462512d622bf74445e9492a17abed65ccc25bc456bdc9fccc2fda90c6080a206
Instruction ID: eb6a326284119240334d7b88a5720266ec84828c0b6ef093955cb76102f65faf
Opcode Fuzzy Hash: 462512d622bf74445e9492a17abed65ccc25bc456bdc9fccc2fda90c6080a206
Instruction Fuzzy Hash: 4211E431118695AFCB118FA9CC44A767BA9FF45360B154724F835CB2F0D7308D92DB50

Function 009E5660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 009E56BB
_wcslen.LIBCMT ref: 009E56CD
_wcslen.LIBCMT ref: 009E56D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 009E5816

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: b7df3c270d1e67ba6200d13793b33911bb7fb0cab76deff3a86cd6679461116e
Instruction ID: 859f08266e0b36a5b16e3f681590cb47a81bd32e3beada8b8b518f11799e45c1
Opcode Fuzzy Hash: b7df3c270d1e67ba6200d13793b33911bb7fb0cab76deff3a86cd6679461116e
Instruction Fuzzy Hash: 7D11E47160068996DF219F678C81AEE776CEF10B68F504426F905D6082E7748D80CB60

Function 00981D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc845da09b640f9cd5afb7f65808ebec0681c3fbe9094e1d6956f0bf1c08fdf7
Instruction ID: 3b8eca33397a358b8b677ff3c8c2cf42143ac9dac5b405a56d88dc47ec9ca0d7
Opcode Fuzzy Hash: bc845da09b640f9cd5afb7f65808ebec0681c3fbe9094e1d6956f0bf1c08fdf7
Instruction Fuzzy Hash: D601ADB220A6167FF6213AB86CC0F67671CDF813B8B310B25F522A13D2DB658C025360

Function 009B1A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 009B1A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 009B1A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 009B1A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 009B1A8A

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: b6713eeb6464d70557613978a444e534d49baeb0d1d49d09006d44ea3592767f
Instruction ID: fef3abc0589885f16f2a78da6ce62a1bb46af01f93be3bd69665fe5461a454b9
Opcode Fuzzy Hash: b6713eeb6464d70557613978a444e534d49baeb0d1d49d09006d44ea3592767f
Instruction Fuzzy Hash: 0411273A901219FFEF109BA4C985FEDBB78EB08760F200091EA00B7290D6716E50DB94

Function 009BE1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 009BE1FD
MessageBoxW.USER32(?,?,?,?), ref: 009BE230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 009BE246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 009BE24D

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 99fa637d3e6a75c7e29f69ed11dfdbf6f8883297c90b339bd5f85921118bc2a2
Instruction ID: 7e5829397670177df2a448c0a0ee0352cef103bec2977a113cb51a6e3516efdb
Opcode Fuzzy Hash: 99fa637d3e6a75c7e29f69ed11dfdbf6f8883297c90b339bd5f85921118bc2a2
Instruction Fuzzy Hash: 1A116BB2D08244BFC710DFEC9D45AEE3FAD9B41320F004225F824E7280D270CD0287A0

Function 0097D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,0097CFF9,00000000,00000004,00000000), ref: 0097D218
GetLastError.KERNEL32 ref: 0097D224
__dosmaperr.LIBCMT ref: 0097D22B
ResumeThread.KERNEL32(00000000), ref: 0097D249

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: b58ce85d7ddbdd98582ab0d09ad46b9b15b6d6f7e7fb233e038ec5770c922d3e
Instruction ID: 9bbf43acd3d4a86107b64c9a481f5509f82ef0305fbde0d892eec4e5e0d71058
Opcode Fuzzy Hash: b58ce85d7ddbdd98582ab0d09ad46b9b15b6d6f7e7fb233e038ec5770c922d3e
Instruction Fuzzy Hash: 7601D27790A204BBCB116BA5DC09BAA7A7DEFC1731F208219F939961D1CB71CD02D7A0

Function 009E9EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00969BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00969BB2

GetClientRect.USER32(?,?), ref: 009E9F31
GetCursorPos.USER32(?), ref: 009E9F3B
ScreenToClient.USER32(?,?), ref: 009E9F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 009E9F7A

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 1657ebe0026830847909ed56abccdf881279dc0bc9a81f315836a30b880eb219
Instruction ID: 9b48aad8761842b471fbfd5715063aae95dbcd873b8c11f21025ef8290f30ac4
Opcode Fuzzy Hash: 1657ebe0026830847909ed56abccdf881279dc0bc9a81f315836a30b880eb219
Instruction Fuzzy Hash: 2911367290029AABDB11DFAAD8859EE77B9FB45311F000851F911E7141D730BE82DBA1

Function 0095600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0095604C
GetStockObject.GDI32(00000011), ref: 00956060
SendMessageW.USER32(00000000,00000030,00000000), ref: 0095606A

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 99e60edbbbf0e5401011627a41601dbcbf599b5e53fdf3df431482e52d3b534c
Instruction ID: 729aedddb413b54829ed949734d4af35b291e59fca8093b782cb665b4a16fa46
Opcode Fuzzy Hash: 99e60edbbbf0e5401011627a41601dbcbf599b5e53fdf3df431482e52d3b534c
Instruction Fuzzy Hash: 3811A1B2101548BFEF128FA6CC44EEA7B6DEF08365F400211FE0456050C7329C61EB90

Function 00973B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00973B56

Part of subcall function 00973AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00973AD2
Part of subcall function 00973AA3: ___AdjustPointer.LIBCMT ref: 00973AED

_UnwindNestedFrames.LIBCMT ref: 00973B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00973B7C
CallCatchBlock.LIBVCRUNTIME ref: 00973BA4

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 628491044ba610e2109a32c5668b4cab715f85cb34c36e5311158e2ee721218a
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: B601D733100149BBDF125E95CC46EEB7B6DEF98754F04C018FE5C66122D732E961ABA1

Function 00983073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,009513C6,00000000,00000000,?,0098301A,009513C6,00000000,00000000,00000000,?,0098328B,00000006,FlsSetValue), ref: 009830A5
GetLastError.KERNEL32(?,0098301A,009513C6,00000000,00000000,00000000,?,0098328B,00000006,FlsSetValue,009F2290,FlsSetValue,00000000,00000364,?,00982E46), ref: 009830B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0098301A,009513C6,00000000,00000000,00000000,?,0098328B,00000006,FlsSetValue,009F2290,FlsSetValue,00000000), ref: 009830BF

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 2b77088dad0442aeaaa8a5553778bb2c69af27be63378fb8b405800eac5988f7
Instruction ID: beed1331ad1451e0c9708c8820fb9d9e36e157a20195bee243b4f74449cb5d85
Opcode Fuzzy Hash: 2b77088dad0442aeaaa8a5553778bb2c69af27be63378fb8b405800eac5988f7
Instruction Fuzzy Hash: D001D472325222ABCB315EB99C849677B9CAF05F61B108620F955E7340C721DD02D7E0

Function 009B7464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 009B747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 009B7497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 009B74AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 009B74CA

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 1b46bd3e7cc335ca6f2681cc09afe734e9509c68e805c34862dfb8421607517d
Instruction ID: 5f5f31bf64f8835baccddbf2ffa86a56383d8b9dcafa09ccabb0a3d38bea5422
Opcode Fuzzy Hash: 1b46bd3e7cc335ca6f2681cc09afe734e9509c68e805c34862dfb8421607517d
Instruction Fuzzy Hash: D411C4B12093149FE7208F94DE48FD2BFFEEB40B11F108A69A656DA1A1E774E904DB50

Function 009BB0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,009BACD3,?,00008000), ref: 009BB0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,009BACD3,?,00008000), ref: 009BB0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,009BACD3,?,00008000), ref: 009BB0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,009BACD3,?,00008000), ref: 009BB126

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: c463cb951f6932d12ea673face7fa61f208aaaf6a0808f9f0814c491d20a95c6
Instruction ID: 72310e46f65b998c7bbbe42c78c70eea434033d2e89218204138c38aabc0ebf6
Opcode Fuzzy Hash: c463cb951f6932d12ea673face7fa61f208aaaf6a0808f9f0814c491d20a95c6
Instruction Fuzzy Hash: 5D11A171C0851CEBCF00AFE8DA986FEBB78FF0A320F004085D981B2185CBB449518B51

Function 009E7E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 009E7E33
ScreenToClient.USER32(?,?), ref: 009E7E4B
ScreenToClient.USER32(?,?), ref: 009E7E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 009E7E8A

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 9b0c1da91ff89c95c1bd7cd0c7b93a3c2bc4205d02e5cde76fd4406a66279003
Instruction ID: 517370d686609eac5374836cd0a61525770eb7fa6aff344e3360cd156b57d2bb
Opcode Fuzzy Hash: 9b0c1da91ff89c95c1bd7cd0c7b93a3c2bc4205d02e5cde76fd4406a66279003
Instruction Fuzzy Hash: A31183B9D0424AAFDB41CF98D884AEEBBF9FF08310F108066E951E3210D735AA55DF90

Function 009B2DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 009B2DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 009B2DD6
GetCurrentThreadId.KERNEL32 ref: 009B2DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 009B2DE4

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: c1b043ba50cf3699f6bc6b63058fd008e1a704be706f1cdb44322fba246ccf37
Instruction ID: a32288f3f73f8be49c9d164bf7ed2b1ed35d152371610bbdb2b6edc29e31917b
Opcode Fuzzy Hash: c1b043ba50cf3699f6bc6b63058fd008e1a704be706f1cdb44322fba246ccf37
Instruction Fuzzy Hash: 37E092B2119224BBDB201B729C4DFEB3E6CEF82FB1F000019F105D90809AA4CC42D6B0

Function 009E8863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00969639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00969693
Part of subcall function 00969639: SelectObject.GDI32(?,00000000), ref: 009696A2
Part of subcall function 00969639: BeginPath.GDI32(?), ref: 009696B9
Part of subcall function 00969639: SelectObject.GDI32(?,00000000), ref: 009696E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 009E8887
LineTo.GDI32(?,?,?), ref: 009E8894
EndPath.GDI32(?), ref: 009E88A4
StrokePath.GDI32(?), ref: 009E88B2

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 9a37f1797846867a79a53f2e0720495df0963e74b16527a67cc7111bece9b993
Instruction ID: c8b1a22bb67a95863fe23860e5d426bbcc0c2393417865f1edcfd7313b45dc83
Opcode Fuzzy Hash: 9a37f1797846867a79a53f2e0720495df0963e74b16527a67cc7111bece9b993
Instruction Fuzzy Hash: 4CF03A36049298BADF125F94AC09FDA3A59AF16311F448000FE61690E1C7755952DBA5

Function 009698B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 009698CC
SetTextColor.GDI32(?,?), ref: 009698D6
SetBkMode.GDI32(?,00000001), ref: 009698E9
GetStockObject.GDI32(00000005), ref: 009698F1

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 79fd30c163d0d0db158808593625751d58bc8a129c90e9a0494e6a6f5e7c235f
Instruction ID: cb09dfde34c2166224d19f8c2e7e3c54e9dbbc423fc614752b70127dc86ce403
Opcode Fuzzy Hash: 79fd30c163d0d0db158808593625751d58bc8a129c90e9a0494e6a6f5e7c235f
Instruction Fuzzy Hash: 1AE06D7125C680AADB215B78EC49BE87F65EB16376F048219F6FA580E1C7714A41AB10

Function 009B162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 009B1634
OpenThreadToken.ADVAPI32(00000000,?,?,?,009B11D9), ref: 009B163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,009B11D9), ref: 009B1648
OpenProcessToken.ADVAPI32(00000000,?,?,?,009B11D9), ref: 009B164F

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 0e66ebd6adc5f1afdc73d30036a2f39d23390a604b0906018358e16400996383
Instruction ID: 888fc0a431934746e7c2cd27899411c1a7684f191595ec9ed793b969a6f84ede
Opcode Fuzzy Hash: 0e66ebd6adc5f1afdc73d30036a2f39d23390a604b0906018358e16400996383
Instruction Fuzzy Hash: 47E08CB2616211EBDB201FA4AE4DB8A3B7CAF447A2F148808F685DD080E7348842DB60

Function 009AD858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 009AD858
GetDC.USER32(00000000), ref: 009AD862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 009AD882
ReleaseDC.USER32(?), ref: 009AD8A3

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: dec94fbccb04e71d99dd32e1fa1440f43f300be9fafbda4a8ecce92e09464c58
Instruction ID: ed1fefb60134a25c48cadb01a3fd17bb86862546543d2d7f82ee7157cf9f1c6c
Opcode Fuzzy Hash: dec94fbccb04e71d99dd32e1fa1440f43f300be9fafbda4a8ecce92e09464c58
Instruction Fuzzy Hash: 12E01AF4815205DFCF419FA4D84C66EBBB1FB48711F108409E896EB250C7389902AF40

Function 009AD86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 009AD86C
GetDC.USER32(00000000), ref: 009AD876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 009AD882
ReleaseDC.USER32(?), ref: 009AD8A3

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: e60c0b2febff07dc6f22dec4bfb179783c0fcb277592e1135cbc862cd5e934a2
Instruction ID: 8e215421930741161f269299c5f172ec7fd0d9343ed2274da260a44e0bd42530
Opcode Fuzzy Hash: e60c0b2febff07dc6f22dec4bfb179783c0fcb277592e1135cbc862cd5e934a2
Instruction Fuzzy Hash: 74E01AB4C14205DFCF409FA4D84C66EBBB1BB48711B108408E896EB250C7385902AF40

Function 009C4D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00957620: _wcslen.LIBCMT ref: 00957625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 009C4ED4

Strings

LPT, xrefs: 009C4DFB
*, xrefs: 009C4E10

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 377d76527a1441c1992e0a48e6d2b6f471307c16542617142d9fad0b3ae25518
Instruction ID: c5e9457bb2ac92d57ce637863435efe6777811501b6b2a0212466f1151f10112
Opcode Fuzzy Hash: 377d76527a1441c1992e0a48e6d2b6f471307c16542617142d9fad0b3ae25518
Instruction Fuzzy Hash: DB913D75A002049FDB14DF58C494FAABBF5AF48304F19809DE84A9F362D735EE85CB91

Function 0097E27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0097E30D

Strings

pow, xrefs: 0097E2E5, 0097E302

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 511e5da17abb6aa975ebae37b8fa448bec536e4ac031ca56c916982ba1bede1d
Instruction ID: a3aab641ff4c49d9db7a3806f1c54d7aa201b637a2cdb74570ae2fbb3602da7e
Opcode Fuzzy Hash: 511e5da17abb6aa975ebae37b8fa448bec536e4ac031ca56c916982ba1bede1d
Instruction Fuzzy Hash: 30512A62A1C20296CB157754C941379BBACAB54740F34CDE8E0DA833FAEB35CC95DB86

Function 0096E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 0096E1B1

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: b5ef3e1323eb863ae8a1844a3bf6074321e162939c91b71634323498f9d2f6fe
Instruction ID: 2ff0abde3afc2b615845114ff751a05405c587f33d49f59f36879b1a68f0b613
Opcode Fuzzy Hash: b5ef3e1323eb863ae8a1844a3bf6074321e162939c91b71634323498f9d2f6fe
Instruction Fuzzy Hash: 86515579904246DFDB19DF28C491AFA7BA9EF56310F248059FCA19B2C0DB349D46CBA0

Function 0096F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0096F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 0096F2BB

Strings

@, xrefs: 0096F2AF

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: cb69eb1693816464186a79678c03873cf1737121f230b71c6001ce427fe586e2
Instruction ID: f56ffa19c20d7afa711a7329b24376494fe11304e2c3e9e9da83ed23fa23a2cb
Opcode Fuzzy Hash: cb69eb1693816464186a79678c03873cf1737121f230b71c6001ce427fe586e2
Instruction Fuzzy Hash: E65115714187489BD320EF51EC86BAFBBE8FBC4301F81885DF5D941195EB70852ACB66

Function 009D5745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 009D57E0
_wcslen.LIBCMT ref: 009D57EC

Strings

CALLARGARRAY, xrefs: 009D57E6, 009D57EB

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 0e3da4c013e8cdd24ce9e5a90e1db13bbbaddf34a05927187d847510ab1a58b2
Instruction ID: fd5c88a0414099d9d847cc6d5ee6f8e297df7a60d2b182f8d0d2d774131c90a5
Opcode Fuzzy Hash: 0e3da4c013e8cdd24ce9e5a90e1db13bbbaddf34a05927187d847510ab1a58b2
Instruction Fuzzy Hash: C141A175A002059FCB14DFA9C8819BEBBF9FF99324F11806AE505A7361E7349D81DB90

Function 009CD0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 009CD130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 009CD13A

Strings

|, xrefs: 009CD10B

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 12d487df83895102dd1e612601be7724313d6087453ffc2a3adcc457e16aca55
Instruction ID: b9f073067f9d38dbc7587f5fd60aaf6a387005c2c90b9d6a25ca6e5a9c9d3646
Opcode Fuzzy Hash: 12d487df83895102dd1e612601be7724313d6087453ffc2a3adcc457e16aca55
Instruction Fuzzy Hash: 4A311771D01209ABCF15EFA5CC85AEEBBB9FF45300F000029F819A6162D631AA1ACB61

Function 009E356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 009E3621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 009E365C

Strings

static, xrefs: 009E35BC

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 3842f3c6c557d8205a1f970d4a3bfaec97fb0fc860ade3a79887c393478f87bc
Instruction ID: 6553cebd5f491692843c0cea567b3accbf8a09e74c562f899a92f1ae9bc57f0c
Opcode Fuzzy Hash: 3842f3c6c557d8205a1f970d4a3bfaec97fb0fc860ade3a79887c393478f87bc
Instruction Fuzzy Hash: D4318D71110244AEDB11DF79DC85FBB73ADFF88724F009619F8A997280DA31AD82D760

Function 009E4537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 009E461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 009E4634

Strings

', xrefs: 009E458E

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 4fa127f617cc4e3ebdeaeceb5bbfb95d893e27a297613d2a91009268bd5c86dc
Instruction ID: ac86afea76b563b56ec61952cbf7187fb10af415bc867367c9f85695afdfa74b
Opcode Fuzzy Hash: 4fa127f617cc4e3ebdeaeceb5bbfb95d893e27a297613d2a91009268bd5c86dc
Instruction Fuzzy Hash: C9312874A003499FDB15CFAAC980BEA7BB9FF49700F104069E904AB341D770AD41CF90

Function 009E31EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 009E327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 009E3287

Strings

Combobox, xrefs: 009E3249

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 8ab31dbb5db83fc9116765c9676653116c37f58654172cab9b157ac6dbc2b9f7
Instruction ID: 395077bdf2c58fd8a6ca6a2393b468a3a7ad6a02a6215a0c65eaefd5c54c7c04
Opcode Fuzzy Hash: 8ab31dbb5db83fc9116765c9676653116c37f58654172cab9b157ac6dbc2b9f7
Instruction Fuzzy Hash: D311B2713002497FEF229F95DC88EBB37AEEB98364F108524FA6897390D6319D519760

Function 009E3710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0095600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0095604C
Part of subcall function 0095600E: GetStockObject.GDI32(00000011), ref: 00956060
Part of subcall function 0095600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0095606A

GetWindowRect.USER32(00000000,?), ref: 009E377A
GetSysColor.USER32(00000012), ref: 009E3794

Strings

static, xrefs: 009E3757

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 45ad2474063410ac07bdce558ff659237e0832aece66c0c0e73f0e1f11595621
Instruction ID: 611044b9abed5fc13a649fc36ca3e5ec8625ea99189901aaabdf9d9127fd3855
Opcode Fuzzy Hash: 45ad2474063410ac07bdce558ff659237e0832aece66c0c0e73f0e1f11595621
Instruction Fuzzy Hash: C81129B2610249AFDF11DFA9CC49AEA7BB9FB08314F004924F955E3250D735ED51DB50

Function 009CCD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 009CCD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 009CCDA6

Strings

<local>, xrefs: 009CCD66

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 6cfb259dab83323c467257f45ab5c2f78b70d0fcc05d9eb028dd39770cacdd16
Instruction ID: b18b405aff7934573a57e54ab135003cf8dad2ec58417e5079babf451c367d5e
Opcode Fuzzy Hash: 6cfb259dab83323c467257f45ab5c2f78b70d0fcc05d9eb028dd39770cacdd16
Instruction Fuzzy Hash: 3011E3F1A15632BAD7244A668C84FE3BEACEB127A4F00462AF10E820C0D2749941D6F1

Function 009E3429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 009E34AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 009E34BA

Strings

edit, xrefs: 009E348F

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 1dec3a445bf3c5e1fa97be21cd9a7701d426984e5dfdc5192a06e48b0b66c302
Instruction ID: 553ccc1a9e61df189ac64102f4e1430fb67896f915efc5253872f41be525672a
Opcode Fuzzy Hash: 1dec3a445bf3c5e1fa97be21cd9a7701d426984e5dfdc5192a06e48b0b66c302
Instruction Fuzzy Hash: 2411BF71100188ABEB138F66DC88ABB376EEB45378F508724F960971E0D731DD529B50

Function 009B6C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00959CB3: _wcslen.LIBCMT ref: 00959CBD

CharUpperBuffW.USER32(?,?,?), ref: 009B6CB6
_wcslen.LIBCMT ref: 009B6CC2

Strings

STOP, xrefs: 009B6CBC, 009B6CC1

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 60506f4924f3bd42850287b932cceeef4838061ccea00a9a77028d0423372297
Instruction ID: 4471ca93947b4dcaaa0632415b5cd0474e99daccae72971d9400b77e2d230ec3
Opcode Fuzzy Hash: 60506f4924f3bd42850287b932cceeef4838061ccea00a9a77028d0423372297
Instruction Fuzzy Hash: EA012632A005278BCB209FBDCD919FF37B9EBA0B207000924E99297191EB39FC04C750

Function 009B1CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00959CB3: _wcslen.LIBCMT ref: 00959CBD

Part of subcall function 009B3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 009B3CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 009B1D4C

Strings

ComboBox, xrefs: 009B1CEB
ListBox, xrefs: 009B1D16

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: f6bb75c860dd917b073eba4d4cd7d55d3c420b290a3fc3e11da867bf5144df72
Instruction ID: c113419485ee70e72a3acd9c34a9d84da434dd2b9488f679d6d4d2cbb825378d
Opcode Fuzzy Hash: f6bb75c860dd917b073eba4d4cd7d55d3c420b290a3fc3e11da867bf5144df72
Instruction Fuzzy Hash: 54012875604218EB9B08EBA0CE61DFE77A8FBC2360B500D09FC62572C1EA30590C8760

Function 009B1BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00959CB3: _wcslen.LIBCMT ref: 00959CBD

Part of subcall function 009B3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 009B3CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 009B1C46

Strings

ComboBox, xrefs: 009B1BE5
ListBox, xrefs: 009B1C10

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: d0458d60733c3153ec0db6b08e6aa6ffefbb495129a3bb4e767fcbe224089dde
Instruction ID: 965dbdd2279302c1216c1afa7e1d1cedabb2c868c0e0149f351d0fb054014a80
Opcode Fuzzy Hash: d0458d60733c3153ec0db6b08e6aa6ffefbb495129a3bb4e767fcbe224089dde
Instruction Fuzzy Hash: C201AC75A45108A6DB04E7A0CB63AFF7BAC9B51350F540415AD8667182EA249E0C8771

Function 009B1C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00959CB3: _wcslen.LIBCMT ref: 00959CBD

Part of subcall function 009B3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 009B3CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 009B1CC8

Strings

ComboBox, xrefs: 009B1C69
ListBox, xrefs: 009B1C94

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 1d8d3791a1007972347087a514da8300177e58203b52952788f66b0452ad8e34
Instruction ID: 5552ee386638ae87b25d163c04dc154f8de8fbee685272faa0df7e8e0107c633
Opcode Fuzzy Hash: 1d8d3791a1007972347087a514da8300177e58203b52952788f66b0452ad8e34
Instruction Fuzzy Hash: 1D01D6B5A80118A7DB04EBA5CB11BFF7BACAB51350FA40415BC8673282EA209F0CC771

Function 009B1D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00959CB3: _wcslen.LIBCMT ref: 00959CBD

Part of subcall function 009B3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 009B3CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 009B1DD3

Strings

ComboBox, xrefs: 009B1D75
ListBox, xrefs: 009B1DA0

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: bd894c16b925bf47383670132f57ab59696ebb029a5c6ef06e915c12a1590ec6
Instruction ID: 7feb29f342c1f9d8f26d4522835769704eb676f3a8310d2940ea3785837e0cc8
Opcode Fuzzy Hash: bd894c16b925bf47383670132f57ab59696ebb029a5c6ef06e915c12a1590ec6
Instruction Fuzzy Hash: BBF0F475A54218A6DB04E7A4CE62BFF77BCAB81360F840D19BC62632C2EA60590C8360

Function 009D747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 009D7493
_wcslen.LIBCMT ref: 009D74B9

Strings

3, 3, 16, 1, xrefs: 009D7483

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: 8f71418e76299ea4a0afc8d9e9092c24f3f1802c2004b3c4af397f72d6ce3358
Instruction ID: 06780e3fd8a32412ffe5b629a0b5153cab9ac44a74d11c15ddc466514c6bc780
Opcode Fuzzy Hash: 8f71418e76299ea4a0afc8d9e9092c24f3f1802c2004b3c4af397f72d6ce3358
Instruction Fuzzy Hash: 50E02B0324422061923212BA9CC1B7F968EDFC5B90710982BFA89C6377FB948D9193A1

Function 009B0B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 009B0B23

Strings

Error allocating memory., xrefs: 009B0B1C
AutoIt, xrefs: 009B0B17

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: d3f4c9674dc3a80d46a03586cfc0457aa82ad6a0da2ac233b32ce1e003ffd7a8
Instruction ID: 5f475c420bdfa40f318bb72f7b6b29b74974a675feb66cb70c36146facfc366a
Opcode Fuzzy Hash: d3f4c9674dc3a80d46a03586cfc0457aa82ad6a0da2ac233b32ce1e003ffd7a8
Instruction Fuzzy Hash: F4E0D83228435876D21536557C03FC97F889F49B25F100426FBD8954C38BE22C9006A9

Function 00970D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0096F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00970D71,?,?,?,0095100A), ref: 0096F7CE

IsDebuggerPresent.KERNEL32(?,?,?,0095100A), ref: 00970D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0095100A), ref: 00970D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00970D7F

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: fac1e2f048bff15a1fb532641566993627a4d69084102028e4366f1129e7124b
Instruction ID: 2fb3bb54c8bf0085f2663124a78c29b9dca8ba2da6ce5008f3e933d622f288ba
Opcode Fuzzy Hash: fac1e2f048bff15a1fb532641566993627a4d69084102028e4366f1129e7124b
Instruction Fuzzy Hash: 10E06DB02003818FD370DFB9E4543567BE4AB90744F00892DE896CA795DBB0E8498B91

Function 009C3017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 009C302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 009C3044

Strings

aut, xrefs: 009C3038

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 5cf26e11848f23724dc5e25c9a39c6f319294ab6046fdd77fff0137c76b3077c
Instruction ID: d80fd4da982593b65e52accf7aa96c7caec9c7f412651bff5e5b778bd0622177
Opcode Fuzzy Hash: 5cf26e11848f23724dc5e25c9a39c6f319294ab6046fdd77fff0137c76b3077c
Instruction Fuzzy Hash: 87D05BB150032477DA2097949C4DFC73A6CEB04751F0005517795D6195DAB0D985CAD0

Function 009AD21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 009AD220

Strings

X64, xrefs: 009AD2A8
%.3d, xrefs: 009AD22B

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 5d768f07013083dab2fb97d0fd107f3c28879b3eec6597bc8fee3b7314ba3f24
Instruction ID: 58b8409b6545d0fb8777b12b61b91123d1d8cd8b14d0e9d5b2d113a0e96d0514
Opcode Fuzzy Hash: 5d768f07013083dab2fb97d0fd107f3c28879b3eec6597bc8fee3b7314ba3f24
Instruction Fuzzy Hash: B7D062A1C0A119E9CB5096E0DC45AF9B37CBB59341F548C52FD27A1440D62CD549E7A1

Function 009E2322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 009E232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 009E233F

Part of subcall function 009BE97B: Sleep.KERNEL32 ref: 009BE9F3

Strings

Shell_TrayWnd, xrefs: 009E2325

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 62ca99f1b51759a5515e2e0a59d109ebda24a6fb1b9f5d8e5ac3a40423308cca
Instruction ID: d972308c61d83a98b3f05bdc74814183c3b54e77bc31d7d919fdcca3d1930626
Opcode Fuzzy Hash: 62ca99f1b51759a5515e2e0a59d109ebda24a6fb1b9f5d8e5ac3a40423308cca
Instruction Fuzzy Hash: 0BD0C9763A9350BAE664A7709C4FFC66A18AB40B10F0049167685AA1D0C9A0A8469A58

Function 009E2356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 009E236C
PostMessageW.USER32(00000000), ref: 009E2373

Part of subcall function 009BE97B: Sleep.KERNEL32 ref: 009BE9F3

Strings

Shell_TrayWnd, xrefs: 009E2365

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: b5ec0fc71cbb7598a3ab7ea69b4bf8b83c0bb3dd1698933d1c8d79f8f57f2e49
Instruction ID: 90194114ca1b8cf8222e7e26588b072fe60efd11a6bab25fe275262c82ab27f1
Opcode Fuzzy Hash: b5ec0fc71cbb7598a3ab7ea69b4bf8b83c0bb3dd1698933d1c8d79f8f57f2e49
Instruction Fuzzy Hash: 24D0C976399350BAE664A7709C4FFC66618AB44B10F0049167685EA1D0C9A0B8469A58

Function 0098BDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 0098BE93
GetLastError.KERNEL32 ref: 0098BEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0098BEFC

Memory Dump Source

Source File: 00000000.00000002.2109751514.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2109722263.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109942994.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110056891.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110088947.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: c5386a66d3fe63636a33d7ac08e38e65e3e233f0bdc6174cafc5987c655b227e
Instruction ID: 9205bb88d067005f7541fa2f08e8408e2340ce833d6fb54e42d153ab38cff728
Opcode Fuzzy Hash: c5386a66d3fe63636a33d7ac08e38e65e3e233f0bdc6174cafc5987c655b227e
Instruction Fuzzy Hash: 1141E935604206AFCF21BF65CC54BBA7BA9EF42710F284169FA599B3A2DB309D01DB50

Analysis Process: firefox.exePID: 7240, Parent PID: 2200COMMON

Execution Graph

Execution Coverage:	0.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	100%
Total number of Nodes:	6
Total number of Limit Nodes:	0

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 000001A4C87186B2 Relevance: 26.1, APIs: 1, Strings: 10, Instructions: 6826nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL ref: 000001A4C8718717

Strings

4, xrefs: 000001A4C871C799
#, xrefs: 000001A4C8718742
>, xrefs: 000001A4C871C7BF
#, xrefs: 000001A4C8716A85
>, xrefs: 000001A4C871951C
#, xrefs: 000001A4C87197F1
>, xrefs: 000001A4C8718779
z, xrefs: 000001A4C871874B
z, xrefs: 000001A4C8719CF6
A, xrefs: 000001A4C871870F

Memory Dump Source

Source File: 00000011.00000002.3315180691.000001A4C8716000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001A4C8716000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1a4c8716000_firefox.jbxd

Similarity

API ID: InformationQuerySystem
String ID: #$#$#$4$>$>$>$A$z$z
API String ID: 3562636166-3072146587
Opcode ID: a7beeb6ed6d4bd1c13836e24e4a4bf8602c8d7752103ee20adf8d6ea9f6b849f
Instruction ID: ec30d295b7223277f26af1db54a63a8654c1fcff6c3452d5f69f8d5c059b85a2
Opcode Fuzzy Hash: a7beeb6ed6d4bd1c13836e24e4a4bf8602c8d7752103ee20adf8d6ea9f6b849f
Instruction Fuzzy Hash: 9DA3E63171AA588BEB2EDF18CC852E973E5FB99710F14422ED84EC7255EF74E9028781

Source: Joe Sandbox View	IP Address: 34.149.100.209 34.149.100.209
Source: Joe Sandbox View	IP Address: 151.101.129.91 151.101.129.91
Source: Joe Sandbox View	IP Address: 34.117.188.166 34.117.188.166

Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache

Source: firefox.exe, 0000000E.00000003.2129735197.000001F3DA1CD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ://www.facebook.com/platform/impression.php equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2192426625.000001F3E4881000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2251126983.000001F3E488C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2192426625.000001F3E48F4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2264156938.000001F3E48F4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2274991604.000001F3E48F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2255824399.000001F3E0E05000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2253548176.000001F3E2175000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2202533742.000001F3DAA75000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2253548176.000001F3E2175000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2193712540.000001F3E2175000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2255824399.000001F3E0E05000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2253548176.000001F3E2175000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2202533742.000001F3DAA75000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2192426625.000001F3E4881000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261368129.000001F3DA173000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2251126983.000001F3E488C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2192426625.000001F3E48F4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2264156938.000001F3E48F4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2274991604.000001F3E48F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2255824399.000001F3E0E05000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2264341911.000001F3E0E2A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2124072002.000001F3E0E1C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2255824399.000001F3E0E05000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2264341911.000001F3E0E2A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2124072002.000001F3E0E1C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2284576614.000001F3DAF83000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://vk.com/,https://www.youtube.com/,https://ok.ru/,https://www.avito.ru/,https://www.aliexpress.com/,https://www.wikipedia.org/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2255824399.000001F3E0E05000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2253548176.000001F3E2175000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2202533742.000001F3DAA75000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2255824399.000001F3E0E05000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2253548176.000001F3E2175000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2202533742.000001F3DAA75000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2284576614.000001F3DAF83000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2284576614.000001F3DAF83000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2284576614.000001F3DAF83000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2284576614.000001F3DAF83000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.2284576614.000001F3DAF83000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2284576614.000001F3DAF83000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2284576614.000001F3DAF83000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2284576614.000001F3DAF83000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2284576614.000001F3DAF83000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2284576614.000001F3DAF83000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2284576614.000001F3DAF83000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.2284576614.000001F3DAF83000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2284576614.000001F3DAF83000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2284576614.000001F3DAF83000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.2284576614.000001F3DAF83000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2284576614.000001F3DAF83000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2284576614.000001F3DAF83000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.2284576614.000001F3DAF83000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2284576614.000001F3DAF83000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3311017364.000001A4C8103000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3311460496.000002962450C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2284576614.000001F3DAF83000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3311017364.000001A4C8103000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3311460496.000002962450C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.2284576614.000001F3DAF83000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3311017364.000001A4C8103000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3311460496.000002962450C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2250775322.000001F3E48A9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2192426625.000001F3E48A9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: moz-extension://bfdd6cf3-6cd6-4fa2-bc72-2c3d2e7d20f8/injections/js/bug1842437-www.youtube.com-performance-now-precision.js equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2244858065.000001F3E22C6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2192426625.000001F3E4881000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2193666123.000001F3E22C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2192426625.000001F3E48F4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2264156938.000001F3E48F4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2274991604.000001F3E48F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2244858065.000001F3E22C6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2193666123.000001F3E22C6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2276366206.000001F3E22CB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com- equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2267956777.000001F3D95C1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2122540569.000001F3D95C1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2122540569.000001F3D95B3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: x://www.facebook.com/platform/impression.php equals www.facebook.com (Facebook)

Source: global traffic	DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic	DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic	DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: example.org
Source: global traffic	DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic	DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: shavar.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: push.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: telemetry-incoming.r53-2.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: firefox.settings.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.remote-settings.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: support.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: us-west1.prod.sumo.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.wikipedia.org
Source: global traffic	DNS traffic detected: DNS query: www.facebook.com
Source: global traffic	DNS traffic detected: DNS query: youtube-ui.l.google.com
Source: global traffic	DNS traffic detected: DNS query: star-mini.c10r.facebook.com
Source: global traffic	DNS traffic detected: DNS query: dyna.wikimedia.org
Source: global traffic	DNS traffic detected: DNS query: www.reddit.com
Source: global traffic	DNS traffic detected: DNS query: twitter.com
Source: global traffic	DNS traffic detected: DNS query: reddit.map.fastly.net
Source: global traffic	DNS traffic detected: DNS query: services.addons.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: normandy.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: normandy-cdn.services.mozilla.com

Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.5:60174 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.5:60180 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:60184 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:60190 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:60189 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:60292 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:60293 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.129.91:443 -> 192.168.2.5:60294 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:60302 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:60304 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:60303 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:60303 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:60305 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:60475 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:60476 version: TLS 1.2

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60182
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60181
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60180
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60179
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60210
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60298
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60297
Source: unknown	Network traffic detected: HTTP traffic on port 60408 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60184 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60174
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60173
Source: unknown	Network traffic detected: HTTP traffic on port 60180 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60294
Source: unknown	Network traffic detected: HTTP traffic on port 60293 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60305 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60475 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60276 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60171 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60297 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60188 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60190
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60189
Source: unknown	Network traffic detected: HTTP traffic on port 60481 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60188
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60186
Source: unknown	Network traffic detected: HTTP traffic on port 60302 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60185
Source: unknown	Network traffic detected: HTTP traffic on port 60181 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60184
Source: unknown	Network traffic detected: HTTP traffic on port 60174 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60294 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60210 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60305
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60304
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60303
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60302
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60298 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60172 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60185 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60189 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60476
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60475
Source: unknown	Network traffic detected: HTTP traffic on port 60179 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60276
Source: unknown	Network traffic detected: HTTP traffic on port 60182 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60303 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 60190 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60173 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60172
Source: unknown	Network traffic detected: HTTP traffic on port 60186 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60293
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60171
Source: unknown	Network traffic detected: HTTP traffic on port 60209 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60292
Source: unknown	Network traffic detected: HTTP traffic on port 60292 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60481
Source: unknown	Network traffic detected: HTTP traffic on port 60304 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60408
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60209
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60476 -> 443

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_a1a9b383-fe25-46fd-9c87-e869a68c9ed4.json (copy)

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_a1a9b383-fe25-46fd-9c87-e869a68c9ed4.json.tmp

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

C:\Users\user\AppData\Local\Temp\tmpaddon

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\ExperimentStoreData.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\ExperimentStoreData.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addonStartup.json.lz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addonStartup.json.lz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addons.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addons.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\content-prefs.sqlite

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\store.json.mozlz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\store.json.mozlz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\extensions.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\extensions.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\favicons.sqlite-shm

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Windows Analysis Report
file.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre